AD User Desync

tomaslindev
Mega Guru

Hi everyone

Currently our instance is synchronized with the AD through the LDAP Server, Source, Federated ID and SSO Source fields. The client needs to maintain the synchronization of this data in other auxiliary fields and desynchronize the users from the AD so that they can access the instance locally. Is this feasible, taking into account the passwords of each user?
Thank you very much and best regards.

1 ACCEPTED SOLUTION

Ankur Bawiskar
Tera Patron

@tomaslindev 

Steps to achieve this:

  1. Maintain Synchronization in Auxiliary Fields:
    • You can create custom fields in the sys_user table to store the synchronized data from AD.
    • Use a transform map to map the AD attributes to these custom fields during the LDAP import process.
  2. Desynchronize Users from AD:
    • To desynchronize users from AD, you can modify the LDAP import process to exclude certain users. This can be done by adding conditions in the transform map or using an onBefore transform script to skip records based on specific criteria.
    • For example, you can exclude users who have a specific value in a custom field indicating they should be desynchronized.
  3. Local Access and Passwords:
    • Once users are desynchronized, they will need local passwords to access the instance. You can set up a process to reset their passwords and notify them.
    • Ensure that the password_needs_reset field is set to true for these users, prompting them to reset their passwords upon their next login.

Here is an example of an onBefore transform script to exclude users from the LDAP import:

(function transformRow(source, target, map, log, isUpdate) {
    // Check if the user should be desynchronized. GlideElement values are
    // returned as strings by getValue(), so compare against 'true' explicitly
    // rather than against the boolean literal.
    if (target.getValue('u_desynchronize') == 'true') {
        // Skip this record: ignore is the transform-script global that tells
        // the import to leave the target row untouched.
        ignore = true;
    }
})(source, target, map, log, isUpdate);

This script checks if the u_desynchronize field is set to true and skips the record if it is.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

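The three steps above can be checked outside the platform before touching the transform map. The following is an added example, not code from the thread or from ServiceNow: a plain Node.js model of the same decisions. The transform globals (source, target, ignore) and GlideRecord do not exist here, so records are plain objects whose values are strings, which is what GlideElement.getValue() returns (booleans arrive as the strings "true"/"false"). The u_ad_* auxiliary field names, the import-row field names and the sample users are constructed for the example.

```javascript
// Added example: Node.js model of the accepted answer's import logic.
// Records are plain objects with string values, mirroring getValue().

// Auxiliary sys_user fields that keep a copy of the AD-sourced values
// (constructed names; the import-row field names are constructed too).
const AUX_FIELD_MAP = {
  u_ldap_server: 'u_ad_ldap_server',
  u_source: 'u_ad_source',
  u_federated_id: 'u_ad_federated_id',
  u_sso_source: 'u_ad_sso_source',
};

// Safe boolean test: compare the string value, never the element itself.
function flagIsSet(record, field) {
  return record[field] != null && String(record[field]) === 'true';
}

// The comparison a naive script uses. With string-valued fields it never
// matches, which is why the transform script compares against 'true'.
function naiveFlagIsSet(record, field) {
  return record[field] == true;
}

// Decision for one import row, mirroring the onBefore script: a user flagged
// u_desynchronize is skipped (ignore = true); everyone else gets the AD values
// copied into the auxiliary fields. Returns the outcome instead of mutating
// platform globals.
function transformRow(sourceRow, targetUser) {
  const written = Object.assign({}, targetUser);
  if (flagIsSet(targetUser, 'u_desynchronize')) {
    return { ignore: true, target: written };
  }
  for (const [srcField, auxField] of Object.entries(AUX_FIELD_MAP)) {
    if (srcField in sourceRow) written[auxField] = sourceRow[srcField];
  }
  return { ignore: false, target: written };
}

// Take a user off AD sync: set the flag and force a local password reset at
// next login, as step 3 of the answer describes.
function desynchronize(user) {
  return Object.assign({}, user, {
    u_desynchronize: 'true',
    password_needs_reset: 'true',
  });
}

// Run a batch of import rows against the user table keyed by user_name
// (the coalesce field) and report which rows were skipped.
function runImport(rows, usersByName) {
  const users = Object.assign({}, usersByName);
  const skipped = [];
  for (const row of rows) {
    const name = row.u_samaccountname;
    const existing = users[name] || { user_name: name };
    const result = transformRow(row, existing);
    if (result.ignore) {
      skipped.push(name);
      continue;
    }
    users[name] = result.target;
  }
  return { users, skipped };
}

// Constructed sample data: alice stays synced, bob has been desynchronized.
const SAMPLE_ROWS = [
  { u_samaccountname: 'alice', u_ldap_server: 'corp-ldap', u_source: 'ldap:alice',
    u_federated_id: 'alice@corp.example', u_sso_source: 'sso:corp' },
  { u_samaccountname: 'bob', u_ldap_server: 'corp-ldap', u_source: 'ldap:bob',
    u_federated_id: 'bob@corp.example', u_sso_source: 'sso:corp' },
];
const SAMPLE_USERS = {
  alice: { user_name: 'alice', u_desynchronize: 'false' },
  bob: desynchronize({ user_name: 'bob', u_desynchronize: 'false' }),
};

const demo = runImport(SAMPLE_ROWS, SAMPLE_USERS);
console.log(demo.skipped);                        // prints [ 'bob' ]
console.log(demo.users.alice.u_ad_federated_id);  // prints alice@corp.example
console.log(demo.users.bob.password_needs_reset); // prints true
```

The model shows the two properties worth verifying before the change goes live: a desynchronized user's record is never overwritten by the import (so the local password and reset flag survive every LDAP run), and synced users still receive the AD values in the auxiliary fields.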

3 REPLIES 3


Thank you very much for your help @Ankur Bawiskar. Given the viability and the processes you have mentioned, I will begin the implementation you have mentioned to see how it goes.

Glad to help.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader