Find inactive LDAP accounts by using the userAccountControl field

  • Release version: Australia
  • Updated: March 12, 2026
  • Time to read: 1 minute

    Identify when an Active Directory (AD) user is deleted (or made inactive).

    Before you begin

    Role required: admin

    About this task

    One method is to track the active status of AD users and create a business rule to update corresponding accounts when an AD account is inactive.

    Procedure

    1. Create a new string field on the User [sys_user] table to track the value of the AD userAccountControl field.
      For example: u_ad_user_account.
    2. Create an LDAP transform script to set the field value.
      target.u_ad_user_account = source.userAccountControl
    3. Update the LDAP filter to show disabled AD accounts.
      Here is an example of a filter.
      (&(objectClass=person)(sn=*)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

      Here is an example of a replacement filter you can use.

      (&(objectClass=person)(sn=*)(!(objectClass=computer)))
    4. Create an onChange business rule to set the active field to false whenever the u_ad_user_account field has the value 514.
      '514' indicates an inactive account.
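    The value 514 is NORMAL_ACCOUNT (512) plus the ACCOUNTDISABLE bit (2), which is the same bit the original filter's 1.2.840.113556.1.4.803 matching rule tests. The plain JavaScript below is an added illustration of the step 4 business-rule logic, not code from this documentation or from ServiceNow: it goes one step further than an exact match on 514 by testing the ACCOUNTDISABLE bit, so a disabled account that also carries other flags (for example 66050, which adds DONT_EXPIRE_PASSWORD) is still marked inactive. A plain object stands in for the business rule's `current` record (an assumption made so the example runs outside the platform); the field names are the ones used in the procedure.

```javascript
// Added example (not from the ServiceNow docs). Stand-in for the onChange
// business rule of step 4, testing the ACCOUNTDISABLE bit rather than the
// literal 514 so that disabled accounts with extra flags are also caught.

// Standard userAccountControl flag values defined by Active Directory.
const UAC = {
  ACCOUNTDISABLE: 0x0002,       // 2
  NORMAL_ACCOUNT: 0x0200,       // 512  -> 512 + 2 = 514, the value in step 4
  DONT_EXPIRE_PASSWORD: 0x10000 // 65536 -> 65536 + 512 + 2 = 66050
};

// The LDAP transform stores userAccountControl as text in u_ad_user_account.
// Returns the numeric value, or null when the field is empty or not a number.
function parseUac(value) {
  if (value === null || value === undefined || String(value).trim() === '') return null;
  const n = Number(value);
  return Number.isInteger(n) && n >= 0 ? n : null;
}

// True when the ACCOUNTDISABLE bit is set, whatever the other flags are.
function isDisabled(uac) {
  return (uac & UAC.ACCOUNTDISABLE) !== 0;
}

// Business-rule logic. `record` is an assumed plain-object stand-in for the
// platform's `current` GlideRecord. Sets `active` and returns the new value,
// or returns null (leaving `active` untouched) when the field is unparseable.
function applyAdStatus(record) {
  const uac = parseUac(record.u_ad_user_account);
  if (uac === null) return null;
  record.active = !isDisabled(uac);
  return record.active;
}

// Constructed sample records mirroring what the transform map would write.
const samples = [
  { user_name: 'a.normal',    u_ad_user_account: '512',   active: true },
  { user_name: 'b.disabled',  u_ad_user_account: '514',   active: true },
  { user_name: 'c.dis.noexp', u_ad_user_account: '66050', active: true },
  { user_name: 'd.blank',     u_ad_user_account: '',      active: true }
];
samples.forEach(r => console.log(r.user_name, 'active =', applyAdStatus(r)));
```

An exact `== 514` check would leave c.dis.noexp active; the bit test does not.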