How to filter out disabled accounts from ldap?

dave_mankoff · March 15, 2006, 10:39pm

I’'m running active directory and have some accounts that are disabled but not deleted. Is there a way I can search, based on the ‘‘userAccountControl’’ field to filter them out? I found this as a reference:

http://www.computerperformance.co.uk/ezine/ezine23b.htm

It appears as though having the 0x0002 bit set indicates that the account is disabled, (I doubled checked this and it’‘s true in my system.) Unfortunately, I can’'t just check for values of 512 vs. 514 since some users have other flags set. How do I do a bitwise AND?

Jay · March 16, 2006, 4:38am

Ick- what a horrid way to manage account status in LDAP. LDAP has no bitwise functions, everything is a logical operator, so something would need to be implemented post-query to figure it out.

Is there perhaps something else you could check? Maybe some group membership status? Another field to filter?

dave_mankoff · March 16, 2006, 3:35pm

Nothing that I’'ve found. Perhaps jabber-side filtering of disabled acounts could be added as a plugin?

Win_Myo_Htet · March 16, 2006, 5:09pm

May be you want to take a look at this JM-160

regards,

wmhtet

Dave_Wong · March 16, 2006, 6:45pm

I’'m just using the ldapSearchFilter in wildfire.xml to filter out our disabled (but not deleted) accounts. See below:

/code

Works for me with AD on Win2K3.