
How to filter out disabled accounts from ldap?

I'm running Active Directory and have some accounts that are disabled but not deleted. Is there a way I can search, based on the userAccountControl field, to filter them out? I found this as a reference:


It appears as though having the 0x0002 bit set indicates that the account is disabled (I double-checked this and it's true in my system). Unfortunately, I can't just check for values of 512 vs. 514, since some users have other flags set. How do I do a bitwise AND?

Ick, what a horrid way to manage account status in LDAP. LDAP has no bitwise functions; everything is a logical operator, so something would need to be implemented post-query to figure it out.

Is there perhaps something else you could check? Maybe some group membership status? Another field to filter?

Nothing that I've found. Perhaps Jabber-side filtering of disabled accounts could be added as a plugin?

Maybe you want to take a look at JM-160.



I'm just using the ldapSearchFilter in wildfire.xml to filter out our disabled (but not deleted) accounts. See below:


Works for me with AD on Win2K3.
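For the bitwise AND the question asks about, and for the kind of ldapSearchFilter the last post describes (whose actual filter text did not survive on this page), here is an added example. It is not the poster's wildfire.xml and not Wildfire project code. Although the second reply says LDAP has no bitwise functions, Active Directory does expose one as an extensible-match rule: LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803) matches when every bit of the asserted value is set in the attribute, and LDAP_MATCHING_RULE_BIT_OR (1.2.840.113556.1.4.804) matches when any of them is. The code builds the filter, then evaluates the same rule over a few constructed userAccountControl values to show why the 512-vs-514 equality check fails once other flags are set. The sample entries and the post-query helper are this example's own assumptions.

```python
"""Filter disabled Active Directory accounts via userAccountControl.

Added example, not from the original thread. The OIDs and flag bits are
Microsoft-documented; the sample entries below are constructed for
illustration and are not real directory data.
"""

# userAccountControl flag bits
ACCOUNTDISABLE = 0x0002         # account is disabled
NORMAL_ACCOUNT = 0x0200         # 512: a plain user account
DONT_EXPIRE_PASSWORD = 0x10000  # 65536: password never expires

# Active Directory extensible-match rules for bit tests in LDAP filters
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR


def enabled_users_filter(base="(objectCategory=person)(objectClass=user)"):
    """LDAP filter keeping user objects whose ACCOUNTDISABLE bit is clear.

    The clause userAccountControl:<BIT_AND OID>:=2 matches entries where
    bit 0x0002 is set, so wrapping it in (!...) keeps only enabled users.
    """
    return f"(&{base}(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))"


def bit_match(attr_value, rule_oid, asserted):
    """Evaluate an AD bitwise extensible-match clause on one integer value."""
    if rule_oid == BIT_AND:
        return (attr_value & asserted) == asserted  # all asserted bits set
    if rule_oid == BIT_OR:
        return (attr_value & asserted) != 0         # any asserted bit set
    raise ValueError(f"unknown matching rule {rule_oid}")


def is_disabled(entry):
    """Post-query test equivalent to the BIT_AND clause in the filter above."""
    return (entry["userAccountControl"] & ACCOUNTDISABLE) != 0


def enabled_names(entries):
    """Names of entries the server-side filter would return."""
    return [e["sAMAccountName"] for e in entries
            if not bit_match(e["userAccountControl"], BIT_AND, ACCOUNTDISABLE)]


def naive_equality_names(entries):
    """The approach the question rules out: (userAccountControl=512).

    It drops every enabled user who carries any additional flag.
    """
    return [e["sAMAccountName"] for e in entries
            if e["userAccountControl"] == NORMAL_ACCOUNT]


# Constructed sample entries (assumption: not taken from any real directory)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512},    # enabled
    {"sAMAccountName": "bob", "userAccountControl": 514},      # disabled
    {"sAMAccountName": "carol", "userAccountControl": 66048},  # enabled, pwd never expires
    {"sAMAccountName": "dave", "userAccountControl": 66050},   # disabled, pwd never expires
]

if __name__ == "__main__":
    print(enabled_users_filter())
    print("bitwise filter keeps:", enabled_names(SAMPLE_ENTRIES))
    print("equality on 512 keeps:", naive_equality_names(SAMPLE_ENTRIES))
```

The string returned by `enabled_users_filter()` is the shape of filter that belongs in a search-filter setting such as ldapSearchFilter. Because wildfire.xml is XML, the `&` at the start of the filter must be written as `&amp;` inside the element or the file will not parse. The `is_disabled` helper is the post-query fallback for a directory that lacks these matching rules; against Active Directory the server-side clause is preferable, since it avoids pulling disabled accounts over the wire at all.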