LDAP/AD Filter disabled users?

Well, I finally got everything up and running with all filters in place in a test environment but I have one issue. In our AD we never delete users, we just disable users who have temporarily left the organization (military service, etc.) or quit. I would like to create a filter that would ignore disabled accounts without having to manually create a separate group that I would add and remove users from as they leave and come back to the organization. Is it possible to do this?

try this filter:

(&(userAccountControl=66048)(memberOf=CN=users,DC=domain,DC=com))

where CN will be the container that contains your users and domain of course is your domain name.

userAccountControl=66048 is the filter that gets all accounts not disabled.

Let me know how it goes.

Thanks for the reply. I have been unable to successfully add your suggestion to my current filter. (ignore the weird space in each example, I'm not sure why they are showing up)

Working:

I tried:

and:

Any glaring errors that you can see that would be causing these not to work?

Try

Your containers look suspicious: cn=group,cn=container

are you sure the list of users you want to pull is under those two containers? I'm going to suggest using CN=users only because that's usually the default location for user accounts in AD. But if you have the user accounts in another container, then use the proper CN value.

I was using a group that was inside the Users container called "chat" and I wanted the user list in the jive admin panel to only show the users in that container (when I didn't put the users in a group jive made a user out of every object in the User container.) However, in an attempt to remove that as a possible source of error I reverted back to pulling all objects from the User container and tried using your suggested filter and I was unable to log in. Here is my working config:

 </searchFilter>
        <groupSearchFilter>
 <![CDATA[(&(member=)(sAMAccountName=chat))]]>

I tried replacing my searchFilter with yours and I tried another where I removed the “cn=chat” and was also unable to log in with either config.

try this one:

I changed your base dn to include the container Chat

as well as the admin DN. Also please make sure that you include the appropriate ldap accounts with access to log onto Jive under the

Unfortunately this didn't work either. Every time I add the "userAccountControl=66048" to my working config I am unable to log in. Additionally, just adding cn=chat to the baseDN without changing anything else in my working config prohibits me from logging in as well.

I downloaded the free LDAP browser that you linked to and tried using "userAccountControl=66048" as a filter to search on the User container and it returned two users (of the 5 total that are in the container); the enabled users that it didn't return belong to the same groups as the two results that the filtered search provides. Any idea why the other enabled users in that container would not show up?

Ok, after playing with AD some I finally figured out that users with "password never expires" unchecked are not included in the "userAccountControl=66048" filter. I just ended up changing my filter to:

I could never get it to work with "userAccountControl=66048" and something else. This solution does leave a couple of extra users in Jive Admin but at least the disabled users don't appear in client's lists. Thanks for the assistance SupaXStarz.

I tried using 66048 and it only turned up accounts whose passwords were set not to expire. I looked it up at http://support.microsoft.com/?kbid=305144 and found that this is because it is 65536 --> DONT_EXPIRE_PASSWORD and 512 --> NORMAL_ACCOUNT. You want to change that portion to

(!userAccountControl=514)

Add this to your query filter:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

For more AD filters check this LDAP Search Samples for Windows Server 2003 and Exchange 2000/2003 | Petri
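The three filters that appear in this thread (an equality match on 66048, the negated equality on 514, and the bit-AND matching rule 1.2.840.113556.1.4.803 on bit 2) behave very differently against real userAccountControl values, which is why the 66048 filter missed the "password expires" users and why only the last one is a true "not disabled" test. The script below is an added example, not code from the thread or from Jive: it decodes userAccountControl using the flag values from KB 305144, then evaluates each of the three filters the way the directory server would, against a handful of constructed sample accounts (the names and values are made up for the demonstration, not taken from any directory).

```python
"""Compare the disabled-user filters from the thread against sample accounts.

Added example, not part of the original thread. The accounts below are
constructed for the demonstration, not pulled from any directory.
"""

# userAccountControl flag bits, as documented in Microsoft KB 305144.
SCRIPT = 0x0001
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000

FLAG_NAMES = {
    SCRIPT: "SCRIPT",
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    LOCKOUT: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

# Constructed sample accounts: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("alice", 512),    # NORMAL_ACCOUNT; enabled, password expires
    ("bob", 66048),    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; enabled
    ("carol", 514),    # NORMAL_ACCOUNT | ACCOUNTDISABLE; disabled
    ("dave", 66050),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE; disabled
    ("erin", 544),     # NORMAL_ACCOUNT | PASSWD_NOTREQD; enabled
]


def decode_uac(value: int) -> list[str]:
    """Name every flag bit set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_enabled(uac: int) -> bool:
    """Ground truth: an account is enabled iff ACCOUNTDISABLE (bit 2) is clear."""
    return not (uac & ACCOUNTDISABLE)


# The three filters from the thread, as predicates on userAccountControl.
def filter_equals_66048(uac: int) -> bool:
    """(userAccountControl=66048): exact match on NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD."""
    return uac == 66048


def filter_not_514(uac: int) -> bool:
    """(!(userAccountControl=514)): excludes only the exact value NORMAL_ACCOUNT|ACCOUNTDISABLE."""
    return uac != 514


def filter_bitand_not_disabled(uac: int) -> bool:
    """(!(userAccountControl:1.2.840.113556.1.4.803:=2)): LDAP_MATCHING_RULE_BIT_AND on bit 2."""
    return not (uac & ACCOUNTDISABLE)


def apply_filter(pred, accounts=SAMPLE_ACCOUNTS) -> list[str]:
    """Return the sAMAccountNames the filter would match, in directory order."""
    return [name for name, uac in accounts if pred(uac)]


def compare_filters(accounts=SAMPLE_ACCOUNTS) -> dict:
    """For each filter: who matched, which enabled users it dropped, which disabled users leaked."""
    enabled = {name for name, uac in accounts if is_enabled(uac)}
    report = {}
    for label, pred in (
        ("userAccountControl=66048", filter_equals_66048),
        ("!(userAccountControl=514)", filter_not_514),
        ("!(userAccountControl:1.2.840.113556.1.4.803:=2)", filter_bitand_not_disabled),
    ):
        matched = set(apply_filter(pred, accounts))
        report[label] = {
            "matched": sorted(matched),
            "missed_enabled": sorted(enabled - matched),
            "leaked_disabled": sorted(matched - enabled),
        }
    return report


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:6} {uac:7} {'|'.join(decode_uac(uac))}")
    for label, result in compare_filters().items():
        print(label, result)
```

Only the bit-AND filter matches exactly the enabled set: the 66048 equality drops alice and erin (enabled accounts whose value is not exactly 66048), and the negated 514 lets dave through because a disabled account with "password never expires" has value 66050, not 514. Note that RFC 4515 filter syntax puts the negated item in its own parentheses, `(!(userAccountControl:1.2.840.113556.1.4.803:=2))`; the predicates above use that form. To exclude disabled accounts in a Jive-style searchFilter you would AND this clause with whatever object-class or group clauses you already have.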