Find inactive LDAP accounts by using the userAccountControl field

Xanadu Platform security

Release

xanadu

ft:locale

en-US

ft:publication_title

Xanadu Platform security

ft:clusterId

psec

bundleId

psec

workflow

Platform

Find inactive LDAP accounts by using the userAccountControl field

Release version: Xanadu

Updated August 1, 2024

1 minute to read

Identify when an Active Directory (AD) user is deleted (or made inactive).

Role required: admin

One method is to track the active status of AD users and create a business rule to update corresponding accounts when an AD account is inactive.

Create a new string field on the User [sys_user] table to track the value of the AD userAccountControl field.
For example: u_ad_user_account.
Create an LDAP transform script to set the field value.
```
target.u_ad_user_account = source.userAccountControl
```

Update the LDAP filter to show disabled AD accounts.

Here is an example of a filter.

(&(objectClass=person)(sn=*)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Here is an example of a replacement filter you can use.

(&(objectClass=person)(sn=*)(!(objectClass=computer)))

Create an onChange business rule to set the active field to false whenever the u_ad_user_account field has the value 514.
'514' indicates an inactive account.