The following attributes are visible when you open Advanced Properties on a user object...
edsaAccountIsDisabled
edsaAccountLockedOut
However, they are not available for selection within the Find Users, Contacts, and Groups dialog box.
It is also not possible to create a Managed Unit or a Dynamic Group based on these attributes.
Because these attributes are computed, it is not possible to search by either edsaAccountLockedOut or edsaAccountIsDisabled.
It is described in Active Roles SDK Using Virtual Attributes chapter:
Built-in virtual attributes: Built-in VAs are created at the ActiveRoles Administration Service installation time. These attributes are only calculated when used and are not stored in the ActiveRoles Administration database. The objects that represent the built-in VAs (objects of the attributeSchema type ) are stored in the container:
"CN=Schema,CN=Application Configuration,cn=Configuration".
Computed Virtual Attributes are not cached and cannot be searched. You can access and modify these attributes using the Get, GetEx, Put, PutEx methods of the IADs interface. The built-in VAs for some object classes are described in ActiveRoles Server Schema
You can use LDAP queries as follows to achieve desired:
Disabled normal accounts - (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=514))
Locked accounts - (&(objectClass=user)(sAMAccountType=805306368)(lockoutTime>=127953970800000000))
In the Active Roles Console, it is possible to perform a Find operation on the Advanced tab by performing a Bitwise operator search.
For example, in order to retrieve all disabled normal accounts:
userAccountControl Bitwise AND 514
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center