When you create a Dynamic Group or a Managed Unit in Active Roles, disabled ("deactivated") user accounts will by default appear in the membership list whenever they match your membership criteria.
This is by design: the membership rules match on the criteria you give them, and "account is disabled" is not one of those criteria unless you add it.
Dynamic Groups and Managed Units, as well as Query-based Distribution Groups, use LDAP (Lightweight Directory Access Protocol) to query objects in Active Directory (AD).
An LDAP filter on the appropriate bit of the userAccountControl attribute can be used to filter out disabled accounts.
Microsoft provides more information on User Account Control flag values in this resource.
userAccountControl is a bit mask, not a single value. For example, a normal user account has the NORMAL_ACCOUNT flag, value 512. A disabled account has the ACCOUNTDISABLE flag, value 2.
So a disabled normal user account has a userAccountControl of 512+2, or 514 (and more if other flags such as "password never expires" are also set).
Because the attribute is a bit mask, a plain equality filter such as (userAccountControl=2) would match almost nothing. You need the LDAP bitwise-AND matching rule, OID 1.2.840.113556.1.4.803, which tests whether the ACCOUNTDISABLE bit is set regardless of what other bits are present. A filter built that way returns all disabled accounts of all types (users and computers alike).
To exclude disabled accounts from a query, add an "Exclude by Query" membership rule and enter this LDAP filter under the "Custom Search" option (note the single pair of outer parentheses; a doubled pair is not a valid LDAP filter):
(userAccountControl:1.2.840.113556.1.4.803:=2)
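The following PowerShell script is an added example, not part of the One Identity article or of Active Roles itself. The first half decodes constructed userAccountControl values bit by bit, so you can see why a disabled user carries 514 rather than 2 and why the bitwise-AND matching rule is required; the second half runs the same filter as the Exclude-by-Query rule above against the domain (it assumes the Microsoft ActiveDirectory module and read access to the directory), so you can check what the rule will remove before you save it. The flag names and values come from Microsoft's userAccountControl documentation; the sample objects are invented.

```powershell
# Added example (not code from the One Identity article or from Active Roles).
# Part 1: decode userAccountControl values offline and emulate the LDAP
#         bitwise-AND matching rule (1.2.840.113556.1.4.803).
# Part 2: run the article's Exclude-by-Query filter against the domain.

# userAccountControl flags relevant here (values from Microsoft's documentation).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x0002    # 2
    NORMAL_ACCOUNT            = 0x0200    # 512
    WORKSTATION_TRUST_ACCOUNT = 0x1000    # 4096 (computer objects)
    DONT_EXPIRE_PASSWORD      = 0x10000   # 65536
}

function Get-UacFlagNames {
    # Return the names of every flag set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-LdapBitAnd {
    # Emulates LDAP_MATCHING_RULE_BIT_AND: true when every bit of $Mask is set.
    # (userAccountControl:1.2.840.113556.1.4.803:=2) is Test-LdapBitAnd -Mask 2.
    param([Parameter(Mandatory)][int]$Value, [Parameter(Mandatory)][int]$Mask)
    return (($Value -band $Mask) -eq $Mask)
}

# Constructed sample objects; not taken from any real directory.
$samples = @(
    @{ Name = 'enabled user';              UAC = 512   }
    @{ Name = 'disabled user';             UAC = 514   }   # 512 + 2
    @{ Name = 'disabled user, pwd never expires'; UAC = 66050 }  # 65536 + 512 + 2
    @{ Name = 'enabled computer';          UAC = 4096  }
    @{ Name = 'disabled computer';         UAC = 4098  }   # 4096 + 2
)

'--- Part 1: offline decode of constructed values ---'
foreach ($s in $samples) {
    $bitAnd2 = Test-LdapBitAnd -Value $s.UAC -Mask 2   # what the article's filter tests
    $eq2     = ($s.UAC -eq 2)                          # what (userAccountControl=2) tests
    '{0,-34} UAC={1,-6} flags={2,-42} bitAnd2={3,-5} eq2={4}' -f `
        $s.Name, $s.UAC, ((Get-UacFlagNames -Value $s.UAC) -join ','), $bitAnd2, $eq2
}
# Expected: bitAnd2 is True for every disabled sample, eq2 is False for all of them.

'--- Part 2: live check against the domain (needs the ActiveDirectory module) ---'
Import-Module ActiveDirectory

# Same filter as the Exclude-by-Query rule. Get-ADObject is used rather than
# Get-ADUser so you see every object type the rule would exclude.
$disabledFilter = '(userAccountControl:1.2.840.113556.1.4.803:=2)'
$disabled = @(Get-ADObject -LDAPFilter $disabledFilter -Properties userAccountControl)
"Objects the Exclude-by-Query rule would remove: $($disabled.Count)"
$disabled | Select-Object Name, ObjectClass,
    @{ n = 'Flags'; e = { (Get-UacFlagNames -Value $_.userAccountControl) -join ',' } } |
    Format-Table -AutoSize

# Equivalent positive form for an "Include by Query" rule that only ever admits
# enabled user objects: negate the same bitwise-AND test inside the user filter.
$enabledUsersFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
"Enabled users: $(@(Get-ADUser -LDAPFilter $enabledUsersFilter).Count)"
```

Part 1 runs anywhere PowerShell does and needs no domain; Part 2 is the check to run before committing the rule, since an Exclude-by-Query rule on that filter removes disabled computers and service accounts as well as disabled users, which is usually what you want but is worth confirming against the Dynamic Group's purpose.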
There are several online resources specific to LDAP queries and how to construct them. The following is from Technet and provides some of the basics: http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx.
The ARS SDK and Resource Kit also have a section entitled "LDAP Search Filter Syntax".