In some scenarios, it may be desirable to filter disabled User accounts out of an Active Directory Connector or Mapping in the Active Roles Synchronization Service.
Whether an Active Directory User account is enabled is stored as a bit flag with the value 2 in the userAccountControl attribute. In other words, if a User account is disabled, 2 is added to a base value. The base value differs depending on other statuses which are also stored in the userAccountControl attribute, so the status has to be read with a BITWISE AND 2 filter rather than by comparing against a single number.
Querying the userAccountControl attribute using a BITWISE AND filter is currently only possible using a PowerShell script.
WORKAROUND
On the Scope tab of the Active Directory Connector or in the Mapping filter, configure a filter using the following PowerShell script:
$srcObj["userAccountControl"] -band 2
This expression will return a value of 0 if an account is enabled and a value of 2 if an account is disabled.
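The following added example (not part of the original article or the product) runs the same expression over constructed userAccountControl values to show why the bitwise test is needed: the base value varies, so an equality check against 514 misses other disabled accounts. The hashtables standing in for $srcObj, the account names and the Test-AccountDisabled helper are assumptions made for illustration.

```powershell
# Added example: constructed userAccountControl values, not data from a real directory.
$ACCOUNTDISABLE = 0x2   # the disabled bit, i.e. the "2" in the filter

# Stand-ins for the $srcObj the Synchronization Service hands to the script.
# Assumption: a hashtable indexed by attribute name behaves the same for this expression.
$samples = @(
    @{ sAMAccountName = 'alice'; userAccountControl = 512   }  # NORMAL_ACCOUNT
    @{ sAMAccountName = 'bob';   userAccountControl = 514   }  # NORMAL_ACCOUNT + disabled
    @{ sAMAccountName = 'carol'; userAccountControl = 66048 }  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    @{ sAMAccountName = 'dave';  userAccountControl = 66050 }  # same as carol + disabled
    @{ sAMAccountName = 'erin';  userAccountControl = 546   }  # NORMAL_ACCOUNT + PASSWD_NOTREQD + disabled
)

# Hypothetical helper: turns the 0 / 2 result of the filter expression into a boolean.
function Test-AccountDisabled {
    param([hashtable]$srcObj)
    return (($srcObj['userAccountControl'] -band $ACCOUNTDISABLE) -ne 0)
}

$rows = foreach ($srcObj in $samples) {
    [pscustomobject]@{
        Account      = $srcObj['sAMAccountName']
        UAC          = $srcObj['userAccountControl']
        BandResult   = $srcObj['userAccountControl'] -band $ACCOUNTDISABLE   # filter expression
        Disabled     = Test-AccountDisabled $srcObj
        Equals514    = ($srcObj['userAccountControl'] -eq 514)               # naive comparison
    }
}

# Accounts where Disabled is True but Equals514 is False are the ones
# an equality filter would let through.
$rows | Format-Table -AutoSize
```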
STATUS
Enhancement ID 467535 has been created to include BITWISE operators in the Active Roles Synchronization Service so that this and other status filters can be used without requiring a custom PowerShell script.
Product Management will evaluate the request and this feature may become available in a future release of the product.
There are no guarantees that this specific enhancement request will be implemented in a future release.
For more information regarding our Enhancement Request policy, refer to our Global Support Guide on the Support Portal at: https://support.oneidentity.com/essentials/support-guide/