-
Título
HOW TO: Filter disabled accounts out of an Active Directory Connector or Mapping in the Active Roles Synchronization Service -
Descrição
In some scenarios, it may be desired to filter disabled User accounts out of an Active Directory Connector or Mapping in the Active Roles Synchronization Service.
-
Causa
Active Directory User account enablement status is stored as a BITWISE AND 2 filter on the userAccountControl attribute. In other words, if a User account is disabled, 2 will be added to a base value. The base value differs depending on other statuses which are also stored in the userAccountControl attribute.
Querying the userAccountControl attribute is using a BITWISE AND filter is currently only possible using a PowerShell script.
-
Resolução
WORKAROUND
On the Scope tab of the Active Directory Connector or in the Mapping filter, configure a filter using the following PowerShell script:
$srcObj["userAccountControl"] -band 2
This cmdlet will return a value if 0 if an account is enabled and a value of 2 if an account is disabled.
STATUS
Enhancement ID 467535 has been created to include BITWISE operators in the Active Roles Synchronization Service so that this and other status filters can be used without requiring a custom PowerShell script.
Product Management will evaluate the request and this feature may become available in a future release of the product.
There are no guarantees that this specific enhancement request will be implemented in a future release.
For more information regarding our Enhancement Request policy, refer to our Global Support Guide on the Support Portal at: https://support.oneidentity.com/essentials/support-guide/
-
Solicitação de alteração
467535