Excluding disabled users from AD Connector

We have had many customers asking that disabled Active Directory user accounts not be imported into the SCSM CMDB through the Active Directory Connector. This is easy to achieve with the LDAP filters introduced in SCSM 2012. This post demonstrates how to set up such a connector.

In my current test environment, I have an AD Connector set up to import all users and groups without any LDAP filter. With this setup, all users (and groups) from AD are imported, including disabled accounts. As an example, see the imported Guest account in the screenshot below:

image

So let us delete this AD Connector and create a new one. The important configuration is found in the wizard step Select objects. Choose the option Provide LDAP query filters for computers, printers, users, or user groups (advanced), and then click the checkbox next to Users or User Groups. Enter the following LDAP filter in the textbox:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Click Test Queries to validate the query.

image

Now complete the wizard, save the connector and wait for it to finish synchronizing. Then let us check the CMDB again:

image

The Guest account is no longer here. Cool! :)

The Active Directory attribute that records whether an account is disabled is named userAccountControl. It is a bitmask property, which is why the LDAP query we entered in the connector configuration uses a bitwise filter. You can read more about bitwise filters here.
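The following is an added example, not code from the original post: it evaluates the connector's filter against constructed userAccountControl values to show why a bitwise test catches every disabled account where a plain equality test on one value would not. The OID 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule and 2 is the disabled-account flag; the account names and the helper functions `matches` and `imported` are assumptions made for illustration.

```python
import re

# Active Directory matching-rule OIDs for bitmask attributes.
BIT_AND = "1.2.840.113556.1.4.803"  # match when all bits of the operand are set
BIT_OR = "1.2.840.113556.1.4.804"   # match when any bit of the operand is set

CLAUSE = re.compile(r"\((?P<attr>[\w-]+):(?P<oid>[\d.]+):=(?P<operand>\d+)\)")


def matches(ldap_filter, entry):
    """Evaluate one bitwise clause, optionally wrapped in (!...), against an entry."""
    text = ldap_filter.strip()
    if text.startswith("(!") and text.endswith(")"):
        return not matches(text[2:-1], entry)
    clause = CLAUSE.fullmatch(text)
    if clause is None:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    value = int(entry[clause["attr"]])
    operand = int(clause["operand"])
    if clause["oid"] == BIT_AND:
        return (value & operand) == operand
    if clause["oid"] == BIT_OR:
        return (value & operand) != 0
    raise ValueError(f"unknown matching rule: {clause['oid']}")


def imported(ldap_filter, entries):
    """Return the names of the entries the filter would let through."""
    return [e["sAMAccountName"] for e in entries if matches(ldap_filter, e)]


# Constructed sample accounts (hypothetical names); values are sums of flags.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},      # normal account
    {"sAMAccountName": "bob", "userAccountControl": 514},        # normal + disabled
    {"sAMAccountName": "svc-app", "userAccountControl": 66048},  # normal + password never expires
    {"sAMAccountName": "carol", "userAccountControl": 66050},    # as svc-app, but disabled
    {"sAMAccountName": "Guest", "userAccountControl": 66082},    # disabled, no password required
]

# The filter entered in the connector wizard.
CONNECTOR_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

if __name__ == "__main__":
    print(imported(CONNECTOR_FILTER, SAMPLE_USERS))
```

The three disabled accounts carry three different userAccountControl values, and the filter excludes all of them because it tests only the disabled bit.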


4 Responses to Excluding disabled users from AD Connector

  1. hazeeb says:

    But it is not syncing my printers and computers. Can you tell me how to add computers and printers?

  2. hazeeb says:

    Thank you Boss, that helped. Can you guide me to a good article which would help me with more LDAP queries, like syncing with a particular OU only or users in particular departments?
