Excluding disabled users from AD Connector

We have had many customers ask that disabled Active Directory user accounts not be imported into the SCSM CMDB through the Active Directory Connector. This can be achieved quite easily with the LDAP filters introduced in SCSM 2012. This post demonstrates how to set up such a connector.

In my current test environment, I have an AD Connector set up to import all users and groups without any LDAP filter. With this setup, all users (and groups) from AD are imported, including disabled accounts. As an example, see the imported Guest account in the screenshot below:

So let us delete this AD Connector and create a new one. The important configuration is found in the wizard step Select objects. Choose the option Provide LDAP query filters for computers, printers, users, or user groups (advanced), and then click the checkbox next to Users or User Groups. Enter the following LDAP filter in the textbox:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Click Test Queries to validate the query.

Now, complete the wizard, save the connector and wait for it to finish synchronizing. Now, let us check the CMDB again:

The Guest account is no longer here. Cool! 🙂

The attribute in which Active Directory stores the disabled state of an account is named userAccountControl. It is a bitmask, which is why the LDAP filter entered in the connector configuration uses a bitwise matching rule: the OID 1.2.840.113556.1.4.803 is the bitwise AND rule, and 2 is the ACCOUNTDISABLE bit. You can read more about bitwise filters here.
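To show what the filter actually does before you trust it in a connector, here is an added example (not part of the original post or of SCSM) that evaluates the bitwise matching rule offline against a constructed set of userAccountControl values. The account names and values are made up for illustration; the flag bits and rule OIDs are the documented Active Directory ones. It also goes slightly beyond the post by supporting the bitwise OR rule and plain equality, so you can see why a plain `(userAccountControl=514)` comparison would not be enough.

```python
import re

# Documented userAccountControl flag bits, used to build the constructed sample values.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Extensible matching rules Active Directory accepts for bitmask attributes.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR

_BITWISE_RE = re.compile(r"^\(userAccountControl:([\d.]+):=(\d+)\)$", re.IGNORECASE)
_EQUALITY_RE = re.compile(r"^\(userAccountControl=(\d+)\)$", re.IGNORECASE)

def matches(ldap_filter: str, uac: int) -> bool:
    """Evaluate a userAccountControl filter, optionally wrapped in (!...), for one value."""
    f = ldap_filter.strip()
    if f.startswith("(!") and f.endswith(")"):
        return not matches(f[2:-1], uac)      # strip the "(!" ... ")" negation
    m = _BITWISE_RE.match(f)
    if m:
        rule, mask = m.group(1), int(m.group(2))
        if rule == BIT_AND:
            return uac & mask == mask         # every bit of the mask is set
        if rule == BIT_OR:
            return uac & mask != 0            # at least one bit of the mask is set
        raise ValueError(f"unknown matching rule {rule}")
    m = _EQUALITY_RE.match(f)
    if m:
        return uac == int(m.group(1))         # plain equality: the whole value must match
    raise ValueError(f"unsupported filter: {ldap_filter}")

# Constructed sample directory: account name -> userAccountControl value.
SAMPLE_USERS = {
    "Guest": NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD,  # 66082
    "alice": NORMAL_ACCOUNT,                                                           # 512
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,                                            # 514
    "svc-backup": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                               # 66048
}

# The filter entered in the connector configuration above.
CONNECTOR_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

def select_users(ldap_filter: str, users=SAMPLE_USERS) -> list:
    """Return, sorted, the account names the connector would import under the filter."""
    return sorted(name for name, uac in users.items() if matches(ldap_filter, uac))

if __name__ == "__main__":
    print("bitwise AND filter imports:", select_users(CONNECTOR_FILTER))
    print("plain equality would import:", select_users("(!(userAccountControl=514))"))
```

The equality variant lets the disabled Guest account through because its value is 66082, not 514; only the bitwise rule catches every combination of flags that includes ACCOUNTDISABLE.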

6 thoughts on “Excluding disabled users from AD Connector”

  1. hazeeb May 13, 2013 / 14:58

    But it is not syncing my printers and computers. Can you tell me how to add computers and printers?

    • Dieter Gasser May 13, 2013 / 15:03

      Try ticking the checkbox and use “(cn=*)” as the LDAP filter criteria (without quotation marks).

  2. hazeeb May 16, 2013 / 07:23

    Thank you Boss, that helped. Can you guide me to a good article which would help me with more LDAP queries? Like syncing with a particular OU only, or users in particular departments.

  3. Dann Cox October 5, 2016 / 19:38

    This is helpful. However, what I’m seeing is accounts returned by searches that no longer exist in AD; removed user accounts. How can we purge these accounts?

    • Dieter Gasser March 15, 2018 / 23:31

      The AD Connector does not remove accounts which no longer exist in AD. You have to take care of this yourself (with a custom script/workflow/runbook).
