We have had many customers demanding that disabled Active Directory user accounts are not imported into the SCSM CMDB through the Active Directory Connector. This can be achieved pretty easily with the introduction of LDAP filters in SCSM 2012. This post demonstrates how you can establish such a connector.
In my current test environment, I have an AD Connector set up to import all users and groups without any LDAP filter. With this setup, all users (and groups) from AD are imported, including disabled accounts. As an example, see the imported Guest account in the screenshot below:
So let us delete this AD Connector and create a new one. The important configuration is found in the wizard step Select objects. Choose the option Provide LDAP query filters for computers, printers, users, or user groups (advanced), and then click the checkbox next to Users or User Groups. Enter the following LDAP filter in the textbox:
Click Test Queries to validate the query.
Complete the wizard, save the connector and wait for it to finish synchronizing. Then let us check the CMDB again:
The Guest account is no longer here. Cool! 🙂
Active Directory stores the information about disabled accounts in the userAccountControl attribute. This is a bitmask property, which is why the LDAP query we entered in the connector configuration uses bitwise filters. You can read more about bitwise filters here.
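The following added example (not code from the original post) shows why a bitwise filter is needed on userAccountControl: it evaluates Active Directory's bitwise matching rules against a few accounts and compares the result with a plain equality test. The filter clauses and the sample accounts are assumptions constructed for illustration, not the filter the post itself used.

```python
import re

# Active Directory matching-rule OIDs for bitwise LDAP filters
BIT_AND = "1.2.840.113556.1.4.803"  # match when ALL bits of the value are set
BIT_OR = "1.2.840.113556.1.4.804"   # match when ANY bit of the value is set

# Assumed filter clause (not taken from the post): ACCOUNTDISABLE bit (0x2) not set
ENABLED_ONLY = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
# Naive alternative: plain equality against a single "disabled" value
NOT_514 = "(!(userAccountControl=514))"

# Constructed sample accounts: sAMAccountName -> userAccountControl
ACCOUNTS = {
    "alice": 0x200,                         # 512   NORMAL_ACCOUNT
    "bob": 0x200 | 0x2,                     # 514   + ACCOUNTDISABLE
    "svc-backup": 0x200 | 0x10000,          # 66048 + DONT_EXPIRE_PASSWORD
    "carol": 0x200 | 0x10000 | 0x2,         # 66050 disabled, non-expiring password
    "Guest": 0x200 | 0x10000 | 0x20 | 0x2,  # 66082 disabled, PASSWD_NOTREQD
}

CLAUSE = re.compile(
    r"^\((?P<neg>!\()?userAccountControl(?::(?P<oid>[\d.]+):)?=(?P<val>\d+)\)(?(neg)\))$"
)

def clause_matches(clause, uac):
    """Evaluate one (optionally negated) userAccountControl clause."""
    m = CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause}")
    value, oid = int(m["val"]), m["oid"]
    if oid is None:
        hit = uac == value              # ordinary equality match
    elif oid == BIT_AND:
        hit = (uac & value) == value
    elif oid == BIT_OR:
        hit = (uac & value) != 0
    else:
        raise ValueError(f"unknown matching rule: {oid}")
    return not hit if m["neg"] else hit

def imported(clause, accounts=ACCOUNTS):
    """Names of the accounts the filter clause would let through."""
    return [name for name, uac in accounts.items() if clause_matches(clause, uac)]

if __name__ == "__main__":
    print("bitwise :", imported(ENABLED_ONLY))
    print("equality:", imported(NOT_514))
```

The equality clause still lets carol and Guest through, because their other flags change the numeric value even though the disabled bit is set; the bitwise clause tests only that bit.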