If you have noticed that disabled users in Active Directory (AD) in your company are still showing up in the sync, you may want to update the sync so that it only pulls in active users.
Answer:
The userAccountControl attribute is used to store the account options for an AD user object. These options include the status of the account (e.g. disabled, or locked out). Each option is a property flag. These flags are cumulative and thus there is only ever one value for userAccountControl.
Therefore it makes sense to create an exclusion filter to avoid synchronizing disabled accounts and so on. This one is easy and finds its way into most documentation, such as the very good Configure profile synchronization. However, it is a bit more tricky when dealing with other property flags and combinations of them, because the filter has to test individual bits within that single value rather than compare the whole number.
Now, for the steps:
- Go to your Central Admin website
- Go to "Application Management"
- Go to "Service Applications -> Manage Service Applications"
- Click on "User Profile Service Application"
- Click on "Synchronization -> Configure Synchronization Connections"
- Click on your connection and select "Edit Connection Filters" from the menu
- Add a new Exclusion Filter for Users and select "userAccountControl" as the attribute, "Bit on equals" as the operator, and "2" as the filter. Make sure also that you correctly have AND and OR selected if there are any other exclusion filters already there.
- Click "OK"
The next time it syncs, your disabled accounts should be gone.
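To see why "Bit on equals 2" works, and why the AND/OR choice matters once more than one exclusion filter is present, here is an added example that models the filter logic over a handful of constructed accounts. It is not SharePoint or Active Directory code: the flag table is the documented userAccountControl bit layout, the "Bit on equals" operator is the one used in the steps above, and the extra "Bit off equals" operator and the sample account values are assumptions made for the illustration.

```python
# Added example: models how a "Bit on equals" exclusion filter on
# userAccountControl selects accounts, using constructed sample data.
# This is illustration code, not the SharePoint or AD implementation.

# Documented userAccountControl property flags (bit value -> name).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample accounts (not real directory data). The cumulative
# userAccountControl value is the sum of the flags that are set.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},        # NORMAL_ACCOUNT
    {"sAMAccountName": "bob", "userAccountControl": 514},          # NORMAL + DISABLED
    {"sAMAccountName": "svc_backup", "userAccountControl": 66048}, # NORMAL + DONT_EXPIRE
    {"sAMAccountName": "carol", "userAccountControl": 66050},      # NORMAL + DISABLED + DONT_EXPIRE
    {"sAMAccountName": "dave", "userAccountControl": 8389120},     # NORMAL + PASSWORD_EXPIRED
]


def decode_uac(value):
    """Split one cumulative userAccountControl integer into its flag names."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def bit_on_equals(value, mask):
    """'Bit on equals': true when every bit in mask is set in value."""
    return (value & mask) == mask


def bit_off_equals(value, mask):
    """Assumed companion operator: true when none of the mask bits are set."""
    return (value & mask) == 0


OPERATORS = {
    "Bit on equals": bit_on_equals,
    "Bit off equals": bit_off_equals,
}


def is_excluded(account, filters, combine="OR"):
    """Evaluate exclusion filters [(attribute, operator, operand), ...].

    combine="OR": excluded if any filter matches (the usual intent);
    combine="AND": excluded only if every filter matches.
    """
    results = [OPERATORS[op](account.get(attr, 0), operand)
               for attr, op, operand in filters]
    return any(results) if combine == "OR" else all(results)


def sync_candidates(accounts, filters, combine="OR"):
    """Return the sorted sAMAccountNames that survive the exclusion filters."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if not is_excluded(a, filters, combine))


# The filter from the steps above: userAccountControl, Bit on equals, 2.
DISABLED_FILTER = [("userAccountControl", "Bit on equals", ACCOUNTDISABLE)]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(a["sAMAccountName"], a["userAccountControl"], decode_uac(a["userAccountControl"]))
    print("synced with disabled filter:", sync_candidates(SAMPLE_ACCOUNTS, DISABLED_FILTER))
    two = DISABLED_FILTER + [("userAccountControl", "Bit on equals", DONT_EXPIRE_PASSWORD)]
    print("two filters, OR :", sync_candidates(SAMPLE_ACCOUNTS, two, "OR"))
    print("two filters, AND:", sync_candidates(SAMPLE_ACCOUNTS, two, "AND"))
```

Running it shows the point of the AND/OR warning: with a second filter on DONT_EXPIRE_PASSWORD, OR drops both the disabled accounts and the non-expiring service account, while AND drops only the one account that is disabled and non-expiring at the same time, so bob would keep appearing in the sync. To check the same condition directly against the directory before the next sync, the equivalent LDAP filter uses the bitwise-AND matching rule, `(userAccountControl:1.2.840.113556.1.4.803:=2)`, which can be passed to `Get-ADUser -LDAPFilter`.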