When synchronizing Active Directory (AD) users into your system, you may need to exclude users who are locked out. In AD, the lockoutTime attribute is used to identify whether an account is locked. To ensure that only non-locked accounts are synchronized, configure the system to ignore users whose lockoutTime attribute is other than 0.
Configuration Based on the lockoutTime Attribute:
- Modify Synchronization Settings: adjust the synchronization settings to filter out users whose lockoutTime attribute is other than 0. A non-zero value indicates that the account has been locked out and should not be imported into your system.
Using the UserAccountControl Attribute for Advanced Filtering:
- AD uses the UserAccountControl attribute to maintain various account state properties. For locked out users, you can identify the locked out status by checking for combinations of values in this attribute.
- Understanding UserAccountControl Values:
  - Normal Account: 512
  - Account Lockout: 16
  - To identify locked out accounts, you can search for those where UserAccountControl is equal to 528 (512 + 16).
- Configure Import Filter: configure the system to search for and synchronize only accounts that have UserAccountControl equal to 512, indicating that the account is normal and not locked out.
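The following is an added example, not code from the original article or from any particular sync product. It implements both filters described above in Python over constructed sample directory entries: the lockoutTime rule (any non-zero value means locked), an optional variant that honours the domain's lockout duration, and the UserAccountControl == 512 rule, and it builds the equivalent LDAP filter strings you would paste into a connector's user filter. Function names such as select_for_sync and ldap_filter, and the sample accounts, are my own. Two points worth knowing when choosing between the filters: AD stores lockoutTime as a Windows FILETIME and leaves it non-zero after the lockout window has expired until the account next logs on successfully, so the strict rule can exclude accounts that are no longer locked; and the LOCKOUT bit (16) is generally not maintained in the stored userAccountControl value (it is exposed through the computed attribute msDS-User-Account-Control-Computed), so the lockoutTime check is the more reliable of the two.

```python
"""Filter AD user entries for synchronization, excluding locked-out accounts (added example)."""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (values from Microsoft's UserAccountControl documentation).
UF_ACCOUNTDISABLE = 0x0002   # 2
UF_LOCKOUT = 0x0010          # 16
UF_NORMAL_ACCOUNT = 0x0200   # 512

# lockoutTime is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# 0 means the account is not locked (or an administrator has unlocked it).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCKOUT_DURATION_30M = timedelta(minutes=30)   # example domain policy value


def datetime_to_filetime(dt):
    """Convert an aware datetime to a FILETIME integer (used here to build sample data)."""
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft):
    """Convert a FILETIME integer back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_locked_by_lockout_time(entry, now=None, lockout_duration=None):
    """Lockout check based on lockoutTime.

    With lockout_duration=None this is exactly the article's rule: any non-zero
    lockoutTime means locked. Pass the domain's lockout duration to treat an
    expired lockout as unlocked (AD leaves lockoutTime non-zero after the window
    passes until the next successful logon, so the strict rule can over-exclude).
    """
    ft = int(entry.get("lockoutTime", 0) or 0)
    if ft == 0:
        return False
    if lockout_duration is None:
        return True
    now = now or datetime.now(timezone.utc)
    return filetime_to_datetime(ft) + lockout_duration > now


def is_locked_by_uac(entry):
    """Lockout check on the userAccountControl LOCKOUT bit (the article's 512 + 16 = 528 case)."""
    return bool(int(entry.get("userAccountControl", 0)) & UF_LOCKOUT)


def is_normal_account(entry):
    """The article's import rule: userAccountControl exactly 512 (normal, not locked, not disabled)."""
    return int(entry.get("userAccountControl", 0)) == UF_NORMAL_ACCOUNT


def select_for_sync(entries, now=None, lockout_duration=None, use_uac=False):
    """Return the sAMAccountNames that pass the chosen filter, in input order."""
    keep = []
    for e in entries:
        if use_uac:
            ok = is_normal_account(e)
        else:
            ok = not is_locked_by_lockout_time(e, now, lockout_duration)
        if ok:
            keep.append(e["sAMAccountName"])
    return keep


def ldap_filter(use_uac=False):
    """Server-side equivalent of select_for_sync, suitable for a connector's user filter."""
    base = "(objectCategory=person)(objectClass=user)"
    if use_uac:
        # Exactly 512, as the article describes; this also excludes disabled (514) accounts.
        return f"(&{base}(userAccountControl=512))"
    # lockoutTime absent (never set) or 0 (unlocked).
    return f"(&{base}(|(!(lockoutTime=*))(lockoutTime=0)))"


# Constructed sample directory entries (not real accounts), shaped as a connector would fetch them.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "lockoutTime": 0},
    {"sAMAccountName": "bob", "userAccountControl": 512,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},   # locked 5 minutes ago
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},     # lockout expired under a 30-minute policy
    {"sAMAccountName": "dave", "userAccountControl": 528, "lockoutTime": 0},   # 512 + 16 (LOCKOUT bit)
    {"sAMAccountName": "erin", "userAccountControl": 514, "lockoutTime": 0},   # 512 + 2 (disabled)
]

if __name__ == "__main__":
    print("strict lockoutTime rule:     ", select_for_sync(SAMPLE_ENTRIES))
    print("30-minute lockout window:    ", select_for_sync(SAMPLE_ENTRIES, NOW, LOCKOUT_DURATION_30M))
    print("userAccountControl == 512:   ", select_for_sync(SAMPLE_ENTRIES, use_uac=True))
    print(ldap_filter())
    print(ldap_filter(use_uac=True))
```

Running the script shows the difference between the three rules on the same sample: the strict lockoutTime rule drops bob and carol, the duration-aware variant keeps carol because her lockout window has passed, and the UserAccountControl == 512 rule drops dave and erin but keeps bob, whose stored flags say nothing about his lockout.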
Microsoft provides detailed documentation on how to understand and manipulate the UserAccountControl attribute, which can be accessed at the link: UserAccountControl and Account Property Manipulation.