When synchronizing Active Directory (AD) users into your system, you may need to exclude users who are locked out. In AD, the lockedTime attribute is used to identify whether an account is locked. To ensure that only non-locked accounts are synchronized, you should configure the system to ignore users with a lockedTime attribute other than 0.
Configuration Based on the lockedTime Attribute:
- Modify Synchronization Settings:
  - Adjust the synchronization settings to filter out users whose lockedTime attribute is other than 0. A nonzero value indicates that the account has been locked out and should not be imported into your system.
Using the UserAccountControl Attribute for Advanced Filtering:
- AD uses the UserAccountControl attribute to maintain various account state properties. Locked out status can be identified by checking for combinations of values in this attribute.
- Understanding UserAccountControl Values:
  - Normal Account: 512
  - Account Lockout: 16
  - To identify locked out accounts, search for those where UserAccountControl is equal to 528 (512 + 16).
- Configure Import Filter:
  - Configure the system to search for and synchronize only accounts whose UserAccountControl equals 512, indicating a normal account that is not locked out.
Microsoft provides detailed documentation on how to manipulate and understand the UserAccountControl attribute, which can be accessed at the link: UserAccountControl and Account Property Manipulation.
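As an added example (not code from the original article), the following Python builds the server-side LDAP filter for the UserAccountControl checks above and applies the same rules on the sync side to constructed sample entries. It goes beyond the text in two ways: it tests the lockout flag (16) bitwise rather than by equality with 528, because accounts commonly carry additional flags, and it treats a nonzero lockout timestamp (the AD schema attribute is lockoutTime) as current only within the domain's lockout duration, because AD does not reset the timestamp to 0 when an automatic lockout expires; the constant names, the 30-minute policy and the sample users are assumptions.

```python
from datetime import datetime, timedelta, timezone

UF_LOCKOUT = 0x0010         # 16  (flag values from the Microsoft docs; names are mine)
UF_NORMAL_ACCOUNT = 0x0200  # 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # lockoutTime is a FILETIME

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)  # 100 ns ticks

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def is_locked_out(entry, now, lockout_duration):
    """True if the account is locked out at `now`. AD resets lockoutTime to 0 only on an
    explicit unlock or the next successful logon, so a nonzero value older than the
    lockout duration is stale; lockout_duration=None means 'until an admin unlocks'."""
    lt = int(entry.get("lockoutTime", 0))
    if lt == 0:
        return False
    if lockout_duration is None:
        return True
    return filetime_to_datetime(lt) + lockout_duration > now

def has_flag(entry, flag):
    # Bitwise test rather than equality: an account with an extra flag such as
    # 65536 (DONT_EXPIRE_PASSWD) has uac 66048, and a uac == 512 rule would drop it.
    return (int(entry.get("userAccountControl", 0)) & flag) == flag

def sync_candidates(entries, now, lockout_duration):
    return [e["sAMAccountName"] for e in entries
            if has_flag(e, UF_NORMAL_ACCOUNT) and not has_flag(e, UF_LOCKOUT)
            and not is_locked_out(e, now, lockout_duration)]

# Server-side equivalent of the two flag checks via the LDAP bitwise-AND matching
# rule; the time-based lockoutTime check still has to run on the sync side.
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(userAccountControl:1.2.840.113556.1.4.803:=512)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=16)))")

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed domain lockout policy
SAMPLE_USERS = [  # constructed sample entries, not real directory data
    {"sAMAccountName": "alice", "userAccountControl": 512, "lockoutTime": 0},
    {"sAMAccountName": "bob", "userAccountControl": 528,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
    {"sAMAccountName": "dave", "userAccountControl": 66048, "lockoutTime": 0},
]
print(sync_candidates(SAMPLE_USERS, NOW, LOCKOUT_DURATION))  # ['alice', 'carol', 'dave']
```

With the 30-minute policy carol's two-hour-old lockout has expired and she is synchronized; with lockout_duration=None she is still excluded, which matches the article's plain "lockedTime other than 0" rule.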