Setting Up to Exclude Locked Users in Active Directory Synchronization

When synchronizing Active Directory (AD) users into your system, you may need to exclude users who are locked out. In AD, the lockoutTime attribute identifies whether an account is locked: it is 0 for an account that has never been locked (or has been unlocked), and non-zero for a locked account. To ensure that only non-locked accounts are synchronized, configure the system to ignore users whose lockoutTime attribute is other than 0.

Configuration Based on the lockoutTime Attribute:

  1. Modify Synchronization Settings:
  • Adjust the synchronization settings to filter out users whose lockoutTime attribute is other than 0. A non-zero value indicates that the account has been locked out and should not be imported into your system.

Using the UserAccountControl Attribute for Advanced Filtering:

  • AD uses the UserAccountControl attribute to maintain various account state properties. A locked-out account can be identified by checking for combinations of values in this attribute.
  1. Understanding UserAccountControl Values:
  • Normal Account: 512
  • Account Lockout: 16
  • To identify locked-out accounts, search for those where UserAccountControl is equal to 528 (512 + 16).
  2. Configure Import Filter:
  • Configure the system to search for and synchronize only accounts that have UserAccountControl equal to 512, indicating that the account is normal and not locked out.
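The following is an added example, not code from the original page or from any particular synchronization product. It applies both tests described above (a non-zero lockoutTime, and the lockout bit 16 in UserAccountControl) to a small set of constructed user records, and builds the equivalent LDAP filter a sync job could send to the directory. The account names, timestamps and the fixed "now" are all constructed; the optional lockout_duration refinement and the strict_normal_account switch are this example's own additions, included to show two edge cases: a lockoutTime that is stale because the domain's lockout window has already elapsed, and an account whose UserAccountControl is not exactly 512 because it carries an extra flag.

```python
"""Exclude locked-out AD users from a sync run (added example; sample data is constructed)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl bit values (hex values as Microsoft documents them; 16 and 512 are the page's values)
UF_ACCOUNTDISABLE = 0x0002       # 2
UF_LOCKOUT = 0x0010              # 16
UF_NORMAL_ACCOUNT = 0x0200       # 512
UF_DONT_EXPIRE_PASSWD = 0x10000  # 65536; 512 + 65536 = 66048 is common in real directories

# AD stores lockoutTime as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic only, so large tick counts round-trip exactly."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_locked_out(entry: dict, now: datetime, lockout_duration: Optional[timedelta] = None) -> bool:
    """True when the record fails either test from the page: the LOCKOUT bit (16)
    is set in userAccountControl, or lockoutTime is non-zero.
    If the domain's lockoutDuration is supplied, a lockoutTime older than that
    window is treated as expired (AD leaves the old value in place until the
    next successful logon), so the account is allowed through."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & UF_LOCKOUT:
        return True
    lockout_time = int(entry.get("lockoutTime", 0))
    if lockout_time == 0:
        return False
    if lockout_duration is None:
        return True  # the page's rule: any non-zero lockoutTime excludes the account
    return filetime_to_datetime(lockout_time) + lockout_duration > now


def select_for_sync(entries, now, lockout_duration=None, strict_normal_account=False):
    """Return the sAMAccountNames to import. strict_normal_account=True applies the
    page's 'UserAccountControl equal to 512' rule literally, which also drops
    accounts carrying extra flags such as DONT_EXPIRE_PASSWD (66048)."""
    selected = []
    for entry in entries:
        if is_locked_out(entry, now, lockout_duration):
            continue
        if strict_normal_account and int(entry.get("userAccountControl", 0)) != UF_NORMAL_ACCOUNT:
            continue
        selected.append(entry["sAMAccountName"])
    return selected


def ldap_filter_for_sync(strict_normal_account=False) -> str:
    """Server-side form of the same rules. 1.2.840.113556.1.4.803 is the
    LDAP_MATCHING_RULE_BIT_AND extensible-match rule that AD implements."""
    uac_clause = ("(userAccountControl=512)" if strict_normal_account
                  else "(!(userAccountControl:1.2.840.113556.1.4.803:=16))")
    return "(&(objectClass=user)(objectCategory=person)(!(lockoutTime>=1))" + uac_clause + ")"


# Constructed sample directory, evaluated at a fixed 'now' so results are repeatable
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "lockoutTime": 0},
    # locked 5 minutes ago: excluded by the lockoutTime test
    {"sAMAccountName": "bob", "userAccountControl": 512,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    # the page's 528 case: LOCKOUT bit set
    {"sAMAccountName": "carol", "userAccountControl": 512 + 16, "lockoutTime": 0},
    # normal account with a non-expiring password: not locked, but not exactly 512
    {"sAMAccountName": "dave", "userAccountControl": 512 + 65536, "lockoutTime": 0},
    # locked 2 hours ago: stale if the domain lockoutDuration is 30 minutes
    {"sAMAccountName": "erin", "userAccountControl": 512,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
]

if __name__ == "__main__":
    print(select_for_sync(SAMPLE_USERS, NOW))
    print(select_for_sync(SAMPLE_USERS, NOW, lockout_duration=timedelta(minutes=30)))
    print(select_for_sync(SAMPLE_USERS, NOW, strict_normal_account=True))
    print(ldap_filter_for_sync())
```

Two points worth checking in your own directory before relying on either rule. First, Active Directory surfaces the LOCKOUT bit through the constructed attribute msDS-User-Account-Control-Computed rather than in the stored userAccountControl value, so in most directories it is the lockoutTime test that actually fires; the bit test is kept here so the code matches the 528 rule above. Second, an exact match on 512 also excludes accounts that are merely carrying additional flags (dave in the sample data), so compare the number of accounts returned by the strict and non-strict filters before enabling the strict one in production.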

Microsoft provides detailed documentation on understanding and manipulating the UserAccountControl attribute, available at the link: UserAccountControl and Account Property Manipulation.