Hi,

I was revising our AD ldap user_filter and pass_filter to exclude more types of expired / disabled accounts.

I started adding things like:

(&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))

but then I thought, why not simply do:

(&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))

as 512 would be your regular active user accounts only, excluding all other account types.

Looking here (https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) there are so many different userAccountControl values to check, that it might be smarter to only allow userAccountControl=512, or....?

Any ideas on this..?

(or examples of how you do it?)

MJ
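
Added example (not part of MJ's message): userAccountControl is a bit field, so this Python sketch decodes the values named above and compares the two filters from the post with a bitwise test built on Active Directory's LDAP_MATCHING_RULE_BIT_AND matching rule. The sample values and the `bitwise` policy are assumptions made for the illustration.

```python
# Added example: compare the post's two filters with a bitwise test.
# Flag values are from the Microsoft article linked in the post.
FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE, NORMAL_ACCOUNT = 0x0002, 0x0200

# AD's bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND); %n as in the post.
BIT_AND = "1.2.840.113556.1.4.803"
BITWISE_FILTER = (
    "(&(objectclass=person)(sAMAccountName=%n)"
    f"(userAccountControl:{BIT_AND}:={NORMAL_ACCOUNT})"
    f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))"
)

def decode(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAGS.items() if uac & bit]

def exclusion_list(uac):
    """First filter in the post: reject four specific values."""
    return uac not in (514, 546, 66050, 8388608)

def exact_512(uac):
    """Second filter in the post: accept only userAccountControl=512."""
    return uac == 512

def bitwise(uac):
    """Assumed alternative: NORMAL_ACCOUNT set and ACCOUNTDISABLE clear."""
    return bool(uac & NORMAL_ACCOUNT) and not uac & ACCOUNTDISABLE

# Constructed sample values, not taken from a real directory.
SAMPLES = [512, 514, 546, 66048, 66050, 66082, 262656]

def compare(samples=SAMPLES):
    """Map each value to (exclusion_list, exact_512, bitwise) decisions."""
    return {u: (exclusion_list(u), exact_512(u), bitwise(u)) for u in samples}

if __name__ == "__main__":
    print(BITWISE_FILTER)
    for uac, verdict in compare().items():
        print(f"{uac:>8} {verdict} {'|'.join(decode(uac))}")
```

In the output, 66048 (an enabled account whose password never expires) is rejected by the exact-512 filter, while 66082 (disabled, with extra flags) passes the exclusion list; the bitwise test handles both.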
