search cancel

How to add Disabled Active Directory Accounts to the Excluded Group in PGP Universal Server


Article ID: 157301


Updated On:


Symantec Products


When a user leaves an organization their Active Directory account is often disabled.  You may wish to automatically add such user accounts to the Excluded group in PGP Universal Server using Directory Synchronization.


1. Ensure Directory Synchronization between PGP Universal Server and Active Directory is configured and working.

2. From the PGP Universal Server web interface, click on Consumers / Groups to list the groups.

3. Click on the Excluded group.

4. Check the option Match Consumers Via Directory Synchronization to enable it.

5. Under All LDAP Directories change the value in the drop down list to If any of the following apply.

6. Enter the following Attributes and Values:

  • Attribute: userAccountControl   Value: 514
  • Attribute: userAccountControl   Value: 546
  • Attribute: userAccountControl   Value: 66050
  • Attribute: userAccountControl   Value: 66082
  • Attribute: userAccountControl   Value: 262658
  • Attribute: userAccountControl   Value: 262690
  • Attribute: userAccountControl   Value: 328194
  • Attribute: userAccountControl   Value: 328226

7. Click Save.



The userAccountControl values have the following meanings.  You may wish to reduce the attributes you are checking if you know that some of these do not apply in your environment:

514 Disabled Account
546 Disabled, Password Not Required
66050 Disabled, Password Doesn't Expire
66082 Disabled, Password Doesn't Expire & Not Required
262658 Disabled, Smartcard Required
262690 Disabled, Smartcard Required, Password Not Required
328194 Disabled, Smartcard Required, Password Doesn't Expire
328226 Disabled, Smartcard Required, Password Doesn't Expire & Not Required

Note: Enabling the Match disabled Active Directory users option does not alter the way this LDAP matching works.

In some environments you may wish to apply these attributes and values against a specific LDAP directory rather than All LDAP directories.