Excluding Disabled Users From Schemus Search
Article ID: 281569
Updated On: 04-30-2025
Products
Email Security.cloud
Issue/Introduction
Disabled users' accounts do still exist in Active Directory and by default are returned by the Active Directory search.
Resolution
Disabled users can be excluded from the search by excluding those with the 'disabled' flag set in the userAccountControl attribute. Active Directory provides the Extensible Match rule '1.2.840.113556.1.4.803' for this purpose.
The filter to disregard disabled users is (!(userAccountControl:1.2.840.113556.1.4.803:=2)).
For example, if you are selecting All Users and Groups (the default in Schemus), the search filter will be:
(|(&(objectCategory=person)(objectClass=user))( objectCategory=group))
Exclude disabled users by modifying the search filter as follows:
(|(&(objectCategory=person)(objectClass=user)(!( userAccountControl:1.2.840. 113556.1.4.803:=2))
To change this in Schemus,
- start the application, open the configuration then click 'Modify'
- click on 'LDAP search'
- click the small button to the right of the search base
- edit the text in the 'Search filter' field as above.
- click 'Save'
- Perform a 'Test update' to check whether disabled users would be removed.
Feedback
Yes
No
Powered by
