Excluding Disabled Users From Schemus Search

Article ID: 281569

Updated On: 04-30-2025

Products

Email Security.cloud

Issue/Introduction

Disabled user accounts still exist in Active Directory and are returned by the Active Directory search by default.

Resolution

Disabled users can be excluded from the search by excluding those with the 'disabled' flag set in the userAccountControl attribute. Active Directory provides the Extensible Match rule '1.2.840.113556.1.4.803' for this purpose.

The filter to disregard disabled users is (!(userAccountControl:1.2.840.113556.1.4.803:=2)).

For example, if you are selecting All Users and Groups (the default in Schemus), the search filter will be:

(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))

Exclude disabled users by adding that clause inside the user branch of the filter (the group branch is left unchanged so groups are still returned):

(|(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectCategory=group))
To change this in Schemus:
  • Start the application, open the configuration, then click 'Modify'.
  • Click on 'LDAP search'.
  • Click the small button to the right of the search base.
  • Edit the text in the 'Search filter' field as above.
  • Click 'Save'.
  • Perform a 'Test update' to check whether disabled users would be removed.
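As an added illustration (not part of this article or of Schemus), the following Python models the filter logic described above: it builds the 'All Users and Groups' filter with and without the exclusion clause, checks that the parentheses balance before the filter is pasted into the 'Search filter' field, and applies the bitwise-AND rule to constructed directory entries. The entry attributes and the userAccountControl values are constructed sample data; objectClass is treated as single-valued here for simplicity.

```python
# Added example, not the article's or Schemus's own code. Models the AD search
# filter from the article and evaluates it against constructed entries.

# Rule 1.2.840.113556.1.4.803 is a bitwise AND: the attribute matches when every
# bit of the asserted value is set. Value 2 is the 'account disabled' bit.
UAC_ACCOUNTDISABLE = 0x2

EXCLUDE_DISABLED = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def build_filter(exclude_disabled: bool) -> str:
    """Return the 'All Users and Groups' filter, optionally without disabled users."""
    user_branch = "(&(objectCategory=person)(objectClass=user)"
    if exclude_disabled:
        user_branch += EXCLUDE_DISABLED   # clause goes inside the user branch only
    user_branch += ")"
    return f"(|{user_branch}(objectCategory=group))"


def is_balanced(ldap_filter: str) -> bool:
    """Sanity check before saving: every '(' must have a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def matches(entry: dict, exclude_disabled: bool) -> bool:
    """Evaluate the filter's logic on one constructed entry (objectClass single-valued)."""
    is_group = entry.get("objectCategory") == "group"
    is_user = entry.get("objectCategory") == "person" and entry.get("objectClass") == "user"
    if is_user and exclude_disabled:
        uac = int(entry.get("userAccountControl", 0))
        is_user = (uac & UAC_ACCOUNTDISABLE) != UAC_ACCOUNTDISABLE
    return is_user or is_group


# Constructed sample entries (not real directory data): 512 = normal account,
# 514 = normal account with the disabled bit set.
SAMPLE_ENTRIES = [
    {"cn": "alice", "objectCategory": "person", "objectClass": "user", "userAccountControl": 512},
    {"cn": "bob", "objectCategory": "person", "objectClass": "user", "userAccountControl": 514},
    {"cn": "staff", "objectCategory": "group"},
]


def select(entries, exclude_disabled: bool):
    """Names of the entries the filter would return."""
    return [e["cn"] for e in entries if matches(e, exclude_disabled)]
```

Running select(SAMPLE_ENTRIES, True) mirrors what a 'Test update' should show: the disabled account drops out while enabled users and groups remain.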