TIP: How to LDAP deny disabled AD accounts

Dec 15th, 2008

Ironport LDAP queries will successfully look up SMTP addresses of disabled AD accounts. For companies that disable accounts instead of deleting them, this can cause a lot of junk mail to accumulate in the account's associated mailbox.

We currently move all disabled AD accounts to a DisabledAccounts OU.

By denying the AD user account used for lookups all rights to that specific OU and its child objects, the Ironport now fails on lookups to that OU.


kluu_ironport Mon, 12/15/2008 - 21:29

Why not keep those "disabled" users in that OU and then create a custom incoming mail policy that matches incoming mail to the recipients that are members of that OU.

Then, you can create a content filter that simply drops those mail for that custom policy only.

steven_geerts Tue, 01/20/2009 - 23:32
I'm not an AD expert, but I can imagine that whether a user is disabled or not is just a simple attribute that is set to a certain value (or not set).

Try to find the correct value with the (terrible) MS tool LDP and extend your LDAP filter with it.

Beware: from what I know of the Exchange 5.5 "hide from address book" attribute, MS permits itself to have three possible situations for an attribute that can have only two values. (The attribute does not exist (false), the attribute has a value of "1" (true), or the attribute has a value of "0" (false).) I'm not sure if they have improved this within AD.

Regards Steven

borism.teched Mon, 04/06/2009 - 13:38
Does anyone know a working LDAP query? I'm testing a few of them, but nothing has worked yet.


jtw_ironport Mon, 04/06/2009 - 16:37

I'm trying to get the same thing working with no luck so far. It looks like the ldap engine on the appliance might not support those features of query strings, namely the ldap matching rules (!UserAccountControl:1.2.840.113556.1.4.803:=2), and, curiously, also the logical not operator ("!") which generates a syntax error.

I opened up a support case seeking guidance.

borism.teched Mon, 04/06/2009 - 16:50
This is one of the options:


but I'm not happy with that solution.
jtw_ironport Mon, 04/06/2009 - 16:59

I wouldn't be either. Using that construct you'd have to identify every valid value for userAccountControl and keep all of them in your query string.

steven_geerts Wed, 04/08/2009 - 21:57

Well... if I read the quoted MS article, the value for a disabled user is 514.

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.

The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).

This means that you must ask your LDAP filter to accept any value other than 514. (Or "must not be 514")

It might contain an error (I did not test it), but I think the LDAP filter

(& (|(mail={a}) (proxyAddresses=smtp:{a}) ) (!(userAccountControl=514)))

Would do the job... (At least my LDAP filter editor does not complain about syntax errors)

jtw_ironport Thu, 04/09/2009 - 15:04

The issue is that value of '2' can be added onto different account states. 514 is not the only value that a disabled user can have, so you have to identify all possible values of UserAccountControl that contain that value. It'd be a lot easier (and better) if the IronPort appliances just supported ldap bitwise matching rules (they don't, at least according to Support).


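The point made in the thread, worked through in code as an added example that is not part of the original discussion and is not IronPort's own code: a small constructed directory is evaluated against the `(!(userAccountControl=514))` filter proposed above, against the bitwise matching rule `userAccountControl:1.2.840.113556.1.4.803:=2` the appliance reportedly does not support, and against the "list every disabled value" workaround. The flag constants are the documented AD userAccountControl bits; the directory entries, the DN names and the choice of optional flags are assumptions made for the example.

```python
from itertools import combinations

# userAccountControl bit flags (documented AD constants). Only the bits this
# example needs are listed; 0x0002 and 0x0200 are the ones quoted in the thread.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # the OID used in the thread

# Constructed sample directory (hypothetical entries, not real data).
# carol is disabled *and* has "password never expires": 0x10202 = 66050, not 514.
DIRECTORY = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"],
     "userAccountControl": NORMAL_ACCOUNT},                                            # 512
    {"dn": "CN=bob,OU=DisabledAccounts,DC=example,DC=com", "mail": "bob@example.com",
     "proxyAddresses": ["SMTP:bob@example.com"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},                           # 514
    {"dn": "CN=carol,OU=DisabledAccounts,DC=example,DC=com", "mail": "carol@example.com",
     "proxyAddresses": ["SMTP:carol@example.com"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD},    # 66050
]


def address_matches(entry, addr):
    """Semantics of (|(mail={a})(proxyAddresses=smtp:{a})).
    AD matches both attributes case-insensitively, so "SMTP:" and "smtp:" both hit."""
    a = addr.lower()
    if entry.get("mail", "").lower() == a:
        return True
    return any(p.lower() == "smtp:" + a for p in entry.get("proxyAddresses", []))


def naive_filter(entry, addr):
    """The filter proposed in the thread:
    (&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl=514)))"""
    return address_matches(entry, addr) and entry["userAccountControl"] != 514


def bitwise_filter(entry, addr):
    """What the LDAP_MATCHING_RULE_BIT_AND rule would evaluate:
    (&(|(mail={a})(proxyAddresses=smtp:{a}))
      (!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return address_matches(entry, addr) and not (entry["userAccountControl"] & ACCOUNTDISABLE)


def lookup(filter_fn, addr):
    """Return the DNs the appliance would accept for a recipient address."""
    return [e["dn"] for e in DIRECTORY if filter_fn(e, addr)]


def disabled_uac_values(extra_flags):
    """Every userAccountControl value a disabled normal user could carry, given the
    optional flags in use: the list a server without bitwise matching has to enumerate."""
    values = set()
    flags = list(extra_flags)
    for n in range(len(flags) + 1):
        for combo in combinations(flags, n):
            v = NORMAL_ACCOUNT | ACCOUNTDISABLE
            for f in combo:
                v |= f
            values.add(v)
    return sorted(values)


def enumerated_filter(extra_flags):
    """Build the workaround clause (!(|(userAccountControl=514)(userAccountControl=66050)...)).
    It grows as 2**len(extra_flags) terms and silently misses any flag not listed."""
    terms = "".join(f"(userAccountControl={v})" for v in disabled_uac_values(extra_flags))
    return f"(!(|{terms}))"


if __name__ == "__main__":
    for fn in (naive_filter, bitwise_filter):
        print(fn.__name__, "carol ->", lookup(fn, "carol@example.com"))
    print(enumerated_filter([PASSWD_NOTREQD, DONT_EXPIRE_PASSWORD, PASSWORD_EXPIRED]))
```

Running it shows the failure mode jtw_ironport describes: `naive_filter` still returns carol's DN because her value is 66050 rather than 514, while the bitwise check rejects her. The enumerated workaround only stays correct if every optional flag your domain actually sets is in the list, which is why a bitwise rule, or the OU-level ACL from the original post, is the safer choice.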