TIP: How to LDAP deny disabled AD accounts

mgraci_ironport
Level 1

Ironport LDAP queries will successfully look up SMTP addresses of disabled AD accounts. For companies that disable accounts instead of deleting them, this can cause a lot of junk mail to accumulate in the account's associated mailbox.

We currently move all disabled AD accounts to a DisabledAccounts OU.

By denying the AD user account used for lookups all rights to that specific OU and its child objects, the Ironport now fails on lookups to that OU.

-Matt

9 Replies

kluu_ironport
Level 2

Why not keep those "disabled" users in that OU and then create a custom incoming mail policy that matches incoming mail to the recipients that are members of that OU?

Then, you can create a content filter that simply drops that mail for that custom policy only.

steven_geerts
Level 1

Hi,

I'm not an AD expert, but I can imagine that the fact of whether a user is disabled or not is just a simple attribute that is set to a certain value (or not set).

Try to find the correct value with the (terrible) MS tool LDP and extend your LDAP filter with it.

Beware: from what I know of the Exchange 5.5 "hide from address book" attribute, MS permits itself to have three possible situations for an attribute that can have only two values (the attribute does not exist (false), the attribute has a value of "1" (true), or the attribute has a value of "0" (false)). I'm not sure if they have improved this within AD.

Regards, Steven

The AD attribute is userAccountControl and is bitmapped...

You have to AND its value with 0x2 and if the result is zero, the account is enabled.

http://support.microsoft.com/kb/305144

borism.teched
Level 1

Hi,

Does anyone know a working LDAP query? I'm testing a few of them, but nothing has worked yet.

Regards,
Boris

jtw_ironport
Level 1

I'm trying to get the same thing working with no luck so far. It looks like the ldap engine on the appliance might not support those features of query strings, namely the ldap matching rules (!UserAccountControl:1.2.840.113556.1.4.803:=2), and, curiously, also the logical not operator ("!") which generates a syntax error.

I opened up a support case seeking guidance.

borism.teched
Level 1

Hi,

This is one of the options:

(&(|(mail={a})(proxyAddresses=smtp:{a}))(userAccountControl=512))
but I'm not happy with that solution.

jtw_ironport
Level 1

I wouldn't be either. Using that construct you'd have to identify every valid value for userAccountControl and keep all of them in your query string.

steven_geerts
Level 1

Well... if I read the quoted MS article, the value for a disabled user is 514:

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.

The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
This means that you must ask your LDAP filter to accept any value other than 514 (or "must not be 514").

It might contain an error, I did not test it, but I think the LDAP filter

(& (|(mail={a}) (proxyAddresses=smtp:{a}) ) (!(userAccountControl=514)))
would do the job... (At least my LDAP filter editor does not complain about syntax errors.)

Steven

jtw_ironport
Level 1

The issue is that the value of '2' can be added onto different account states. 514 is not the only value that a disabled user can have, so you have to identify all possible values of UserAccountControl that contain that bit. It'd be a lot easier (and better) if the IronPort appliances just supported LDAP bitwise matching rules (they don't, at least according to Support).
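As an added illustration of the two points made in this thread (AND the value with 0x2 per the KB article, versus testing equality against 514), the following Python evaluates a constructed set of directory entries the way each filter style would. It is example code written for this page, not code from the thread, from Cisco, or from Microsoft; the mail addresses, the userAccountControl values and the entry list are all constructed, and `ACCOUNTDISABLE`, `NORMAL_ACCOUNT`, `DONT_EXPIRE_PASSWD` and `PASSWORD_EXPIRED` are the flag values from the KB article's table, named here for readability.

```python
# Added example: how an equality filter on userAccountControl=514 differs
# from a bitwise test on the 0x2 (ACCOUNTDISABLE) bit. Constructed data only.

# Flag values from the KB article (hex in Ldp.exe, decimal in Adsiedit.msc).
ACCOUNTDISABLE = 0x0002        # bit that marks a disabled account
NORMAL_ACCOUNT = 0x0200        # 512: ordinary user account
DONT_EXPIRE_PASSWD = 0x10000   # 65536: password never expires
PASSWORD_EXPIRED = 0x800000    # 8388608: password has expired

# OID of the LDAP bitwise-AND matching rule mentioned in the thread.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample directory (not real accounts).
SAMPLE_ENTRIES = [
    {"mail": "alice@example.com", "userAccountControl": NORMAL_ACCOUNT},                        # 512, enabled
    {"mail": "bob@example.com",   "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},       # 514, disabled
    {"mail": "carol@example.com", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWD},  # 66050, disabled
    {"mail": "dave@example.com",  "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},   # 66048, enabled
    {"mail": "erin@example.com",  "userAccountControl": NORMAL_ACCOUNT | PASSWORD_EXPIRED},     # 8389120, enabled
]


def is_disabled(uac: int) -> bool:
    """The KB article's rule: AND the value with 0x2; nonzero means disabled."""
    return (uac & ACCOUNTDISABLE) != 0


def equality_filter_accepts(entry: dict) -> bool:
    """Semantics of (!(userAccountControl=514)): rejects only the exact value 514."""
    return entry["userAccountControl"] != (NORMAL_ACCOUNT | ACCOUNTDISABLE)


def bitwise_filter_accepts(entry: dict) -> bool:
    """Semantics of (!(userAccountControl:1.2.840.113556.1.4.803:=2)):
    rejects any entry whose ACCOUNTDISABLE bit is set, whatever else is set."""
    return not is_disabled(entry["userAccountControl"])


def accepted_recipients(entries, accepts) -> list:
    """Addresses an appliance would treat as valid under the given filter semantics."""
    return sorted(e["mail"] for e in entries if accepts(e))


def disabled_missed_by_equality(entries) -> list:
    """Disabled accounts the equality filter still lets through (the thread's objection)."""
    return sorted(
        e["mail"] for e in entries
        if equality_filter_accepts(e) and is_disabled(e["userAccountControl"])
    )


def build_recipient_filter(bitwise: bool) -> str:
    """The recipient filter string in each style, with {a} as the appliance placeholder."""
    if bitwise:
        disabled_test = f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})"
    else:
        disabled_test = f"(userAccountControl={NORMAL_ACCOUNT | ACCOUNTDISABLE})"
    return f"(&(|(mail={{a}})(proxyAddresses=smtp:{{a}}))(!{disabled_test}))"


if __name__ == "__main__":
    print("equality filter accepts:", accepted_recipients(SAMPLE_ENTRIES, equality_filter_accepts))
    print("bitwise filter accepts: ", accepted_recipients(SAMPLE_ENTRIES, bitwise_filter_accepts))
    print("disabled but accepted by equality:", disabled_missed_by_equality(SAMPLE_ENTRIES))
    print(build_recipient_filter(bitwise=False))
    print(build_recipient_filter(bitwise=True))
```

Running it shows carol (514 plus the "password never expires" flag) slipping through the equality filter while the bitwise test rejects both bob and carol; that is exactly why enumerating every disabled combination is fragile on an engine without the matching rule, and why the OU-permission approach in the original post sidesteps the attribute entirely.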
