Cisco Support Community
New Member

TIP: How to LDAP deny disabled AD accounts

IronPort LDAP queries will successfully look up SMTP addresses of disabled AD accounts. For companies that disable accounts instead of deleting them, this can cause a lot of junk mail to accumulate in the account's associated mailbox.

We currently move all disabled AD accounts to a DisabledAccounts OU.

By denying the AD user account used for lookups all rights to that specific OU and its child objects, the IronPort now fails on lookups to that OU.

-Matt

9 REPLIES
New Member

Re: TIP: How to LDAP deny disabled AD accounts

Why not keep those "disabled" users in that OU and then create a custom incoming mail policy that matches incoming mail to the recipients that are members of that OU?

Then, you can create a content filter that simply drops that mail for that custom policy only.

New Member

Re: TIP: How to LDAP deny disabled AD accounts

Hi,

I'm not an AD expert, but I can imagine that whether a user is disabled or not is just a simple attribute that is set to a certain value (or not set).

Try to find the correct value with the (terrible) MS tool LDP and extend your LDAP filter with it.

Beware: from what I know of the Exchange 5.5 "hide from address book" attribute, MS permits itself to have three possible situations for an attribute that can have only two values (the attribute does not exist (false), the attribute has a value of "1" (true), or the attribute has a value of "0" (false)). I'm not sure if they have improved this within AD.

Regards, Steven

Re: TIP: How to LDAP deny disabled AD accounts

The AD attribute is userAccountControl and is bitmapped...

You have to AND its value with 0x2 and if the result is zero, the account is enabled.

http://support.microsoft.com/kb/305144

New Member

Re: TIP: How to LDAP deny disabled AD accounts

Hi,

Does anyone know a working LDAP query? I'm testing a few of them, but nothing has worked yet.

Regards,
Boris

New Member

Re: TIP: How to LDAP deny disabled AD accounts

I'm trying to get the same thing working with no luck so far. It looks like the ldap engine on the appliance might not support those features of query strings, namely the ldap matching rules (!UserAccountControl:1.2.840.113556.1.4.803:=2), and, curiously, also the logical not operator ("!") which generates a syntax error.

I opened up a support case seeking guidance.

New Member

Re: TIP: How to LDAP deny disabled AD accounts

Hi,

This is one of the options:

(&(|(mail={a})(proxyAddresses=smtp:{a}))(userAccountControl=512))


but I'm not happy with that solution.

New Member

Re: TIP: How to LDAP deny disabled AD accounts

I wouldn't be either. Using that construct you'd have to identify every valid value for userAccountControl and keep all of them in your query string.

New Member

Re: TIP: How to LDAP deny disabled AD accounts

Well... if I read the quoted MS article, the value for a disabled user is 514.

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.

The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).


This means that you must ask your LDAP filter to accept any value other than 514. (Or "must not be 514")

It might contain an error, as I did not test it, but I think the LDAP filter

(& (|(mail={a}) (proxyAddresses=smtp:{a}) ) (!(userAccountControl=514)))

would do the job... (At least my LDAP filter editor does not complain about syntax errors.)


Steven

New Member

Re: TIP: How to LDAP deny disabled AD accounts

The issue is that value of '2' can be added onto different account states. 514 is not the only value that a disabled user can have, so you have to identify all possible values of UserAccountControl that contain that value. It'd be a lot easier (and better) if the IronPort appliances just supported ldap bitwise matching rules (they don't, at least according to Support).
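To make the point in the last two replies concrete, here is an added example (not code from the thread or from Cisco/IronPort): it tests the ACCOUNTDISABLE bit the way the KB article describes (AND with 0x2) and then emulates, over constructed sample directory entries, what each of the three filter shapes posted above would match: (userAccountControl=512), (!(userAccountControl=514)), and the bitwise matching-rule form. The user entries, addresses and the accepts() evaluator are assumptions made for the illustration; a real directory server evaluates the filter itself, and the thread notes the appliance does not support the matching rule or "!" at all. The RFC 4515 escaping of the address substituted into the {a} slot is included because an unescaped recipient address is attacker-controlled input to the filter.

```python
"""
Added example, not code from the thread: check the ACCOUNTDISABLE bit in
userAccountControl and compare the three LDAP filter shapes discussed above
against constructed (hypothetical) directory entries.
"""

# Flag values from Microsoft KB 305144, which the thread cites.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample entries (hypothetical users, not from the thread).
SAMPLE_ENTRIES = [
    {"cn": "alice", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com"],
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT},                              # 512, enabled
    {"cn": "bob", "mail": "bob@example.com",
     "proxyAddresses": ["SMTP:bob@example.com"],
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE},      # 514, disabled
    {"cn": "carol", "mail": "carol@example.com",
     "proxyAddresses": ["SMTP:carol@example.com", "smtp:c.smith@example.com"],
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD},  # 66048, enabled
    {"cn": "dave", "mail": "dave@example.com",
     "proxyAddresses": ["SMTP:dave@example.com"],
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD
                           | ADS_UF_ACCOUNTDISABLE},                            # 66050, disabled
]


def is_disabled(uac: int) -> bool:
    """AND the value with 0x2: a non-zero result means the account is disabled."""
    return (uac & ADS_UF_ACCOUNTDISABLE) != 0


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter (the {a} slot)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(style: str, address: str) -> str:
    """Return the filter string for one of the three shapes posted in the thread."""
    a = escape_filter_value(address)
    addr = "(|(mail=%s)(proxyAddresses=smtp:%s))" % (a, a)
    if style == "equals_512":
        return "(&%s(userAccountControl=512))" % addr
    if style == "not_514":
        return "(&%s(!(userAccountControl=514)))" % addr
    if style == "bit_and":
        return "(&%s(!(userAccountControl:%s:=%d)))" % (
            addr, LDAP_MATCHING_RULE_BIT_AND, ADS_UF_ACCOUNTDISABLE)
    raise ValueError("unknown filter style: %s" % style)


def _address_matches(entry: dict, address: str) -> bool:
    # proxyAddresses prefixes are compared case-insensitively ("SMTP:" marks the primary).
    if entry["mail"].lower() == address.lower():
        return True
    return any(p.lower() == "smtp:" + address.lower() for p in entry["proxyAddresses"])


def accepts(style: str, entry: dict, address: str) -> bool:
    """Emulate (assumption) what a directory server returns for each filter shape."""
    if not _address_matches(entry, address):
        return False
    uac = entry["userAccountControl"]
    if style == "equals_512":
        return uac == 512                 # rejects any enabled account with extra flags
    if style == "not_514":
        return uac != 514                 # accepts disabled accounts with extra flags
    if style == "bit_and":
        return not is_disabled(uac)       # the only shape that tracks the bit itself
    raise ValueError("unknown filter style: %s" % style)


def accepted_users(style: str, entries=SAMPLE_ENTRIES) -> list:
    """Names of the sample users each filter shape would accept mail for."""
    return [e["cn"] for e in entries if accepts(style, e, e["mail"])]


if __name__ == "__main__":
    for style in ("equals_512", "not_514", "bit_and"):
        print(style, build_filter(style, "alice@example.com"), accepted_users(style))
```

Run as a script it shows the trade-off the thread describes: the equality form bounces carol (enabled, but 66048 rather than 512), the "not 514" form keeps accepting mail for dave (disabled, 66050), and only the bitwise form gets all four right. The emulation assumes every entry carries userAccountControl; on a real server an entry without the attribute makes the "!" clause undefined and the entry is not returned.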
