Cisco Support Community
New Member

ironport ldap accept-query for disabled Active Directory Accounts

I have a C170 Ironport running version 8.0.1-023

My existing LDAP query "(|(mail={a})(proxyAddresses=smtp:{a}))" works like a charm. I've attempted to change the query so that it can detect if the AD account is disabled. I've used this query as suggested from another website (see below): "(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" and the test feature fails every time.


Interestingly, I've also tested this query using dsquery from the domain controller, and that works fine.


Any ideas on how to get this feature working on the Ironport? I'd love to bounce all emails for disabled accounts.

This is the site that had the suggested query:


Any help is appreciated.

New Member

Did you find a solution to this? I saw another post from 2008 that says to use 514 instead of 2.

New Member

No, I remember at the time, that I tried all of those, but the query was never accepted. My solution was to do it at the Exchange server. If an account is located in "Disabled" OU, then the email is bounced to the originator.

There have been several updates to the ironport software, so it might work now, but my solution is working for my needs, and I don't have time to dig into it now.

New Member

After searching and testing for a couple of hours I got it. The syntax that works for a user that only has disabled checked is "(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl=514)))". I then expanded it to include users that are disabled and have the password never expires checked, and that syntax is "(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl=514))(!(userAccountControl=66050)))".

These values are based on adding the decimal values from AD.
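As an added example (not code from the thread, from Cisco, or from the IronPort itself), the following Python models both filter styles discussed above against a small constructed directory: the bitwise form from the first post, which uses the LDAP_MATCHING_RULE_BIT_AND rule OID 1.2.840.113556.1.4.803 to test the ACCOUNTDISABLE bit, and the equality form from the last post, which rejects the exact decimal values 514 and 66050. The userAccountControl bit values are the ones Microsoft documents for the attribute; the sample entries, addresses and the `lookup` helper are assumptions made for the illustration.

```python
"""Constructed model of the two accept-query filters from the thread.
Not the appliance's LDAP engine: it only evaluates the filter logic in Python."""

# userAccountControl bit values as documented by Microsoft for Active Directory.
UF_ACCOUNTDISABLE = 0x0002        # 2
UF_NORMAL_ACCOUNT = 0x0200        # 512
UF_DONT_EXPIRE_PASSWD = 0x10000   # 65536
UF_PASSWORD_EXPIRED = 0x800000    # 8388608

# Constructed sample directory (hypothetical entries, not real accounts).
SAMPLE_DIRECTORY = [
    {"mail": "alice@example.com", "proxyAddresses": ["SMTP:alice@example.com"],
     "userAccountControl": UF_NORMAL_ACCOUNT},                                   # 512: enabled
    {"mail": "bob@example.com", "proxyAddresses": ["smtp:bob@example.com", "smtp:robert@example.com"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},               # 514: disabled
    {"mail": "carol@example.com", "proxyAddresses": [],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD},  # 66050
    {"mail": "dave@example.com", "proxyAddresses": ["smtp:dave@example.com"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWORD_EXPIRED},    # 8389122
]


def address_matches(entry, addr):
    """(|(mail={a})(proxyAddresses=smtp:{a})) with AD's case-insensitive matching."""
    a = addr.lower()
    if (entry.get("mail") or "").lower() == a:
        return True
    return any(p.lower() == "smtp:" + a for p in entry.get("proxyAddresses", []))


def bitwise_and_match(value, mask):
    """Semantics of 1.2.840.113556.1.4.803: true when every bit of mask is set in value."""
    return value & mask == mask


def accept_bitmask(entry, addr):
    """First post's filter: (&(<address>)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return address_matches(entry, addr) and not bitwise_and_match(
        entry["userAccountControl"], UF_ACCOUNTDISABLE)


def accept_equality(entry, addr):
    """Last post's filter: (&(<address>)(!(userAccountControl=514))(!(userAccountControl=66050)))"""
    uac = entry["userAccountControl"]
    return address_matches(entry, addr) and uac != 514 and uac != 66050


def decode_uac(value):
    """Name the flags set in a userAccountControl value (only the four bits modelled here)."""
    names = {UF_ACCOUNTDISABLE: "ACCOUNTDISABLE", UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
             UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD", UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED"}
    return [name for bit, name in sorted(names.items()) if value & bit]


def lookup(addr, directory=SAMPLE_DIRECTORY):
    """Return (accepted_by_equality, accepted_by_bitmask) for an address, or None
    when no entry matches (an accept query with no result rejects the recipient)."""
    for entry in directory:
        if address_matches(entry, addr):
            return accept_equality(entry, addr), accept_bitmask(entry, addr)
    return None


if __name__ == "__main__":
    for addr in ["alice@example.com", "robert@example.com", "carol@example.com",
                 "dave@example.com", "nobody@example.com"]:
        print(addr, lookup(addr))
```

The constructed "dave" entry shows the difference between the two styles: the equality filter only rejects the two exact values it names, so a disabled account that also carries any other flag (here PASSWORD_EXPIRED) is still accepted, whereas the bitwise rule rejects every account with the ACCOUNTDISABLE bit set regardless of the other bits. The decoding helper also confirms the arithmetic in the last post: 512 + 2 + 65536 = 66050.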
