The reason it does not work is that userAccountControl never has the value "disabled".
It's a bitmap field, so you need to use a bitmask.
You can't use a bitmask in a group mapping field, though, only in a filter.
Look at the user in something which gives you the REAL information like LDAP Browser and you'll see what information you can use.
Great information, Simon. I looked in the browser and found the userAccountControl for disabled users was set to '514' as a text attribute. I changed the attribute value in the mapping to 514 and voila! It works. Thanks so much for the help.
514 won't be the only value which means a disabled user though - read the Microsoft article, it's a certain bit which changes, so there are a whole bunch of possible values which indicate the user is disabled.
Thanks. I'll look at the article. From what I can see though, it appears to be fairly complete. With over 6700 users, I won't be checking every one, but I've spot checked quite a few and haven't found any issues yet.
So after looking at the article, it seems that most (if not all) of the other bits are related to accounts I wouldn't be interested in anyway. They are computer accounts, service accounts, and other configurations not associated with a typical user. Again, thanks for pointing me in the right direction. I'll continue to look for values other than 512 or 514 so I don't get bitten.
Yup, you are probably safe, but in your big red project book you might want to make a note for future readers that what you did here is working out of convenience, rather than design.
Of course, you can add the filter to the object search if you like, then the connector will completely disregard disabled users.
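An added example, not part of the thread above: it decodes userAccountControl as the bit field the replies describe and shows which disabled accounts a literal match on "514" would let through. The flag names and the bitwise-AND matching rule OID are the ones Microsoft documents for Active Directory; the sample values and helper names are constructed for illustration.

```python
# Subset of the userAccountControl flag bits documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002

# Active Directory's bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_OID = "1.2.840.113556.1.4.803"
DISABLED_FILTER = f"(userAccountControl:{BIT_AND_OID}:={ACCOUNTDISABLE})"
# Object search filter that skips disabled users, whatever other bits are set.
ENABLED_USERS_FILTER = f"(&(objectClass=user)(!{DISABLED_FILTER}))"


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    value = int(value)  # the directory hands it back as a decimal string
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value):
    """True when the ACCOUNTDISABLE bit is set, regardless of the other bits."""
    return bool(int(value) & ACCOUNTDISABLE)


def missed_by_exact_match(values, literal="514"):
    """Disabled values that a string comparison against `literal` would miss."""
    return [v for v in values if is_disabled(v) and str(v) != literal]


# Constructed sample values, as they would appear in an LDAP browser.
SAMPLE = ["512", "514", "546", "66048", "66050", "4098", "262658"]

if __name__ == "__main__":
    for v in SAMPLE:
        state = "disabled" if is_disabled(v) else "enabled"
        print(f"{v:>7}  {state:<8}  {', '.join(decode_uac(v))}")
    print("missed by exact match on 514:", missed_by_exact_match(SAMPLE))
    print("filter for the object search:", ENABLED_USERS_FILTER)
```

Running it over an export of real userAccountControl values gives a quick count of how many disabled accounts fall outside the 514 mapping.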