
Authentication - Windows AD - Stop Disabled Users From Coming In

omacoder
Active Contributor
0 Kudos

Hi gurus, any assistance on how to prevent disabled Windows AD users from coming in through the CMC \ Authentication \ Windows AD sync process?

Accepted Solutions (1)


BasicTek
Active Contributor
0 Kudos

The group mapping in the AD plugin is designed to key in on existing objects, not the state of the existing objects. AD users that are disabled will not be able to log in to BI, but they will be mapped in unless they are removed from all the groups that are mapped into BI.

The BI plugin can be set to map in users manually, in the CMC > authentication > windows AD > options, but most do not use this option and it still wouldn't remove any users because they were disabled.

The only way to remove users is by removing them from the mapped AD groups and updating the AD plugin (manually or by scheduling user alias updates).

-Tim

Answers (1)


bernhard_keimel
Active Participant
0 Kudos

We found out that in WinAD there is an attribute named "userAccountControl" describing the state of the account. We then added this as a named attribute in CMC so that this attribute displays on the user's properties page. This allows us to see in the CMC if a user account got disabled in WinAD. We then set up processes to remove the users from the mapped WinAD groups, as they would still remain in publication recipient groups where the publications then cannot be delivered as a result of the disabled state in WinAD.
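
As an added example (not code from either poster or from the BI platform), the sketch below decodes `userAccountControl` values such as the ones surfaced in the CMC and lists which mapped groups each disabled account still belongs to, which is the cleanup both answers describe. The group DNs, user records and function names are constructed for illustration; the input is assumed to be a directory export carrying `sAMAccountName`, `userAccountControl` and `memberOf`.

```python
# Added example: group DNs and user records are constructed sample data.
# Bit values are the documented Active Directory userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    value = int(value)  # exports usually carry the number as a string
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def is_disabled(value):
    """True when the ACCOUNTDISABLE bit (0x2) is set."""
    return bool(int(value) & 0x0002)

def removal_plan(users, mapped_groups):
    """Map each disabled user to the mapped groups it is still a direct member of."""
    mapped = {dn.lower(): dn for dn in mapped_groups}  # DNs compare case-insensitively
    plan = {}
    for user in users:
        if not is_disabled(user["userAccountControl"]):
            continue
        # memberOf holds direct memberships only: nested groups and the
        # primary group are not listed and need a separate check.
        hits = [mapped[g.lower()] for g in user.get("memberOf", []) if g.lower() in mapped]
        if hits:
            plan[user["sAMAccountName"]] = hits
    return plan

# Hypothetical groups mapped under CMC > Authentication > Windows AD.
MAPPED_GROUPS = [
    "CN=BI-Viewers,OU=Groups,DC=example,DC=com",
    "CN=BI-Designers,OU=Groups,DC=example,DC=com",
]
SAMPLE_USERS = [  # constructed export records
    {"sAMAccountName": "alice", "userAccountControl": "512",
     "memberOf": ["CN=BI-Viewers,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bob", "userAccountControl": "514",
     "memberOf": ["cn=bi-viewers,ou=groups,dc=example,dc=com",
                  "CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "carol", "userAccountControl": "66050",
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
]

if __name__ == "__main__":
    for name, groups in removal_plan(SAMPLE_USERS, MAPPED_GROUPS).items():
        print(name, decode_uac(514), "->", groups)
```

After the listed memberships are removed in AD, the AD plugin still has to be updated (manually or by the scheduled alias update) before the accounts disappear from BI.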