Local AD sync filter out disabled accounts

I am attempting to control the AD sync on two different domains.
How do I filter out the disabled accounts on the domains?
There are users with the same names on both domains; is it possible to have the unique identifier be the BPS ID as opposed to the Name, so that users with the same name can be synced as 2 different accounts?

Hi,
To filter out disabled accounts this LDAP filter should do the trick:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))

You can provide additional filters in the BPS users synchronization configuration, in the Advanced tab.
Also, some references related to the above filter:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/4e638665-f466-4597-93c4-12f2ebfabab5?redirectedfrom=MSDN
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

As for the second question, I think that users will be synchronized as separate accounts, since the BPS ID includes the domain name.

In reply to: Ajnar

Thanks, shall follow up on the LDAP filter

For the second, I had assumed the same, but that is not the case:

Distinguished names for duplicated BPS ID: hq.test@abc.com
- CN=HQ Test User,OU=Head Office,DC=abc,DC=com
- CN=HQ Test User,OU=Test,DC=abc,DC=int

Distinguished names for duplicated BPS ID: admin.test@abc.com
- CN=Admin test User,OU=0365 sync,DC=abc,DC=int
- CN=Admin test User,OU=OUTEST,DC=abc,DC=com

For each BPS ID, only the user with first listed distinguished name will be synchronized.

As an update and conclusion,
Of my two domains, the new domain maintained the user logon name @suffix as the same identity, tying the 2 domains together.
This turns out to be great for the migration, as the assignment of instances is maintained whichever domain account the user logs in with.
The user sync recognizes and stops duplicates:
"Distinguished names for duplicated BPS ID. For each BPS ID, only the user with first listed distinguished name will be synchronized."

The filter trick on disabled users works just fine: (!(userAccountControl:1.2.840.113556.1.4.803:=2))

In the end, to manage the migration, users were created on both domains; the user logon name was maintained as the BPS identity suffix, whereas the pre-Windows logon name identified each domain.
By disabling the users for whom the migration was completed, the Webcon sync also filtered them out and had a mirror of the AD config.

It would have been nice to be able to filter out a specific OU such as 'Deactivated Users' as opposed to having to disable them.
I attempted the below syntax with no success:

(!(OU=abc.com/ABC Users/Deactivated Accounts))
or
(&(objectClass=user)(!(ou=Deactivated Accounts,ou=ABC Users,dc=abc,dc=com)))

Thanks @Kruger
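
The bit-AND filter from the reply above and the two OU filters tried at the end of the thread, evaluated offline in Python against a few constructed directory entries. This is an added example, not code from the thread or from WEBCON BPS: the sample entries are made up, the parser covers only the filter subset used here, and `exclude_under_ou` is a hypothetical client-side post-filter that shows what an OU exclusion has to test (the entry's position in the tree, recorded in its DN), not a step the BPS sync is known to offer. An LDAP filter compares attribute values, so an `ou=` clause only matches an entry whose own `ou` attribute holds that value; none of the constructed users has one, which is why the negated clause in both attempts selects every entry.

```python
import re

# OID of LDAP_MATCHING_RULE_BIT_AND, the extensible match used in the thread's filter
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Filters quoted in the thread
DISABLED_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
OU_ATTEMPT_1 = "(!(OU=abc.com/ABC Users/Deactivated Accounts))"
OU_ATTEMPT_2 = "(&(objectClass=user)(!(ou=Deactivated Accounts,ou=ABC Users,dc=abc,dc=com)))"

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample entries (not real directory data). userAccountControl values:
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD, 66050 = the same plus ACCOUNTDISABLE.
SAMPLE_ENTRIES = [
    {"distinguishedName": "CN=HQ Test User,OU=Head Office,DC=abc,DC=com",
     "objectClass": USER_CLASSES, "userAccountControl": 512},
    {"distinguishedName": "CN=Old User,OU=Deactivated Accounts,OU=ABC Users,DC=abc,DC=com",
     "objectClass": USER_CLASSES, "userAccountControl": 514},
    {"distinguishedName": "CN=Svc Account,OU=Test,DC=abc,DC=int",
     "objectClass": USER_CLASSES, "userAccountControl": 66048},
    {"distinguishedName": "CN=Gone User,OU=Test,DC=abc,DC=int",
     "objectClass": USER_CLASSES, "userAccountControl": 66050},
]

EXT_ITEM = re.compile(r"([A-Za-z][\w-]*):([\d.]+):=(.*)")


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, equality, and attr:oid:=value."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        end = text.index(")", i)  # the values used here contain no escaped ')'
        item = text[i:end]
        m = EXT_ITEM.fullmatch(item)
        if m:
            return ("ext", m.group(1), m.group(2), m.group(3)), end + 1
        attr, _, value = item.partition("=")
        return ("eq", attr, value), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry, attr):
    """Case-insensitive attribute lookup; an absent attribute yields no values."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry (a dict of attribute -> value(s))."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "ext":
        _, attr, rule, value = node
        if rule != BIT_AND_RULE:
            raise NotImplementedError(f"matching rule {rule} not supported")
        mask = int(value)
        # bit-AND rule: true when every bit of the mask is set in the attribute value
        return any(int(v) & mask == mask for v in _values(entry, attr))
    _, attr, value = node
    return any(str(v).lower() == value.lower() for v in _values(entry, attr))


def apply_filter(filter_text, entries):
    """Return the DNs of the entries the filter selects."""
    node = parse_filter(filter_text)
    return [e["distinguishedName"] for e in entries if matches(node, e)]


def exclude_under_ou(entries, ou_dn):
    """Hypothetical client-side post-filter: drop entries located under ou_dn.
    A plain suffix test on the DN string; it ignores DN escaping and spacing variants."""
    suffix = "," + ou_dn.lower()
    return [e for e in entries if not e["distinguishedName"].lower().endswith(suffix)]


if __name__ == "__main__":
    print("enabled only:", apply_filter(DISABLED_FILTER, SAMPLE_ENTRIES))
    for attempt in (OU_ATTEMPT_1, OU_ATTEMPT_2):
        # no sample entry carries an 'ou' attribute, so the negated clause matches all of them
        print(len(apply_filter(attempt, SAMPLE_ENTRIES)), "of", len(SAMPLE_ENTRIES), "selected by", attempt)
    kept = exclude_under_ou(SAMPLE_ENTRIES, "OU=Deactivated Accounts,OU=ABC Users,DC=abc,DC=com")
    print("outside the deactivated OU:", [e["distinguishedName"] for e in kept])
```

Running the block keeps only the two entries without bit 0x2 set, selects all four entries for both OU attempts, and shows the DN-based post-filter dropping the one account that sits under the deactivated OU.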