12 Replies Latest reply on May 4, 2017 7:52 AM by Mike90

    How to disable users via LDAP sync setup.

    Apprentice

We are using Heat 2016.1.1 and we have begun using LDAP sync to pull in our employees from AD.  We have set the option within the LDAP sync setup to “Disable HEAT users who have been disabled AD”.  The LDAP field that we have set in this section is “useraccountcontrol”.  This setting asks for a “Value” to determine whether or not the user is disabled in AD.  The value that we see in AD when an account is disabled is a hex number (0x202).  If I’m doing my conversion correctly, this hex number converts to 514 in decimal.  My question is, what number should I use in the LDAP settings?  Is it looking for the decimal equivalent of 0x202 or is it looking for the actual hex number that we see in AD?

        • 1. Re: How to disable users via LDAP sync setup.
          AlasdairRobertson ITSMMVPGroup

          By default the value is 2 unless someone has changed the AD configuration.

          Here is the Microsoft stuff on it:

          Property flag      Value in hexadecimal    Value in decimal
          ACCOUNTDISABLE     0x0002                  2

          https://support.microsoft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-prope…

          • 2. Re: How to disable users via LDAP sync setup.
            Apprentice

            In AD for us, I see “0x202” set for disabled accounts.  And this translates to a 514 decimal value.  I looked at the link that you provided and in one of the paragraphs above the table it says the following:  “To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).”  However in the table, it shows 0x0002 which is a decimal value of 2.  Any idea why they show both?

             

            And what exactly happens in Heat when it sees one of these disabled accounts in AD?  How are they “disabled” in Heat?

            • 3. Re: How to disable users via LDAP sync setup.
              AlasdairRobertson ITSMMVPGroup

              The field in AD I understand to actually be a bitmask field, so the values sort of add up.  Therefore 514 actually is a different status.  If this is used in your system as disabled accounts you can set HEAT to use that field.

              Within HEAT all it does is set the account to Disabled so users cannot log in to the system.

               

              1 of 1 people found this helpful
              • 4. Re: How to disable users via LDAP sync setup.
                Apprentice

                Ok, very helpful, thank you.

                • 5. Re: How to disable users via LDAP sync setup.
                  wynnb Apprentice

                  I've struggled with this same question - I have it set up as Alasdair said, but the accounts do not switch to disabled in HEAT. I think I know why: my LDAP sync is filtered to look only for active AD accounts (userAccountControl = 512), so I believe it is never seeing the disabled accounts. My question is: how are you setting your filter? In our case, I need to avoid test and service accounts, so we used: (&(objectClass=person)(mail=*)(userAccountControl=512)).

                   

                  Bryan

                  • 6. Re: How to disable users via LDAP sync setup.
                    Apprentice

                    Yes, we had a similar problem initially.  In order to avoid bringing in test and service accounts, we found a field in AD (the phone number field) that we knew would only be populated for legitimate user accounts and we made that a required field in our filter for the LDAP sync.  Unfortunately though, we discovered that our Account Team was blanking out this phone number field when they disabled an account (for legitimate reasons that I won’t get into) so our LDAP sync was ignoring the accounts after they were disabled in AD… and therefore, was not disabling them in Heat.  Fortunately, we were able to work out a new process with our Account Team where, instead of blanking out that field, they would just put in a generic value of 9999… and this resolved our problem.  Our LDAP sync is no longer ignoring accounts in AD after they are disabled and it is now successfully disabling those accounts in Heat.

                     

                    So, I’d recommend looking in your own environment for a field in AD that you can depend on to only get populated for legitimate user accounts.  And if you don’t already have one, create a new process with your Account Team that all parties can agree to.

                     

                    I just wish there were additional options in Heat though when it comes to “disabling” an employee account.  As Alasdair mentions above, currently it only prevents them from being able to log into the system.  That doesn’t really help us.  We don’t use Self Service and out of our 5,000 employees, there are only 150 of them (IT folks) who have Heat access to begin with.  What would be nice is if it would tag these accounts in some way so that they no longer show up in the list that you see when you initiate a new incident for someone.  Think about it, in a few years, I’m going to have 100 “Smiths” that I’m going to have to scroll through whenever I attempt to log a new incident for a current employee named Smith.

                     

                    We currently have a custom external process in our Heat Classic environment that puts a “ZZ-” (ex. ZZ-Smith) in front of the names of employees once they are disabled in AD.  We are looking to create a similar custom process in our new Heat environment.

                    • 7. Re: How to disable users via LDAP sync setup.
                      wynnb Apprentice

                      Yep, that's why we have the "mail=*" entry in the filter - our test/service accounts do not have an email address. I'll try removing the filter on userAccountControl in Dev and see how that works.

                       

                      Thanks-

                      • 8. Re: How to disable users via LDAP sync setup.
                        Apprentice

                        Yes, it should work for you once you remove the userAccountControl entry from the filter.  We don't have that set in our filter and we've had no issues.

                        • 9. Re: How to disable users via LDAP sync setup.
                          daveb1 Apprentice

                          Hi George,

                           

                          If you don't want to see the disabled users in your customer pick list in incident, there is a discussion thread about it: https://community.heatsoftware.com/message/1743 .  According to it, if you are on 2016.X you can change the customer picker control on the form, which allows for filtering; otherwise you will need to add a field, a business rule, and modify a relationship.

                           

                          David

                          • 10. Re: How to disable users via LDAP sync setup.
                            Mike90 Apprentice

                            In anyone's experience, does the value field allow OR statements?  We have multiple possible values for disabled users in our environment.

                            • 11. Re: How to disable users via LDAP sync setup.
                              AlasdairRobertson ITSMMVPGroup

                              No, it is just a text box.  You could pull the actual value into a field within HEAT if you wanted to, and there are bitwise operators, so you could write a business rule that triggers on update to set the disabled flag based upon the bitwise calculation.

                               

                              Online Help - Bitwise Operators 

                              1 of 1 people found this helpful
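                              A worked example of the bitmask point made in replies 3, 5 and 11, added here and not code from the thread or from HEAT: it parses userAccountControl the way AD tools show it ("0x202") and the way LDAP returns it ("514"), then contrasts the equality filter (userAccountControl=512) from reply 5 with a bitwise test on the ACCOUNTDISABLE bit.  The sample accounts are constructed; the filter syntax shown in the comment is AD's bitwise-AND matching rule, not a HEAT business rule.

```python
# Added example (not from the thread or HEAT): evaluating the AD
# userAccountControl bitmask the way a sync filter or business rule should.
ACCOUNTDISABLE = 0x0002          # from the Microsoft flag table linked above
NORMAL_ACCOUNT = 0x0200          # 512; a plain enabled user
DONT_EXPIRE_PASSWORD = 0x10000   # 65536; commonly set on service accounts


def parse_uac(value):
    """Accept the value as ADUC shows it ('0x202') or as LDAP returns it ('514')."""
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def is_disabled(value):
    """True when the ACCOUNTDISABLE bit is set, whatever other bits are present."""
    return (parse_uac(value) & ACCOUNTDISABLE) != 0


def select_by_equality(records, wanted=512):
    """The thread's filter, (userAccountControl=512): disabled users never match."""
    return [r["sAMAccountName"] for r in records
            if parse_uac(r["userAccountControl"]) == wanted]


def select_by_bit(records, flag):
    """Same test as AD's bitwise-AND matching rule, e.g.
    (userAccountControl:1.2.840.113556.1.4.803:=2) for ACCOUNTDISABLE."""
    return [r["sAMAccountName"] for r in records
            if parse_uac(r["userAccountControl"]) & flag]


# Constructed sample directory entries (hypothetical accounts, not real data).
SAMPLE = [
    {"sAMAccountName": "jsmith",     "userAccountControl": "512"},    # enabled
    {"sAMAccountName": "asmith",     "userAccountControl": "0x202"},  # disabled, as ADUC shows it
    {"sAMAccountName": "svc-backup", "userAccountControl": "66048"},  # 512 + 65536, enabled
    {"sAMAccountName": "svc-old",    "userAccountControl": "66050"},  # 512 + 65536 + 2, disabled
]

if __name__ == "__main__":
    print(select_by_equality(SAMPLE))               # ['jsmith']: both disabled accounts are invisible
    print(select_by_bit(SAMPLE, ACCOUNTDISABLE))    # ['asmith', 'svc-old']
    print([is_disabled(r["userAccountControl"]) for r in SAMPLE])
```

The sync filter only has to bring the disabled accounts into view; the ACCOUNTDISABLE bit, not the whole number, is what decides the HEAT disabled flag.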
                              • 12. Re: How to disable users via LDAP sync setup.
                                Mike90 Apprentice

                                That did not even occur to me haha. I'll have to give that a try.