AD ldap, filter to exclude various kinds of expired, disabled etc etc users
Hi,
I was revising our AD ldap user_filter and pass_filter to exclude more types of expired / disabled accounts.
I started adding things like:
(&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))
but then I thought, why not simply do:
(&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))
as 512 would be your regular active user accounts only, excluding all other account types.
Looking here (https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontro...) there are so many different userAccountControl values to check that it might be smarter to only allow userAccountControl=512, or....?
Any ideas on this..?
(or examples of how you do it?)
MJ
Hi,
For the archives, the below user_filter works nicely:
user_filter = (&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))
But another option, taken from the samba mailinglist is:
user_filter = (&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This one excludes various kinds of disabled accounts, including 514. The second one might actually be better.
MJ
On 8-3-2019 13:39, mj via dovecot wrote:
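The three strategies discussed in both messages above (an explicit blacklist of userAccountControl values, an exact match on 512, and the bitwise-AND matching rule 1.2.840.113556.1.4.803 on the ACCOUNTDISABLE bit) behave differently once accounts carry extra flags. The script below is an added example, not code from the thread or from Dovecot: it builds each Dovecot user_filter string and evaluates the same logic against a constructed, made-up set of AD users. The flag values are the documented userAccountControl bits; the user names and their flag combinations are assumptions for illustration.

```python
# Added example, not from the thread: compare the three userAccountControl
# (UAC) filter strategies on a constructed set of AD users. The bit values
# are the documented UAC flags; the user entries below are made up.

ACCOUNTDISABLE       = 0x0002    # 2
PASSWD_NOTREQD       = 0x0020    # 32
NORMAL_ACCOUNT       = 0x0200    # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536
SMARTCARD_REQUIRED   = 0x40000   # 262144

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample directory: sAMAccountName -> userAccountControl
SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,                                         # 512: enabled
    "bob":   NORMAL_ACCOUNT | ACCOUNTDISABLE,                        # 514: disabled
    "carol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                  # 66048: enabled, pw never expires
    "dave":  NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE, # 66050: disabled
    "erin":  NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE,       # 546: disabled
    "frank": NORMAL_ACCOUNT | SMARTCARD_REQUIRED,                    # 262656: enabled, smartcard
    "grace": NORMAL_ACCOUNT | SMARTCARD_REQUIRED | ACCOUNTDISABLE,   # 262658: disabled, not in any blacklist
}


def bit_and_matches(value, mask):
    """Semantics of (attr:1.2.840.113556.1.4.803:=mask): every bit of mask is set."""
    return value & mask == mask


# Strategy 1: the explicit blacklist of whole values from the first post
BLACKLIST = {514, 546, 66050, 8388608}

def accept_blacklist(uac):
    return uac not in BLACKLIST


# Strategy 2: exact match, userAccountControl=512
def accept_exact_512(uac):
    return uac == NORMAL_ACCOUNT


# Strategy 3: bitwise test on the ACCOUNTDISABLE flag only
def accept_not_disabled(uac):
    return not bit_and_matches(uac, ACCOUNTDISABLE)


STRATEGIES = {
    "blacklist": accept_blacklist,
    "exact_512": accept_exact_512,
    "bit_and":   accept_not_disabled,
}


def accepted_users(strategy):
    """Names from the constructed directory that the given strategy lets log in."""
    return sorted(name for name, uac in SAMPLE_USERS.items() if STRATEGIES[strategy](uac))


def dovecot_user_filter(strategy):
    """Build the equivalent Dovecot user_filter string (balanced parentheses)."""
    base = "(objectclass=person)(sAMAccountName=%n)"
    if strategy == "blacklist":
        extra = "".join(f"(!(userAccountControl={v}))" for v in sorted(BLACKLIST))
    elif strategy == "exact_512":
        extra = f"(userAccountControl={NORMAL_ACCOUNT})"
    else:
        extra = f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"
    return f"(&{base}{extra})"


if __name__ == "__main__":
    for name in STRATEGIES:
        print(f"{name:10} {dovecot_user_filter(name)}")
        print(f"{'':10} accepts: {', '.join(accepted_users(name))}")
```

Running it shows the trade-off: the blacklist still admits grace (262658 is disabled but not one of the listed values), the exact match on 512 locks out carol and frank even though both are enabled, and the bitwise filter is the only one that tracks the ACCOUNTDISABLE bit regardless of other flags. Two caveats apply to all three: the value 8388608 on its own is PASSWORD_EXPIRED without the NORMAL_ACCOUNT bit, so an exact match on it will practically never fire, and in AD that flag (like LOCKOUT) is exposed through the computed attribute msDS-User-Account-Control-Computed rather than the stored userAccountControl; account expiry is a separate attribute (accountExpires) and is not a userAccountControl bit at all, so none of these filters rejects an expired-but-enabled account.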