Hi there

When the LDAP user account for a Unity Connection user is disabled or deleted, or if an LDAP directory configuration is deleted from the Unity Connection system, the following occurs:

1. Initially, when Unity Connection users try to sign in to a Unity Connection web application, LDAP authentication fails because Unity Connection is still trying to authenticate against the LDAP directory.

If you have multiple LDAP directory configurations accessing multiple LDAP user search bases, and if only one configuration was deleted, only the users in the associated user search base are affected. Users in other user search bases are still able to sign in to Unity Connection web applications.

2. At the first scheduled synchronization, users are marked as “LDAP inactive” in Unity Connection.

Attempts to sign in to Unity Connection web applications continue to fail.

3. At the next scheduled synchronization that occurs at least 24 hours after users are marked as “LDAP inactive,” all Unity Connection users whose accounts were associated with LDAP accounts are converted to Unity Connection standalone users.

For each Unity Connection user, the password for Unity Connection web applications and for IMAP email access to Unity Connection voice messages becomes the password that was stored in the Unity Connection database when the user account was created. (This is usually the password in the user template that was used to create the user.) Unity Connection users do not know this password, so an administrator must reset it.

The numeric password (PIN) for the telephone user interface and the voice user interface remains unchanged.

Note the following regarding Unity Connection users whose LDAP user accounts were disabled or deleted, or who were synchronized via an LDAP directory configuration that was deleted from Unity Connection:

• The users can continue to sign in to Unity Connection by phone during the period in which Unity Connection is converting them from an LDAP-synchronized user to a standalone user.
• Their messages are not deleted.
• Callers can continue to leave messages for these Unity Connection users.

Note LDAP phone numbers are converted to Unity Connection extensions only once, when you first synchronize Unity Connection data with LDAP data. On subsequent, scheduled synchronizations, values in the Connection Extension field are not updated with changes to the LDAP phone number. As a result, you can change the LDAP phone number as required, including specifying a completely different number, and the extension will not be overwritten the next time that Connection

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/design/guide/10xcucdgx/10xcucdg040.html

Hope this Helps

Cheers
Rath!
***Please rate helpful posts***

As others have pointed out, by default users marked as Disabled in AD will not synchronize initially, and if they are set to Disabled after synchronization then CUCM/CUC will mark them for deletion and they will be purged after 24 hours. If you want to synchronize disabled users, or do not want disabled users to be "un-syncrhonized" you will need to use a custom LDAP filter.

The default LDAP filter is the following:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

The (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) is the part that checks to see if an account is disabled. And the "!" at the beginning of the argument says to not import if it is disabled..

Therefore, to have disabled accounts synchronize and/or to continue to be replicated after they are disabled the filter can be:

(&(objectclass=user)(!(objectclass=Computer)))

This will import users (all users - active and disabled), but not groups and not computers. The user account would have to be deleted altogether in order to have it stop being replicated to CUCM/CUC.

Maren