Hello all, question on LDAP synchronization with Windows AD. If an AD account is disabled, is that account included during the sync process in CUC?
I was looking at this doc, https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/design/guide/b_11xcucdg/b_11xcucdg_chapter_01010.pdf, but couldn't find the answer to my question.
When the LDAP user account for a Unity Connection user is disabled or deleted, or if an LDAP directory configuration is deleted from the Unity Connection system, the following occurs:
1. Initially, when Unity Connection users try to sign in to a Unity Connection web application, LDAP authentication fails because Unity Connection is still trying to authenticate against the LDAP directory.
If you have multiple LDAP directory configurations accessing multiple LDAP user search bases, and if only one configuration was deleted, only the users in the associated user search base are affected. Users in other user search bases are still able to sign in to Unity Connection web applications.
3. At the next scheduled synchronization that occurs at least 24 hours after users are marked as “LDAP inactive,” all Unity Connection users whose accounts were associated with LDAP accounts are converted to Unity Connection standalone users.
For each Unity Connection user, the password for Unity Connection web applications and for IMAP email access to Unity Connection voice messages becomes the password that was stored in the Unity Connection database when the user account was created. (This is usually the password in the user template that was used to create the user.) Unity Connection users do not know this password, so an administrator must reset it.
Note the following regarding Unity Connection users whose LDAP user accounts were disabled or deleted, or who were synchronized via an LDAP directory configuration that was deleted from Unity Connection:
Note: LDAP phone numbers are converted to Unity Connection extensions only once, when you first synchronize Unity Connection data with LDAP data. On subsequent, scheduled synchronizations, values in the Connection Extension field are not updated with changes to the LDAP phone number. As a result, you can change the LDAP phone number as required, including specifying a completely different number, and the extension will not be overwritten the next time that Connection
Hope this Helps
***Please rate helpful posts***
As others have pointed out, by default users marked as Disabled in AD will not synchronize initially, and if they are set to Disabled after synchronization then CUCM/CUC will mark them for deletion and they will be purged after 24 hours. If you want to synchronize disabled users, or do not want disabled users to be "un-synchronized", you will need to use a custom LDAP filter.
The default LDAP filter is the following:
The (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) is the part that checks to see if an account is disabled, and the "!" at the beginning of the argument says to not import the account if it is disabled.
Therefore, to have disabled accounts synchronize and/or to continue to be replicated after they are disabled the filter can be:
This will import users (all users - active and disabled), but not groups and not computers. The user account would have to be deleted altogether in order to have it stop being replicated to CUCM/CUC.
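To make the filter logic concrete, here is an added worked example (my own code, not from the post above and not Cisco's): a small evaluator for the RFC 4515 filter subset these directory filters use, including the Active Directory bit-AND matching rule 1.2.840.113556.1.4.803, run against constructed sample AD entries. It assumes the CUCM/CUC default AD filter is `(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))` (the default as I know it for Active Directory) and compares it with the same filter minus the UserAccountControl clause. The entries, DNs and userAccountControl values are constructed, not real directory data.

```python
"""Evaluate CUCM/CUC-style LDAP filters against constructed AD entries.

Supports the RFC 4515 subset these filters use: (&...), (|...), (!...),
attr=value, and the AD bit-AND extensible match attr:1.2.840.113556.1.4.803:=mask.
Values may not contain ')' (no escape handling), which suffices for directory filters.
"""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x0002             # userAccountControl bit set when an AD account is disabled
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000  # set on computer accounts

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": NORMAL_ACCOUNT},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},        # disabled in AD
    {"dn": "CN=SRV01,OU=Computers,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"dn": "CN=Voice Admins,OU=Groups,DC=example,DC=com",
     "objectClass": ["top", "group"]},                               # no userAccountControl at all
]

# Assumed CUCM/CUC default AD filter, and the same filter without the disabled-account clause.
DEFAULT_AD_FILTER = ("(&(objectclass=user)(!(objectclass=Computer))"
                     "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
ALL_USERS_FILTER = "(&(objectclass=user)(!(objectclass=Computer)))"

# attr=value  or  attr:<matching-rule-oid>:=value
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(?::([0-9.]+):)?=(.*)")


def parse(filter_str):
    """Parse a filter string into a tree of ('&'|'|'|'!', children) / ('=', (attr, rule, value))."""
    s = filter_str.strip()
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return i + 1, (op, children)
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    m = _ITEM.fullmatch(s[i:end])
    if not m:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return end + 1, ("=", m.groups())


def _values(entry, attr):
    """AD attribute names are case-insensitive; always return a list (empty if absent)."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    op, arg = node
    if op == "&":
        return all(matches(c, entry) for c in arg)
    if op == "|":
        return any(matches(c, entry) for c in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, rule, value = arg
    values = _values(entry, attr)          # absent attribute never matches, so (!(...)) is true for it
    if rule is None:
        return any(str(v).lower() == value.lower() for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(value)                   # true when every bit of the mask is set in the value
        return any((int(v) & mask) == mask for v in values)
    raise ValueError(f"unsupported matching rule {rule}")


def is_disabled(user_account_control):
    return bool(user_account_control & ACCOUNTDISABLE)


def select(filter_str, entries=SAMPLE_ENTRIES):
    """Return the DNs of the entries the filter would let the sync agreement import."""
    node = parse(filter_str)
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print("default  :", select(DEFAULT_AD_FILTER))   # Alice only
    print("all users:", select(ALL_USERS_FILTER))    # Alice and Bob (disabled)
```

Two points the run makes visible: the bit-AND rule tests bit 0x2 of userAccountControl (514 = NORMAL_ACCOUNT plus ACCOUNTDISABLE matches, 512 does not), and an entry with no userAccountControl attribute, such as a group, passes the negated clause, so it is the objectclass=user term, not the UserAccountControl term, that keeps groups out. Dropping the UserAccountControl clause therefore changes only whether disabled user accounts are imported; computers and groups are still excluded.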