12-15-2008 06:22 PM
Ironport LDAP queries will successfully look up SMTP addresses of disabled AD accounts. For companies that disable accounts instead of deleting them, this can cause a lot of junk mail to accumulate in the account's associated mailbox.
We currently move all disabled AD accounts to a DisabledAccounts OU.
By denying the AD user account used for lookups all rights to that specific OU and its child objects, the Ironport now fails on lookups to that OU.
-Matt
12-15-2008 09:29 PM
Why not keep those "disabled" users in that OU and then create a custom incoming mail policy that matches incoming mail to the recipients that are members of that OU?
Then, you can create a content filter that simply drops that mail for that custom policy only.
01-20-2009 11:32 PM
Hi,
I'm not an AD expert, but I can imagine that whether a user is disabled or not is just a simple attribute that is set to a certain value (or not set).
Try to find the correct value with the (terrible) MS tool LDP and extend your LDAP filter with it.
Beware: from what I know from the Exchange 5.5 "hide from address book" attribute, MS permits itself to have three possible situations for an attribute that can have only two values. (The attribute does not exist (false), the attribute has a value of "1" (true), or the attribute has a value of "0" (false).) I'm not sure if they have improved this within the AD.
Regards, Steven
03-25-2009 11:38 PM
The AD attribute is userAccountControl and is bitmapped...
You have to AND its value with 0x2 and if the result is zero, the account is enabled.
http://support.microsoft.com/kb/305144
04-06-2009 01:38 PM
Hi,
Does anyone know a working LDAP query? I'm testing a few of them, but nothing has worked yet.
Regards,
Boris
04-06-2009 04:37 PM
I'm trying to get the same thing working with no luck so far. It looks like the ldap engine on the appliance might not support those features of query strings, namely the ldap matching rules (!UserAccountControl:1.2.840.113556.1.4.803:=2), and, curiously, also the logical not operator ("!") which generates a syntax error.
I opened up a support case seeking guidance.
04-06-2009 04:50 PM
Hi,
This is one of the options:
(&(|(mail={a})(proxyAddresses=smtp:{a}))(userAccountControl=512))
04-06-2009 04:59 PM
I wouldn't be either. Using that construct you'd have to identify every valid value for userAccountControl and keep all of them in your query string.
04-08-2009 09:57 PM
Well... if I read the quoted MS article, the value for a disabled user is 514:
You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.
The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
(& (|(mail={a}) (proxyAddresses=smtp:{a}) ) (!(userAccountControl=514)))
04-09-2009 03:04 PM
The issue is that value of '2' can be added onto different account states. 514 is not the only value that a disabled user can have, so you have to identify all possible values of UserAccountControl that contain that value. It'd be a lot easier (and better) if the IronPort appliances just supported ldap bitwise matching rules (they don't, at least according to Support).
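To make the point in this post concrete, here is an added example (not from the thread or from any IronPort code) that evaluates the three filter strategies discussed above, (userAccountControl=512), (!(userAccountControl=514)) and the bitwise rule (!(userAccountControl:1.2.840.113556.1.4.803:=2)), against constructed sample accounts. The flag values are from the linked MS article; the sample accounts and function names are constructed for illustration.

```python
# Added example: why equality tests on userAccountControl miss accounts that
# the bitwise matching rule catches. Flag values per MS KB 305144.
ACCOUNTDISABLE = 0x0002       # set on every disabled account, whatever else is set
NORMAL_ACCOUNT = 0x0200       # 512
DONT_EXPIRE_PASSWD = 0x10000  # 65536, commonly set alongside NORMAL_ACCOUNT

# Constructed sample accounts: (description, userAccountControl, really disabled?)
SAMPLE_ACCOUNTS = [
    ("plain enabled user", NORMAL_ACCOUNT, False),                                       # 512
    ("plain disabled user", NORMAL_ACCOUNT | ACCOUNTDISABLE, True),                      # 514
    ("enabled, password never expires", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, False),     # 66048
    ("disabled, password never expires",
     NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE, True),                        # 66050
]


def is_disabled(uac: int) -> bool:
    """Bitwise test, i.e. what (userAccountControl:1.2.840.113556.1.4.803:=2) asks the DC."""
    return (uac & ACCOUNTDISABLE) != 0


def passes_equals_512(uac: int) -> bool:
    """(userAccountControl=512): accepts only the single value 512."""
    return uac == 512


def passes_not_514(uac: int) -> bool:
    """(!(userAccountControl=514)): rejects only the single value 514."""
    return uac != 514


def passes_bitwise(uac: int) -> bool:
    """(!(userAccountControl:1.2.840.113556.1.4.803:=2)): rejects any value with bit 0x2 set."""
    return not is_disabled(uac)


def evaluate(filter_fn):
    """Return (disabled accounts wrongly accepted, enabled accounts wrongly rejected)."""
    accepted_disabled = [d for d, uac, dis in SAMPLE_ACCOUNTS if dis and filter_fn(uac)]
    rejected_enabled = [d for d, uac, dis in SAMPLE_ACCOUNTS if not dis and not filter_fn(uac)]
    return accepted_disabled, rejected_enabled


if __name__ == "__main__":
    for name, fn in [("=512", passes_equals_512), ("!=514", passes_not_514), ("bitwise", passes_bitwise)]:
        bad_in, bad_out = evaluate(fn)
        print(f"{name:8} lets disabled through: {bad_in}  blocks enabled: {bad_out}")
```

Only the bitwise variant gets both lists empty; the equality filters either drop legitimate enabled users or keep delivering to disabled ones as soon as any other flag is set.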