CUCM Active Directory integration question regarding the garbage collection process of "disabled" accounts

SlimPickens (Level 1)

So I have a customer that wants to integrate their CUCM 11.5 with their AD, however, their AD passwords do not unlock after a set amount of time after becoming locked due to too many attempts. The user must call into their service desk to unlock the account.

As I understand it, when an account in AD is locked due to too many attempts CUCM sees this account as "disabled" and marks it as such. Then the garbage collector runs at 3:15 am but spares this account this time around because it hasn't been disabled for 24 hours. Now if that user doesn't call into their service desk and have their account unlocked by the following day at 3:15 am, then the garbage collector will delete this user.

Is this correct?

If so, when does CUCM query the LDAP server to check for the "disabled" status? Is it only when it syncs? If so, what would be the behavior if I set CUCM to sync with LDAP only once per week instead of daily? I know the garbage collector would still run every day at 3:15 am, but would it only actually purge users once per week since it wouldn't know how long the user had been in the "disabled" state?

Thanks in advance for any light that can be shed on this. I read through the SRND but couldn't find an answer for this type of scenario.
4 Replies

You can change the behaviour of how CUCM synchronises users from AD by using a custom LDAP filter. We allow disabled users to still synchronise in our setup. I’ll post the filter we use tomorrow morning CEST time when I’m at work again. (Or at least working from home due to the small thing called a COVID-19 lockdown).





The default, unseen LDAP filter that is used by CUCM for AD is this: "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))". This default filter selects entries for which the object class is a user but not a computer, and for which the account is not flagged as disabled. This can be read in the online help.
(image: Snag_747078.png)
From the picture, the highlighted part is what you need to remove to allow disabled users to sync over to CUCM. To do that you would need to create a custom LDAP filter with this content "(&(objectclass=user)(!(objectclass=Computer)))" and apply that to the LDAP Directory configuration you have.

We use this with some additional filter criteria to only sync users that have a valid email address for our domain and a few other things needed for our setup.



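To make the difference between the two filters concrete, here is an added example (my own code, not from the thread, Cisco, or the CUCM product) that evaluates both filter strings against a few constructed directory entries. It implements just the filter subset the thread uses: AND, NOT, plain equality, and AD's bitwise-AND extensible match `attr:1.2.840.113556.1.4.803:=value`, where the value `2` is the ACCOUNTDISABLE bit of userAccountControl. The sample entries (alice, bob, carol, ws01$) and their attribute values are constructed for illustration. One entry is worth noting for the original question: an AD lockout after too many bad passwords records `lockoutTime` and does not set the ACCOUNTDISABLE bit in the stored userAccountControl, so the default filter on its own does not exclude a locked-out account, only an administratively disabled one.

```python
import re

# userAccountControl bit tested by CUCM's default filter (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x0002
# Active Directory's bitwise-AND extensible matching rule.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# The two filters quoted in the thread.
DEFAULT_FILTER = ("(&(objectclass=user)(!(objectclass=Computer))"
                  "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
CUSTOM_FILTER = "(&(objectclass=user)(!(objectclass=Computer)))"

# attr=value or attr:rule-oid:=value (no escaped characters or ')' in values)
_MATCH = re.compile(r"([A-Za-z0-9-]+)(?::([0-9.]+):)?=(.*)")


def parse(text, pos=0):
    """Parse one parenthesised filter item starting at text[pos].

    Returns (node, next_position). Node shapes:
      ("and", [children]) / ("not", child) / ("match", attr, rule, value)
    """
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] == "&":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        node = ("and", children)
    elif text[pos] == "!":
        child, pos = parse(text, pos + 1)
        node = ("not", child)
    else:
        end = text.index(")", pos)
        m = _MATCH.fullmatch(text[pos:end])
        if m is None:
            raise ValueError(f"bad match clause: {text[pos:end]!r}")
        attr, rule, value = m.groups()
        node = ("match", attr.lower(), rule, value)  # AD attribute names are case-insensitive
        pos = end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def parse_filter(text):
    """Parse a complete filter string into a node tree."""
    node, pos = parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def evaluate(node, entry):
    """Evaluate a parsed filter against an entry: {lowercase attr: [values]}."""
    kind = node[0]
    if kind == "and":
        return all(evaluate(child, entry) for child in node[1])
    if kind == "not":
        return not evaluate(node[1], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule is None:
        # plain equality; AD compares most string values case-insensitively
        return any(v.lower() == value.lower() for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        # true when every bit of the filter value is set in the attribute value
        mask = int(value)
        return any((int(v) & mask) == mask for v in values)
    raise ValueError(f"unsupported matching rule {rule}")


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"samaccountname": ["alice"], "objectclass": ["top", "person", "user"],
     "useraccountcontrol": ["512"]},                       # NORMAL_ACCOUNT
    {"samaccountname": ["bob"], "objectclass": ["top", "person", "user"],
     "useraccountcontrol": [str(512 | ACCOUNTDISABLE)]},   # administratively disabled
    {"samaccountname": ["carol"], "objectclass": ["top", "person", "user"],
     "useraccountcontrol": ["512"],
     "lockouttime": ["132000000000000000"]},                # locked out: lockoutTime set, UAC bit untouched (constructed value)
    {"samaccountname": ["ws01$"], "objectclass": ["top", "person", "user", "computer"],
     "useraccountcontrol": ["4096"]},                      # WORKSTATION_TRUST_ACCOUNT
]


def sync_candidates(filter_text, entries):
    """Return the sAMAccountNames that the given filter would let CUCM import."""
    tree = parse_filter(filter_text)
    return [e["samaccountname"][0] for e in entries if evaluate(tree, e)]


if __name__ == "__main__":
    print("default filter :", sync_candidates(DEFAULT_FILTER, SAMPLE_ENTRIES))
    print("custom filter  :", sync_candidates(CUSTOM_FILTER, SAMPLE_ENTRIES))
```

Run stand-alone, the default filter admits alice and carol (the locked-out account still has userAccountControl 512), while the custom filter also admits bob; the computer object is excluded by both. When building a custom filter for production, keep the `(!(objectclass=Computer))` term and add the extra criteria the answer mentions (for example a domain-restricted mail attribute) so that only the accounts CUCM should know about are imported.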


Great information, thank you!

If we get Call Manager to pull in "disabled" accounts, will that prevent the garbage collection process from removing those accounts at 3:15 am each time it realizes that they've been disabled for over 24 hours? Or would it delete those users and then re-add them when the AD sync next happened?

The garbage collector would not know about the account being disabled; such users will show up in the CUCM end user list like any other user. For them to be removed by the garbage collector they have to be marked for removal, and that would happen if the user(s) are actually removed from AD or moved to a location, if applicable, that the CUCM directory sync doesn't have access to.


