Technical Tip: Disable user account in AD LDAP
Description
This article describes the behavior of FortiNAC when a user is disabled from Active Directory.
Scope
FortiNAC.
Solution
If the LDAP entry is configured with the default values, when a user account is disabled in Active Directory, FortiNAC will:
- Disable the User Account.
- Disable the Hosts and all the adapters that are registered by this User.
Note: The changes are applied after the next scheduled or manual Directory synchronization.
These actions are also recorded in the Events log:

The status of the User, Host, and Adapters appears as shown below:

 
There are specific cases where disabling the host is not required or may cause access disruption for existing hosts. In these cases, the LDAP configuration can be changed by removing either the Disabled Attribute [userAccountControl] completely or only the Disabled Value [0x02], as shown below:

Helpful debugs:
diag debug plugin enable DirectoryManager
diag debug plugin enable DirectoryAuthentication
diag tail -f output.master
yams INFO :: 2024-11-05 10:37:05:148 :: #388 :: Requested Attributes = [distinguishedName, msDS-PrincipalName, givenName, sn, sAMAccountName, streetAddress, l, st, postalCode, homePhone, mobile, mobileProvider, mail, title, userAccountControl]
yams INFO :: 2024-11-05 10:37:05:151 :: #388 :: PRINTING ATTRIBUTES FOR CN=gimi,OU=Usr,DC=eb,DC=eu
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>mobile: +123 11111
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>givenName: gimi
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>msDS-PrincipalName: EB\gimi
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>mail: gimi@eb.eu
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>distinguishedName: CN=gimi,OU=Usr,DC=eb,DC=eu
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>homePhone: 70001
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>sAMAccountName: gimi
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>title: Shef IT
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>userAccountControl: 514
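The userAccountControl value 514 in the output above is 0x202, that is NORMAL_ACCOUNT (0x200) plus the Disabled Value 0x02. The following is an added example, not Fortinet code or part of the original article, that parses such debug lines and reports which entries have the disabled bit set. The second entry in SAMPLE is constructed, and the function names are illustrative.

```python
import re

# userAccountControl bits as documented by Microsoft (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
DISABLED_VALUE = 0x02  # the "Disabled Value" from the LDAP configuration

# First entry: lines from the article's debug output. Second entry: constructed.
SAMPLE = r"""
yams INFO :: 2024-11-05 10:37:05:151 :: #388 :: PRINTING ATTRIBUTES FOR CN=gimi,OU=Usr,DC=eb,DC=eu
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>msDS-PrincipalName: EB\gimi
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>sAMAccountName: gimi
yams INFO :: 2024-11-05 10:37:05:152 :: #388 :: =>userAccountControl: 514
yams INFO :: 2024-11-05 10:37:06:001 :: #388 :: PRINTING ATTRIBUTES FOR CN=demo,OU=Usr,DC=example,DC=test
yams INFO :: 2024-11-05 10:37:06:002 :: #388 :: =>sAMAccountName: demo
yams INFO :: 2024-11-05 10:37:06:002 :: #388 :: =>userAccountControl: 512
"""

ENTRY = re.compile(r"PRINTING ATTRIBUTES FOR (?P<dn>.+)$")
ATTR = re.compile(r"=>(?P<name>[\w-]+): (?P<value>.*)$")

def parse_entries(text):
    """Return {dn: {attribute: value}} from DirectoryManager debug lines."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            current = entries.setdefault(m.group("dn").strip(), {})
        elif current is not None and (m := ATTR.search(line)):
            current[m.group("name")] = m.group("value").strip()
    return entries

def decode_uac(value):
    """List the known flag names set in a decimal userAccountControl value."""
    uac = int(value)
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]

def disabled_accounts(text):
    """Map each DN to True if the 0x02 bit is set; entries lacking the attribute are skipped."""
    return {dn: bool(int(a["userAccountControl"]) & DISABLED_VALUE)
            for dn, a in parse_entries(text).items() if "userAccountControl" in a}

if __name__ == "__main__":
    for dn, attrs in parse_entries(SAMPLE).items():
        print(dn, decode_uac(attrs["userAccountControl"]))
```
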