While working with a client recently we noticed that they were still seeing disabled accounts in the people search results. That is, generally speaking, bad: an account that HR has disabled should not keep turning up as a live person in search. But it's actually pretty easy to fix with a tweak to the LDAP query used to select the accounts that become profiles. First we have to get to the right screen, so go to:
- Central Administration
- Shared Service Provider (the one that hosts user profiles)
- User profiles and properties
- View import connections
- Hover over the name of the connection you want to change and click Edit
There's an option in the Search Settings section titled User filter. It holds the LDAP filter that decides which directory objects are imported as profiles; by default it just selects user objects.
What we want is that same filter plus an extra clause that says "and the account is not disabled". It happens that "account disabled" is a single flag in the userAccountControl attribute in AD, which is a bit-flag integer (for a normal disabled user the value is 514, not 2, because other flags are set at the same time). That means a plain equality test won't do; we need to ask whether one bit is set. There is a TechNet "Hey, Scripting Guy" article that answers the question "How Can I Get a List of All the Disabled User Accounts in Active Directory?", and it contains the magic key we need: an extensible-match clause that tests userAccountControl against the value 2.
The dotted number in the middle of that clause is an LDAP matching-rule OID that tells the directory to evaluate a bitwise AND rather than an equality. On its own the clause returns only entries whose account-disabled bit is set. Since we want the reverse, we wrap it in a not and AND it onto the existing filter, which gives us the final query.
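The filter strings were not preserved in this page as extracted, so the example below spells them out and evaluates them against a constructed directory. This is an added example, not the post's own code, not part of SharePoint, and not the Scripting Guy script: the base filter it uses is the usual `(&(objectCategory=person)(objectClass=user))`, assumed to be what the import connection starts with, and the entries are made up. It implements just enough of LDAP filter syntax (`&`, `|`, `!`, equality, and the bitwise-AND extensible match, matching rule OID 1.2.840.113556.1.4.803) to show why the OID is needed and what the negated clause does:

```python
"""Evaluate a small subset of LDAP filter syntax against constructed AD-style
entries, to show how the userAccountControl bitwise-AND clause behaves.
Added example; the filters and entries below are assumptions, not page data."""

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # matches when all asserted bits are set
ACCOUNTDISABLE = 0x0002                                  # userAccountControl "account disabled" flag

# Assumed default import filter (not taken from the page).
BASE_FILTER = "(&(objectCategory=person)(objectClass=user))"
# The "magic key": userAccountControl AND 2 != 0, i.e. the account is disabled.
DISABLED_FILTER = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})"
# Base filter plus the negated disabled test: only enabled user objects.
ACTIVE_USERS_FILTER = f"(&(objectCategory=person)(objectClass=user)(!{DISABLED_FILTER}))"


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":                      # (&(...)(...)) or (|(...)(...))
        pos += 1
        children = []
        while text[pos] != ")":
            child, pos = parse_filter(text, pos)
            children.append(child)
        return ("and" if op == "&" else "or", children), pos + 1
    if op == "!":                       # (!(...))
        child, pos = parse_filter(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unterminated '!' filter")
        return ("not", child), pos + 1
    end = text.index(")", pos)          # simple item: attr=value or attr:rule:=value
    attr, _, value = text[pos:end].partition("=")
    if attr.endswith(":"):              # extensible match syntax
        name, rule, _ = attr.split(":")
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError(f"unsupported matching rule {rule}")
        return ("bitand", name.lower(), int(value)), end + 1
    return ("eq", attr.lower(), value), end + 1


def _values(entry, attr):
    """Return the attribute's values as a list (AD attributes may be multi-valued)."""
    v = entry.get(attr, [])
    return v if isinstance(v, list) else [v]


def matches(node, entry):
    """Evaluate a parsed filter node against one entry (keys lower-cased)."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    if kind == "eq":                    # LDAP string matching is case-insensitive
        return any(str(v).lower() == node[2].lower() for v in _values(entry, node[1]))
    if kind == "bitand":                # rule 803: true when every asserted bit is present
        return any(int(v) & node[2] == node[2] for v in _values(entry, node[1]))
    raise ValueError(f"unknown node {kind}")


# Constructed sample directory. Note the computer object: it has objectClass=user
# but objectCategory=computer, which is why the base filter checks objectCategory.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [
    {"cn": "alice", "objectcategory": "person", "objectclass": USER_CLASSES, "useraccountcontrol": 512},    # NORMAL_ACCOUNT
    {"cn": "bob", "objectcategory": "person", "objectclass": USER_CLASSES, "useraccountcontrol": 514},      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"cn": "svc-backup", "objectcategory": "person", "objectclass": USER_CLASSES, "useraccountcontrol": 66048},  # + DONT_EXPIRE_PASSWORD
    {"cn": "carol", "objectcategory": "person", "objectclass": USER_CLASSES, "useraccountcontrol": 66050},  # disabled + DONT_EXPIRE_PASSWORD
    {"cn": "WKS01", "objectcategory": "computer", "objectclass": USER_CLASSES + ["computer"], "useraccountcontrol": 4096},  # WORKSTATION_TRUST_ACCOUNT
]


def select(filter_text, directory=DIRECTORY):
    """Return the cn of every entry the filter matches, in directory order."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"] for e in directory if matches(node, e)]


if __name__ == "__main__":
    print("base filter:      ", select(BASE_FILTER))
    print("disabled only:    ", select(DISABLED_FILTER))
    print("active users:     ", select(ACTIVE_USERS_FILTER))
    print("naive equality:   ", select("(userAccountControl=2)"))   # misses 514 and 66050
```

Run stand-alone it shows the point of the OID: `(userAccountControl=2)` matches nobody, because a real disabled account carries other flags alongside bit 2, while the bitwise-AND clause picks out bob and carol and its negation leaves exactly the enabled people.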
Immediately after doing this and running a profile import you may expect the disabled users to be gone. Unfortunately they are not, but that is an artifact of search rather than of the import.
Search doesn't remove an entry until it has been missing for three full imports in a row. The thinking is that a site might be temporarily offline during a crawl, and it would be bad to drop it from the index over a bit of bad timing. So if you want the disabled users out of the search results, run three full imports and they should disappear.