Filter Out Disabled Windows Accounts

If you use pam_ldap to authenticate against Active Directory you may have a problem you never thought of. You may be allowing disabled accounts access to your system. Use the following filter to exclude disabled accounts. The filter looks at the userAccountControl field which is a bit field. It checks the single bit that determines if an account is enabled or disabled. This snippet belongs in /etc/pam_ldap.conf.

pam_filter &(objectclass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))

On second thought this might not be desirable. This will filter out disabled accounts making them appear as though they do not exist which is different than being disabled.

This entry was posted in Geek, Tips. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s