https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132259#M4022 <P>To configure Splunk to ignore inactive account, simply add the userAccountControl as follow in the "User base filter" field:</P> <P>(&amp;(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</P> Thu, 09 Apr 2015 20:23:50 GMT yungro 2015-04-09T20:23:50Z https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132257#M4020 <P>When a user leaves the company, our IT department has a strict policy in place to deactivate the UserAccount instead of deleting it from the AD. This actually leaves a hole for us because Splunk will continue to sync the account as it does not understand the account has been deactivated within our AD. </P> <P>While this Answer <A href="http://answers.splunk.com/answers/118596/using-ldap-authentication-can-i-block-access-to-a-particular-user-in-splunk-without-removing-them-from-the-ad-group.html#answer-118602">post</A> seems to fit my situation, I'd prefer to NOT hide the account, and just ignore it. </P> <P>Anyone know of a workaround to have Splunk ignore disabled accounts??</P> Thu, 09 Apr 2015 17:53:23 GMT https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132257#M4020 Chubbybunny 2015-04-09T17:53:23Z https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132258#M4021 <P>I'll readily admit that I haven't done such in Splunk, but I've used LDAP queries to find disabled accounts. In Splunk you would modify the user base filter, to include a match that the appropriate bit(s) in the userAccountControl attribute are set or not set.</P> <P><A href="http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm">This site</A> seems to have an excellent guide to all of the bits that are encoded in the userAccountControl attribute. They also have <A href="http://www.selfadsi.org/ldap-filter.htm#BitAndOr">a guide to the bitwise ldap filters</A></P> <P>Edit: Maybe a filter like:</P> <PRE><CODE>(&amp; (objectClass=user) (userAccountControl:1.2.840.113556.1.4.803:=512) (! (userAccountControl:1.2.840.113556.1.4.803:=2) ) ) </CODE></PRE> <P>A user, who is a normal user and not a computer or something, where the account disable bit is not set. One line for easy copying:</P> <PRE><CODE>(&amp;(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) </CODE></PRE> Thu, 09 Apr 2015 18:50:13 GMT https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132258#M4021 acharlieh 2015-04-09T18:50:13Z https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132259#M4022 <P>To configure Splunk to ignore inactive account, simply add the userAccountControl as follow in the "User base filter" field:</P> <P>(&amp;(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</P> Thu, 09 Apr 2015 20:23:50 GMT https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132259#M4022 yungro 2015-04-09T20:23:50Z https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132260#M4023 <P>I have used it. Say I have two users in AD with attributes like</P> <P>AD User/account 'Rbal' has accountExpires=08/9/2015<BR /> and user 'Bill Paul' with accountExpires=never</P> <P>In Splunk Configured "User base filter" as </P> <P>User base filter” as (accountExpires=9223372036854775807) ( where 9223372036854775807 is for never)</P> <P>Now if I check under Access controls » Users found user 'Bill Paul' is filtered.</P> Fri, 17 Apr 2015 17:44:00 GMT https://community.splunk.com/t5/Security/How-can-I-exclude-disabled-Active-Directory-user-accounts-from/m-p/132260#M4023 rbal_splunk 2015-04-17T17:44:00Z