GADS - Syncing only enabled users


John Dombrowski

Oct 20, 2011, 2:22:15 PM10/20/11
to Google Apps K12 Technical Forum
Here's a tip to sync only those users who are enabled in Active
Directory. If a user is disabled in AD, it will either not sync the
user (if you are syncing a new OU) or suspend the user account (if the
user was previously in Google Apps) when GADS is run.

I had some trouble finding this solution, so I thought I would throw
it out there to the group.

When you set up a sync rule, enter this in for the "Rule" section:

(&(&(objectclass=user) (objectcategory=person)) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Regards,
John

Demetri Orlando

Oct 21, 2011, 9:47:36 AM10/21/11
to k12ap...@googlegroups.com
John,
I like this tip, thanks! I have an existing rule in the User Sync screen of the GADS tool which is: (&(objectclass=user)(objectcategory=person)(mail=*)) so that we currently only sync users who have the email address filled in (AD field for email address). How would these two rules be combined so that I only sync users who are active (not suspended) AND have an email address? Another way of asking this is: how do I write the rule if I want to suspend GA users who are suspended in AD, even if they have an email address field populated?
thanks!
Demetri

John Dombrowski

Oct 21, 2011, 10:15:13 AM10/21/11
to Google Apps K12 Technical Forum
I think you could simply combine the two rules like so:

(&(&(objectclass=user) (objectcategory=person) (mail=*)) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The first check (the inner "&") would check to see if the CN is a
user, a person, and has the mail field populated. The second check
(the outer "&") would then check to see if the user is enabled.

If that doesn't work, you might be able to write the rule like this:

(&(&(&(objectclass=user) (objectcategory=person)) (mail=*)) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

But the third "&" might be superfluous.

I didn't test this, but I think the nesting is correct in both rules.

Regards,

John Dombrowski
Thornapple Kellogg Schools

Demetri Orlando

Oct 21, 2011, 10:29:14 AM10/21/11
to k12ap...@googlegroups.com
Fantastic! Your first suggestion works like a charm: (&(&(objectclass=user) (objectcategory=person) (mail=*)) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Users with an email address in AD, but suspended are now also suspended in GA.
thanks so much.

Tim White

Aug 9, 2016, 1:03:46 AM8/9/16
to Google Apps K12 Technical Forum
We've just started doing this as well. Somehow I could not find any post like this when I needed it but came up with basically the same search rule to have GADS search on "user has a mail attribute" and "user is not disabled in AD" -- else disable (or do not create) matching Google Apps account. I was just about to post this same hint but thought I'd search again and found this post. Hopefully others will find this and save some time themselves!

And John is right, you can do it with just one AND operator:

(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

#user has a mail attribute
(&(objectCategory=person)(objectClass=user)(mail=*))

#user is not disabled
(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Since the mail attribute query was already an "AND" search it was as simple as slapping in the second search inside the "&" call:

#Combined:
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
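An added example, not code from anyone in this thread: a small Python evaluator for the filter subset used here, run over constructed AD-style entries (assumed sample data, not real directory records). It shows why the bitwise-AND rule 1.2.840.113556.1.4.803 with value 2 (the ACCOUNTDISABLE bit of userAccountControl) catches a disabled account whatever its other flags are, where a plain equality test on 514 would not, and which of the sample entries the combined rule keeps.

```python
# Evaluator for the RFC 4515 filter subset used in this thread: &, !, equality,
# presence (attr=*) and AD's bitwise-AND rule 1.2.840.113556.1.4.803.
BIT_AND_RULE = "1.2.840.113556.1.4.803"          # LDAP_MATCHING_RULE_BIT_AND

def parse(s, i=0):
    """Parse one parenthesised component at s[i]; return (node, next_index)."""
    i = len(s) - len(s[i:].lstrip())             # AD tolerates spaces between components
    assert s[i] == "(", f"expected '(' at offset {i}"
    if s[i + 1] in "&!":                         # compound (&...) / (!...)
        op, kids, i = s[i + 1], [], i + 2
        while s[i:].lstrip()[0] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), len(s) - len(s[i:].lstrip()) + 1
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)     # 'attr:OID:=2' splits at the first '='
    return ("item", attr.strip(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    name, _, rule = attr.partition(":")          # extensible match is written attr:OID:
    actual = {k.lower(): v for k, v in entry.items()}.get(name.lower())
    if actual is None:                           # an absent attribute never matches
        return False
    if rule:                                     # bitwise AND: every bit in value is set
        return rule.rstrip(":") == BIT_AND_RULE and int(actual) & int(value) == int(value)
    return value == "*" or str(actual).lower() == value.lower()

COMBINED = ("(&(objectCategory=person)(objectClass=user)(mail=*)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# Constructed sample entries, not real directory data. userAccountControl: 512 = NORMAL_ACCOUNT,
# 514 = 512 | ACCOUNTDISABLE (0x2), 66048 = 512 | DONT_EXPIRE_PASSWORD, 66050 = 66048 | 0x2.
USERS = {
    "alice": {"objectClass": "user", "objectCategory": "person", "mail": "a@ex.edu", "userAccountControl": 512},
    "bob":   {"objectClass": "user", "objectCategory": "person", "mail": "b@ex.edu", "userAccountControl": 514},
    "carol": {"objectClass": "user", "objectCategory": "person", "userAccountControl": 512},
    "dave":  {"objectClass": "user", "objectCategory": "person", "mail": "d@ex.edu", "userAccountControl": 66048},
    "erin":  {"objectClass": "user", "objectCategory": "person", "mail": "e@ex.edu", "userAccountControl": 66050},
}

def select(flt):
    """Names the filter keeps; under GADS the rest are not created or get suspended."""
    tree, _ = parse(flt)
    return sorted(n for n, e in USERS.items() if matches(tree, e))
```

`select(COMBINED)` keeps only alice and dave: bob and erin are disabled (bit 0x2 set) and carol has no mail attribute; an equality test `(userAccountControl=514)` would flag bob but miss erin.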