KB0679975

LDAP OU Definition containing "(userAccountControl:1.2.840.113556.1.4.803:=2)" could retrieve locked accounts beside inactive users


Last updated: Sep 16, 2023

Issue

Some customers want to retrieve inactive accounts by importing them through the LDAP integration. However, on some LDAP servers, a search using the filter (userAccountControl:1.2.840.113556.1.4.803:=2) returns both inactive and locked accounts.

Inactive accounts are accounts that have been disabled on the LDAP server. Locked accounts are accounts whose password must be reset, that have exceeded the allowed number of incorrect password attempts, or similar. In some cases, locked accounts are still active and the users will unlock them at some point.

If you disable locked LDAP accounts on the instance, those users will not be able to log in to the instance once they have unlocked their accounts on the LDAP server, and your administrators may need to re-enable the accounts on the instance.

Symptoms

You will notice this problem if:

  • You have an LDAP import to retrieve the inactive accounts
  • Your inactive accounts are fetched using the LDAP OU Definition filter: (userAccountControl:1.2.840.113556.1.4.803:=2)
  • Some active users report that they cannot log in to the instance, and those users have recently had their accounts locked (e.g. too many password retries).
  • Some users report that their accounts have been set to disabled on the instance while their LDAP account remains active.

Cause

A search on the LDAP server for (userAccountControl:1.2.840.113556.1.4.803:=2) retrieves both inactive and locked accounts.

Resolution

Please educate your system administrators that an LDAP query containing userAccountControl:1.2.840.113556.1.4.803:=2 could retrieve both inactive and locked users.

To avoid importing locked accounts, modify the filter to exclude records where userAccountControl is 512* or 544*, or modify the onBefore script of the LDAP import transform map so that it does not disable the affected users.

Note: userAccountControl is a bit-mask attribute defined on the LDAP server itself; each bit controls one property of the user account, and the stored value is the sum of the bits that are set. Please contact your LDAP administrator to validate whether a better query covers your business requirement.
