Jamf Nation Community

djrory · ‎07-08-2020

I'd like JAMF to notify me when a user is moved to the "Disabled" OU in AD, this way I will know when a Mac user has left the business and I can begin chasing down their device.

I have tried changing the LDAP settings for "Position" mapping to "memberOf" however since the user never logs into the device after being terminated the inventory doesn't get updated.

How can I get JAMF to query LDAP for users in the "Disabled" OU?

notverypc · ‎07-08-2020

We use an EA that looks at the userAccountControl Attribute from AD.
Then have a smart group that looks for a AccountControl ID of 514. As 514 mean the account has been disabled. Hope this helps.

djrory · ‎07-08-2020

@notverypc but what triggers this LDAP lookup? If it is a Computer Inventory EA will it not only be triggered when a user is logged in and the device does an Inventory Update?

What if the device is say handed to their manager, placed in a drawer then the leaving users account is moved to the disabled OU? The device remains in the drawer and will not check in to trigger the Inventory Update right?

Or am I completely misunderstanding the functions of JAMF here?

notverypc · ‎07-09-2020

@djrory The Mac will need to checkin/recon for the EA to be updated. If the device is locked in a drawer then it wont update.

If you want a notification as soon as a user is disable, you probably need to look at AD not Jamf?

R_C · ‎08-04-2021

Bug with this process.

From my testing, if the Account doesn't exist in LDAP, the EA will not change. So if a user gets Deleted instead of Disabled, JAMF will continue to show the same AccountControl ID from the last time the account existed. It doesn't appear to zero out the entry which would be better than leaving it as is.

Jamf Nation Community

LDAP Group for Disabled Users