LDAP Group for Disabled Users

djrory
Contributor

I'd like JAMF to notify me when a user is moved to the "Disabled" OU in AD; this way I will know when a Mac user has left the business and I can begin chasing down their device.

I have tried changing the LDAP settings for "Position" mapping to "memberOf"; however, since the user never logs into the device after being terminated, the inventory doesn't get updated.

How can I get JAMF to query LDAP for users in the "Disabled" OU?

notverypc
New Contributor III

We use an EA that looks at the userAccountControl attribute from AD.
Then we have a smart group that looks for an AccountControl ID of 514, as 514 means the account has been disabled. Hope this helps.

djrory
Contributor

@notverypc but what triggers this LDAP lookup? If it is a Computer Inventory EA, will it not only be triggered when a user is logged in and the device does an Inventory Update?

What if the device is, say, handed to their manager and placed in a drawer, then the leaving user's account is moved to the disabled OU? The device remains in the drawer and will not check in to trigger the Inventory Update, right?

Or am I completely misunderstanding the functions of JAMF here?

notverypc
New Contributor III

@djrory The Mac will need to check in/recon for the EA to be updated. If the device is locked in a drawer then it won't update.

If you want a notification as soon as a user is disabled, you probably need to look at AD, not Jamf?

R_C
Contributor

Bug with this process.

From my testing, if the account doesn't exist in LDAP, the EA will not change. So if a user gets deleted instead of disabled, JAMF will continue to show the same AccountControl ID from the last time the account existed. It doesn't appear to zero out the entry, which would be better than leaving it as is.
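
Added example (not part of the thread and not code from any poster): userAccountControl is a bit field in which 514 is 512 (normal account) plus 2 (account disabled), so this sketch tests the disabled bit rather than one exact value and reports a missing lookup result explicitly instead of keeping an old value. The function names are hypothetical, the sample values are constructed, and how the raw value is fetched from the directory is left to the caller; the `<result>` wrapper assumes the output is used as a Jamf script extension attribute.

```shell
#!/bin/sh
# Added example: classify a raw userAccountControl value by its flag bits.
# Fetching the value (directory or LDAP lookup) is outside this sketch.

UAC_ACCOUNTDISABLE=2   # 0x0002, the "account disabled" bit; 514 = 512 + 2

# classify_uac RAW -> prints Disabled | Enabled | NotFound | Invalid
classify_uac() {
    local raw="$1"

    # Empty input: the lookup returned nothing, e.g. the account was
    # deleted. Report that instead of leaving a stale value in place.
    if [ -z "$raw" ]; then
        echo "NotFound"
        return 0
    fi

    # Accept only a plain decimal integer without leading zeros, so the
    # shell never evaluates arbitrary text or reads the value as octal.
    case "$raw" in
        *[!0-9]*|0?*) echo "Invalid"; return 0 ;;
    esac

    # Test the bit: 514 and 66050 (disabled, password never expires)
    # both match, while 512 and 66048 do not.
    if [ $(( $raw & $UAC_ACCOUNTDISABLE )) -ne 0 ]; then
        echo "Disabled"
    else
        echo "Enabled"
    fi
}

# Wrap the classification in the tags a script extension attribute prints.
ea_result() {
    printf '<result>%s</result>\n' "$(classify_uac "$1")"
}

# Constructed sample values, including an empty lookup result.
for v in 512 514 66048 66050 ""; do
    printf '%-6s -> %s\n' "${v:-<none>}" "$(classify_uac "$v")"
done
```

A smart group can then match on the string "Disabled" or "NotFound" instead of the number 514.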