How do I remove disabled users in Active Directory from the Zscaler user database?

Description

When users are marked disabled in the Active Directory (AD) server, they are still returned by the AD server when you use the following filters to synchronize users from the Active Directory server:

  • the default User Search Filter: (objectClass=person)
  • the default Search Filter: (objectClass=User)

As a result, users who were disabled in Active Directory are not deleted from the Zscaler database. Their cookies remain valid, allowing them to use the Zscaler service to browse the Internet. 

Solution

To make sure disabled users cannot browse through the Zscaler service, you need to specify a special LDAP search filter in the User Search Filter and Search Filter fields. This LDAP search filter instructs Active Directory to return all objects except those that have been disabled. To modify these filters, log into the admin portal and do the following:

  1. Go to Administration > Authentication Settings > Authentication Profile tab.
  2. To edit the synchronization settings, click Advanced Configuration.
  3. Add the following clause to both the User Search Filter and Search Filter fields, combined with the existing filter by an AND (&):
(!(UserAccountControl:1.2.840.113556.1.4.803:=2))

The following is an example:

(&(objectClass=User)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
  4. Click Save and activate the change.
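The following is an added example, not code from the Zscaler article or product: a small evaluator for the LDAP filters quoted above, run against a constructed set of AD-style user entries. It shows why the default filter still returns disabled accounts and why the clause with the 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) rule excludes them: that rule matches when every bit of the asserted value (2, the ACCOUNTDISABLE bit of userAccountControl) is set, and the surrounding ! inverts it. The DNs and userAccountControl values are constructed sample data; the parser handles only the filter syntax the article uses.

```python
# Added example (not from the Zscaler article): evaluate the article's LDAP
# filters against constructed AD-style entries.

# userAccountControl bit for a disabled account (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x0002
# Other userAccountControl bits, used only to build realistic sample values.
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000
# OID of LDAP_MATCHING_RULE_BIT_AND, the extensible-match rule in the filter:
# it matches when every bit of the asserted value is set in the attribute.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

DEFAULT_FILTER = "(objectClass=User)"
HARDENED_FILTER = "(&(objectClass=User)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed sample directory: two enabled and two disabled accounts.
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": NORMAL_ACCOUNT},
    {"dn": "CN=bob,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"dn": "CN=svc-backup,OU=Service,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE},
    {"dn": "CN=carol,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},
]


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos).
    Supports &, |, ! and equality / extensible-match assertions, which is all
    the filters in the article use."""
    if text[pos] != "(":
        raise ValueError("filter must start with '(' at position %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), pos + 1
    if op == "!":
        child, pos = parse_filter(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", child), pos + 1
    end = text.index(")", pos)
    lhs, value = text[pos:end].split("=", 1)
    if lhs.endswith(":"):            # extensible match: attr:rule:=value
        attr, rule = lhs[:-1].split(":", 1)
    else:                            # plain equality: attr=value
        attr, rule = lhs, None
    return ("match", attr, rule, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter node against one entry (a dict of attributes)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    by_name = {k.lower(): v for k, v in entry.items()}  # AD attribute names are case-insensitive
    if attr.lower() not in by_name:
        return False
    actual = by_name[attr.lower()]
    if rule == BIT_AND_RULE:
        return (int(actual) & int(value)) == int(value)
    values = actual if isinstance(actual, list) else [actual]
    return any(str(v).lower() == value.lower() for v in values)


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs the directory would hand back for this filter."""
    node, _ = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


def disabled_returned(filter_text, entries=SAMPLE_ENTRIES):
    """DNs that are both returned by the filter and disabled: the accounts that
    would survive a user sync and keep a valid Zscaler session."""
    returned = set(search(filter_text, entries))
    return [e["dn"] for e in entries
            if e["dn"] in returned and e["userAccountControl"] & ACCOUNTDISABLE]


if __name__ == "__main__":
    for label, flt in (("default", DEFAULT_FILTER), ("hardened", HARDENED_FILTER)):
        print("%-8s %s" % (label, flt))
        print("  returned:          ", search(flt))
        print("  disabled returned: ", disabled_returned(flt))
```

Running the block lists the four sample DNs for the default filter (two of them disabled) and only alice and carol for the hardened filter. The same check with (objectClass=person) as the base, the default User Search Filter, gives the same result, which is why the article applies the clause to both fields.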