When users are marked disabled in the Active Directory (AD) server, they are still returned by the AD server when you use the following filters to synchronize users from the Active Directory server:
As a result, users who were disabled in Active Directory are not deleted from the Zscaler database. Their cookies remain valid, allowing them to use the Zscaler service to browse the Internet.
To make sure disabled users cannot browse through the Zscaler service, you need to specify a special LDAP search filter in the User Search Filter and Search Filter fields. This LDAP search filter instructs Active Directory to return all objects except those that have been disabled. To modify these filters, log in to the admin portal and do the following:
The following is an example:
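The sketch below is an added example, not taken from the Zscaler documentation. It builds a filter of the kind described above using Active Directory's bitwise AND matching rule on `userAccountControl`, and shows why a plain equality test lets some disabled accounts through. The base filter, account names and flag values are constructed for illustration.

```python
ACCOUNTDISABLE = 0x0002                  # userAccountControl bit set on disabled accounts
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # OID of AD's LDAP_MATCHING_RULE_BIT_AND

# Clause that is true only for objects whose ACCOUNTDISABLE bit is clear.
ENABLED_ONLY = f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"


def exclude_disabled(base_filter: str) -> str:
    """AND an existing search filter with the enabled-only clause."""
    base = base_filter.strip()
    if not (base.startswith("(") and base.endswith(")")):
        base = f"({base})"
    if ENABLED_ONLY in base:  # already restricted, do not nest it again
        return base
    return f"(&{base}{ENABLED_ONLY})"


def would_sync(entry: dict) -> bool:
    """Emulate the bitwise clause: keep the entry unless the disabled bit is set."""
    uac = int(entry["userAccountControl"])
    return (uac & ACCOUNTDISABLE) != ACCOUNTDISABLE


def naive_would_sync(entry: dict) -> bool:
    """Emulate (!(userAccountControl=514)): only catches one exact flag combination."""
    return int(entry["userAccountControl"]) != 514


# Constructed sample entries (hypothetical names, typical flag combinations).
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512},    # normal account
    {"sAMAccountName": "bob", "userAccountControl": 514},      # normal + disabled
    {"sAMAccountName": "carol", "userAccountControl": 66048},  # password never expires
    {"sAMAccountName": "dave", "userAccountControl": 66050},   # never expires + disabled
]

if __name__ == "__main__":
    print(exclude_disabled("(objectClass=user)"))
    for e in SAMPLE:
        print(e["sAMAccountName"], "synced" if would_sync(e) else "filtered out")
```
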