Secure Internet and SaaS Access (ZIA)

Removing Disabled Users in the Active Directory from the Zscaler User Database

When users are marked disabled in the Active Directory (AD) server, they are still returned by the AD server when you use either of the following filters to synchronize users from the Active Directory server:

  • User Search Filter: (objectClass=person)
  • Search Filter: (objectClass=User)

As a result, users who were disabled in the AD aren't deleted from the Zscaler user database. Their authentication cookies remain valid, so they can still use the Zscaler service to browse the Internet until the database is synchronized with a filter that excludes them.

Removing Disabled Users in the Active Directory

To make sure disabled users cannot browse through the Zscaler service, you need to specify a special LDAP search filter in the User Search Filter and Search Filter fields. This LDAP search filter instructs the AD to return all matching objects except those whose account has been disabled (the ACCOUNTDISABLE bit of userAccountControl is set), so those users are no longer synchronized and are removed from the Zscaler user database.

To modify these filters and remove disabled AD users from the Zscaler user database:

  1. Go to Administration > Authentication Settings.
  2. In the Authentication Profile tab, under Directory Type, click Advanced Configuration.
  3. Add the following clause to both the User Search Filter and Search Filter fields:
     (!(UserAccountControl:1.2.840.113556.1.4.803:=2))

     For example, the Search Filter becomes:
     (&(objectClass=User)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
  4. Click Save and activate the change.
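The following is an added example, not code from Zscaler or from this article, that shows why the extra clause works. It is a small evaluator for the filter constructs used above (equality, &, !, and the extensible match with the rule OID 1.2.840.113556.1.4.803, which is LDAP_MATCHING_RULE_BIT_AND) run against a constructed set of directory entries; the entry names and userAccountControl values are assumptions made up for the demonstration. It also shows one caveat the article's filters imply: an object that has no userAccountControl attribute at all (for example a contact that matches objectClass=person) is still returned, because the negated bit test is true for it.

```python
"""Evaluate AD LDAP search filters against constructed sample entries.

Supports the constructs the article's filters use: (attr=value), (&...), (!...),
and the extensible bit-AND match (attr:1.2.840.113556.1.4.803:=mask).
"""

# userAccountControl flag bits (values from the AD schema).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample directory (hypothetical accounts, not real data).
# Attribute names are stored lowercased because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"cn": "alice", "objectclass": USER_CLASSES, "useraccountcontrol": NORMAL_ACCOUNT},
    {"cn": "bob", "objectclass": USER_CLASSES,
     "useraccountcontrol": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"cn": "carol", "objectclass": USER_CLASSES,
     "useraccountcontrol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"cn": "svc-backup", "objectclass": USER_CLASSES,
     "useraccountcontrol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE},
    # A contact object has no userAccountControl attribute at all.
    {"cn": "ext-vendor", "objectclass": ["top", "person", "organizationalPerson", "contact"]},
]

DISABLED_CLAUSE = "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"


def parse_filter(text):
    """Parse an LDAP filter string into a nested tuple tree."""
    i, node = _parse(text, 0)
    if i != len(text):
        raise ValueError(f"trailing characters after filter: {text[i:]!r}")
    return node


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (next_index, node)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at position {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return i + 1, (op, children)
    end = s.index(")", i)
    lhs, value = s[i:end].split("=", 1)
    if lhs.endswith(":"):  # extensible match: attr:ruleOID:=value
        attr, rule = lhs[:-1].split(":", 1)
        return end + 1, ("ext", attr.lower(), rule, value)
    return end + 1, ("eq", lhs.lower(), value)


def matches(node, entry):
    """Return True if the directory entry satisfies the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    raw = entry.get(node[1], [])
    values = raw if isinstance(raw, list) else [raw]
    if kind == "eq":
        # objectClass values are matched case-insensitively, so User == user.
        return any(str(v).lower() == node[2].lower() for v in values)
    if node[2] != BIT_AND_RULE:
        raise NotImplementedError(f"matching rule {node[2]} not supported")
    mask = int(node[3])
    # Bit-AND rule: true when every bit of the mask is set in the attribute value.
    # An entry without the attribute never matches, so the negated clause admits it.
    return any(int(v) & mask == mask for v in values)


def synced_users(filter_text, directory=DIRECTORY):
    """Names of the entries the AD server would return for the given search filter."""
    node = parse_filter(filter_text)
    return sorted(e["cn"] for e in directory if matches(node, e))


if __name__ == "__main__":
    for f in ("(objectClass=User)", "(&(objectClass=User)" + DISABLED_CLAUSE + ")"):
        print(f, "->", synced_users(f))
```

With the original Search Filter, bob and svc-backup (both carrying the ACCOUNTDISABLE bit) are still returned and therefore stay in the user database; with the combined filter only alice and carol come back, so the next synchronization drops the disabled accounts. Running the person-based filter shows the contact object surviving the exclusion clause, which is expected and harmless for a contact but worth knowing when you read the synchronization results.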