Find inactive LDAP accounts using the userAccountControl field

Identify when an Active Directory (AD) user is deleted (or made inactive).

Before you begin

Role required: admin

About this task

One method is to track the active status of AD users and create a business rule to update corresponding accounts when an AD account is inactive.

To find and deactivate inactive user accounts:

Procedure

1. Create a new string field on the User [sys_user] table to track the value of the AD userAccountControl field. For example: u_ad_user_account.

2. Create an LDAP transform script to set the field value.

       target.u_ad_user_account = source.userAccountControl;

3. Update the LDAP filter to show disabled AD accounts.

   Here is an example of a filter that excludes disabled accounts.

       (&(objectClass=person)(sn=*)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

   Here is an example of a replacement filter you can use. It drops the userAccountControl clause, so disabled accounts are returned as well.

       (&(objectClass=person)(sn=*)(!(objectClass=computer)))

4. Create an onChange business rule to set the active field to false whenever the u_ad_user_account field has the value 514. '514' indicates an inactive account.
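
The check in the last step, as an added example that is not part of the original page or ServiceNow's own code: 514 is 512 (normal account) plus 2 (account disabled), and a disabled account with other flags set stores a different number, such as 546 or 66050, so this sketch tests the disabled bit instead of comparing against 514. The function names are hypothetical; only the u_ad_user_account field name comes from the page.

```javascript
// Added example: decode the userAccountControl value stored in u_ad_user_account.
// Function names are hypothetical; flag values are the Microsoft-documented bits.
var UAC_FLAGS = {
  ACCOUNTDISABLE: 0x0002,
  LOCKOUT: 0x0010,
  PASSWD_NOTREQD: 0x0020,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000
};

// The field is a string; return an integer, or null for empty or non-numeric input.
function parseUac(raw) {
  var text = String(raw === null || raw === undefined ? '' : raw).trim();
  if (!/^\d+$/.test(text)) {
    return null;
  }
  return parseInt(text, 10);
}

// Names of the known flags that are set in the value (useful for audit notes).
function decodeUac(raw) {
  var value = parseUac(raw);
  if (value === null) {
    return [];
  }
  return Object.keys(UAC_FLAGS).filter(function (name) {
    return (value & UAC_FLAGS[name]) !== 0;
  });
}

// True when the ACCOUNTDISABLE bit is set, whatever other flags accompany it.
function isAdAccountDisabled(raw) {
  var value = parseUac(raw);
  return value !== null && (value & UAC_FLAGS.ACCOUNTDISABLE) !== 0;
}

// Decision the business rule would make: deactivate on a disabled AD account,
// and leave the record untouched when the synced value is missing or malformed.
function nextActiveState(currentActive, raw) {
  if (parseUac(raw) === null) {
    return currentActive;
  }
  return isAdAccountDisabled(raw) ? false : currentActive;
}
```

In a business rule, the same test would be applied to current.u_ad_user_account before setting current.active to false.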