Integrate APM Sessions with AD Account Management

Problem this snippet solves:

This iApp queries Active Directory for accounts that are locked out or disabled, and for accounts whose password has changed in the last n minutes, and then deletes any APM sessions those users hold. It was created for a large hospital in the Texas Medical Center that needed external access to end as soon as MS FIM disabled or locked out an account. It also covers the lost or stolen device case: the user's password is changed, and any session that device still holds is terminated to prevent unauthorized access.

Things to note

The LDAP query only looks for accounts whose userAccountControl value is exactly 514 (see http://support.microsoft.com/kb/305144 for the flag values). 514 is NORMAL_ACCOUNT (0x0200) plus ACCOUNTDISABLE (0x0002), so a disabled account that also carries another flag, such as DONT_EXPIRE_PASSWD (0x10000, giving 66050), will not match. If you use other account types you'll need to update this value, or match on the ACCOUNTDISABLE bit alone with the LDAP bitwise AND matching rule (userAccountControl:1.2.840.113556.1.4.803:=2). Note also that AD does not store the LOCKOUT bit (0x0010) in userAccountControl; lockout state is exposed through the lockoutTime attribute (non-zero while locked) and the computed msDS-User-Account-Control-Computed attribute, so verify that your filter actually catches locked-out accounts in your directory.
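As an added example (not the iApp's own code, which is Tcl/tmsh and is not reproduced on this page), the following Python builds the AD queries described above and applies the same tests to constructed directory and APM session records to pick the session IDs that should be deleted. The FILETIME conversion used by pwdLastSet and lockoutTime (100-nanosecond ticks since 1601-01-01 UTC), the bitwise matching rule OID 1.2.840.113556.1.4.803 and the userAccountControl flag values are real Active Directory facts; the account records, session records and the session dictionary keys that mirror APM session variable names are constructed for illustration. The deletion step itself is left to the BIG-IP, as the iApp does.

```python
"""Added example, not the iApp's code: build the AD filters the page describes and
select the APM sessions to terminate. Runs offline against constructed records."""
import datetime as dt

# pwdLastSet and lockoutTime are FILETIME values: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)
UAC_NORMAL_ACCOUNT = 0x0200
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
USER_BASE = "(objectCategory=person)(objectClass=user)"


def to_filetime(t):
    """Convert an aware datetime to FILETIME with exact integer math
    (float seconds lose precision around 1e17 ticks)."""
    delta = t.astimezone(dt.timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_filters(now, minutes):
    """Return the LDAP filters: the page's literal value-514 filter, a bitwise
    ACCOUNTDISABLE filter that also catches e.g. 66050, a lockout filter on
    lockoutTime (AD does not store the LOCKOUT bit in userAccountControl), and a
    pwdLastSet filter against a cutoff n minutes ago."""
    cutoff = to_filetime(now - dt.timedelta(minutes=minutes))
    return {
        "disabled_exact": f"(&{USER_BASE}(userAccountControl={UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE}))",
        "disabled": f"(&{USER_BASE}(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_ACCOUNTDISABLE}))",
        # Caveat: lockoutTime stays non-zero after the lockout duration expires until the
        # next successful logon or an admin unlock, so this can over-match slightly.
        "locked": f"(&{USER_BASE}(lockoutTime>=1))",
        "pw_changed": f"(&{USER_BASE}(pwdLastSet>={cutoff}))",
    }


def is_disabled(uac):
    """True if the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(uac & UAC_ACCOUNTDISABLE)


def flagged_accounts(ad_entries, now, minutes):
    """Apply the same three tests locally to AD entries (dicts with sAMAccountName,
    userAccountControl, lockoutTime, pwdLastSet); return lowercase sAMAccountNames."""
    cutoff = to_filetime(now - dt.timedelta(minutes=minutes))
    flagged = set()
    for e in ad_entries:
        if (is_disabled(e["userAccountControl"])
                or e.get("lockoutTime", 0) >= 1
                or e.get("pwdLastSet", 0) >= cutoff):
            flagged.add(e["sAMAccountName"].lower())
    return flagged


def sessions_to_kill(apm_sessions, flagged):
    """Match sessions to flagged accounts by logon name, case-insensitively, stripping a
    DOMAIN\\ prefix or @upn suffix the user may have typed (single-domain assumption)."""
    ids = []
    for s in apm_sessions:
        name = s["session.logon.last.username"].split("\\")[-1].split("@")[0].lower()
        if name in flagged:
            ids.append(s["session_id"])
    return ids


# Constructed sample data (not real directory or BIG-IP output).
NOW = dt.datetime(2015, 3, 11, 12, 0, tzinfo=dt.timezone.utc)
AD_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 514, "lockoutTime": 0,
     "pwdLastSet": to_filetime(NOW - dt.timedelta(days=30))},   # disabled, matches =514
    {"sAMAccountName": "bob", "userAccountControl": 66050, "lockoutTime": 0,
     "pwdLastSet": to_filetime(NOW - dt.timedelta(days=30))},   # disabled + never expires
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "lockoutTime": to_filetime(NOW - dt.timedelta(minutes=3)),
     "pwdLastSet": to_filetime(NOW - dt.timedelta(days=30))},   # locked out
    {"sAMAccountName": "dave", "userAccountControl": 512, "lockoutTime": 0,
     "pwdLastSet": to_filetime(NOW - dt.timedelta(minutes=2))}, # password just changed
    {"sAMAccountName": "erin", "userAccountControl": 512, "lockoutTime": 0,
     "pwdLastSet": to_filetime(NOW - dt.timedelta(days=10))},   # healthy
]
APM_SESSIONS = [
    {"session_id": "0a1b2c3d", "session.logon.last.username": "HOSP\\Alice"},
    {"session_id": "1b2c3d4e", "session.logon.last.username": "bob@hosp.example"},
    {"session_id": "2c3d4e5f", "session.logon.last.username": "carol"},
    {"session_id": "3d4e5f60", "session.logon.last.username": "dave"},
    {"session_id": "4e5f6071", "session.logon.last.username": "erin"},
]

if __name__ == "__main__":
    for name, flt in build_filters(NOW, 5).items():
        print(f"{name}: {flt}")
    # The iApp deletes these on the BIG-IP; this example stops at the ID list.
    print("sessions to delete:", sessions_to_kill(APM_SESSIONS, flagged_accounts(AD_ENTRIES, NOW, 5)))
```

Run against a live directory, the four filters would replace the local tests in flagged_accounts; the point of the local version is to show why bob (66050) is missed by the literal 514 filter but caught by the bitwise one, and that carol is found through lockoutTime rather than userAccountControl.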

Code :

Published Mar 11, 2015
Version 1.0
  • session.user.starttime is a standard field as of 11.5.0 and 11.6.0 at least. There should be no need for session.custom.session_create_time.