Showing results for 
Search instead for 
Did you mean: 
F5 Employee
F5 Employee

Problem this snippet solves:

This iApp will query Active Directory for any locked-out or disabled accounts as well as accounts that have changed their passwords in the last n-minutes. It will then delete any APM sessions these users may have. This was created for a large Hospital in the Texas Medial Center that needed to terminate external access when MS FIM disabled/locked-out an account. They also wanted to cover the use case of a device is lost/stolen so the user's password is changed to prevent unauthorized access.

Things to note

The LDAP query only looks for accounts that have a userAccountControl value of 514. If you're using other types (such as password never expires) you'll need to update this value.

Code :

session.user.starttime is a standard field as of 11.5.0 and 11.6.0 at least. There should be no need for session.custom.session_create_time
Version history
Last update:
‎11-Mar-2015 13:43
Updated by: