Help
CodeShare
Have some code. Share some code.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Integrate APM Sessions with AD Account Management

Cody_Green
F5 Employee
F5 Employee

on ‎11-Mar-2015 13:43

Problem this snippet solves:

This iApp will query Active Directory for any locked-out or disabled accounts as well as accounts that have changed their passwords in the last n-minutes. It will then delete any APM sessions these users may have. This was created for a large Hospital in the Texas Medial Center that needed to terminate external access when MS FIM disabled/locked-out an account. They also wanted to cover the use case of a device is lost/stolen so the user's password is changed to prevent unauthorized access.

Things to note

The LDAP query only looks for accounts that have a http://support.microsoft.com/kb/305144 userAccountControl value of 514. If you're using other types (such as password never expires) you'll need to update this value.

Code :

45221
Labels:
ad_disabled_account_verification.tcl
0 Kudos
Comments
Walter_Kacynski
Cirrostratus
Cirrostratus
‎20-Jul-2015 06:28
session.user.starttime is a standard field as of 11.5.0 and 11.6.0 at least. There should be no need for session.custom.session_create_time
0 Kudos
Version history
Last update:
‎11-Mar-2015 13:43
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC