AAA, NAC, Guest Access & BYOD

How to check if an AD account is disabled in CPPM with the userAccountControl attribute

Aruba Employee

This article talks about adding UserAccountControl attribute of AD/LDAP to CPPM.


Environment : This article best suits CPPM 6.2.


If CPPM is using AD/LDAP as an authentication source, It will authenticate any user which is present in the AD/LDAP even if the account is disabled if the AD/LDAP if the UserAccountControl attribute is not added.

Below are the steps to add this attribute.

Login to CPPM and navigate to "Configuration » Authentication » Sources"



Click on the AD or LDAP server which we are using as an authentication source. 


rtaImage (1).png


Click on the Attributes tab.


rtaImage (2).png

We have to add UserAccountControl  under Authentication.

Click on Authentication.


rtaImage (3).png

Click on "Click to add" and add the attribute as shown below.

rtaImage (4).png


Save the configuration.

We must be able to see userAccountControl added as an Authentication attribute.


rtaImage (5).png


Verify that AD is returning this attribute. Click on Authentication - > Browse.


rtaImage (6).png


On this Ldap Browser  query for any user on AD and check if AD is returning the userAccountControlattribute.


rtaImage (7).png

This verifies that CPPM is getting userAccountControl attribute.

When value of userAccountControl  is 66050 then its disabled else the account is enabled.

We can use this attribute in our service.

Create a new Role Mapping Policy as shown below and we can map this our Dot 1 X service.


rtaImage (8).png


We can also add new attributes based on our requirements. For more details on the Attributes list we can visit

Version history
Revision #:
1 of 1
Last update:
‎07-14-2014 06:29 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.