
Inactive Users Deprovisioning - Filter not working

Hi,

I have a workflow that finds inactive user accounts. This has two filters to exclude accounts that have "NODEL" in the comment field, OR the account password is set to never expire, but the password expiration filter does not seem to be working.

Workflow - Find Inactive Users:

Find: Inactive Accounts In: Users (domain.net/Users)

Search Options

Retrieve these account Types: Users

Retrieve accounts that meet any of these conditions:

    Account has not logged on in the past 120 days

    Account's password has not changed in the past 120 days

    Account expired more than 30 days before the current date

Filter:

OR group (any of these conditions is true):

    Description (description) does not contain "NODEL"

    Password Never Expires (edsaPasswordNeverExpires) does not equal True

From the workflow history:

Filter: (&)|(!description=*NODEL*))(!(esdaPasswordNeverExpires=True)))(&(sAMAccount=805306368)(|(|(&(!(lastLogonTimeStamp=*))(whenCreated<=20180718033000.0Z))(lastLogonTimeStamp<=131763582005507498))(&(pwsLastSet>=1)(pwdLastSet<=131763582005507498))(&(accountExpires>=1)(accountExpires<=131841342005507498)))))

On an account that was deprovisioned, I have checked via PowerShell that the account is set to never expire (True) and via ActiveRoles, the Password expires is set to Never.

Can anyone shed any light as to why it is deprovisioning accounts that have their passwords set to never expire please?

Regards,

John
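
The filter grouping described in the post, evaluated over four constructed accounts, as an added example that is not part of the original post and is not Active Roles code: in an OR group of two "does not" conditions, an account stays in scope whenever either condition is true, so it is excluded only when it has both "NODEL" in the description and a non-expiring password. The account objects and the function names Test-OrGroup and Test-AndGroup are hypothetical, and the AND grouping is included only for comparison.

```powershell
# Constructed sample accounts (not real data). Each is assumed to have already
# matched one of the workflow's inactivity conditions.
$accounts = @(
    [pscustomobject]@{ Name = 'svc-a';  Description = 'NODEL - service account'; PasswordNeverExpires = $true  }
    [pscustomobject]@{ Name = 'svc-b';  Description = 'Service account';         PasswordNeverExpires = $true  }
    [pscustomobject]@{ Name = 'user-c'; Description = 'NODEL - on leave';        PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'user-d'; Description = 'Former contractor';       PasswordNeverExpires = $false }
)

function Test-OrGroup {
    param($Account)
    # Grouping as described in the post: the account passes the filter
    # if ANY one of the two "does not" conditions is true.
    # -notlike '*NODEL*' stands in for "does not contain" (case-insensitive).
    ($Account.Description -notlike '*NODEL*') -or
        ($Account.PasswordNeverExpires -ne $true)
}

function Test-AndGroup {
    param($Account)
    # Comparison grouping: the account passes only if BOTH conditions are
    # true, so either marker on its own is enough to exclude it.
    ($Account.Description -notlike '*NODEL*') -and
        ($Account.PasswordNeverExpires -ne $true)
}

# Show, per account, whether each grouping would leave it in scope
# for deprovisioning.
$accounts | ForEach-Object {
    [pscustomobject]@{
        Name                 = $_.Name
        Description          = $_.Description
        PasswordNeverExpires = $_.PasswordNeverExpires
        InScopeWithOrGroup   = (Test-OrGroup $_)
        InScopeWithAndGroup  = (Test-AndGroup $_)
    }
} | Format-Table -AutoSize
```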