PAM user termination through AD

Document ID : KB000012277
Last Modified Date : 14/02/2018
Question:

How does CA PAM treat users that are disabled in AD?

Answer:

Users with the disabled flag set in AD are imported into, or remain in, CA PAM during group import or synchronization. They are not disabled in CA PAM, which has its own disabled flag that is independent of the user's status in AD. A disabled AD user will not be able to log on to CA PAM, because CA PAM does not authenticate the imported user locally but passes the authentication request on to AD, which rejects it.
This functionality is in line with the purpose of the disabled flag: the user cannot log on to CA PAM while the disabled flag is set in AD, but the user's configuration in CA PAM is retained.
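
For access reviews, the following added example (not CA PAM code or part of the original article) lists imported accounts that are disabled in AD but still enabled in CA PAM, which are the accounts whose configuration is retained. It assumes the AD side is available as sAMAccountName and userAccountControl pairs and the PAM side as a hypothetical CSV export; the column names and all sample data are constructed.

```python
import csv
import io

# userAccountControl bit that AD sets on a disabled account (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x0002

# Constructed sample: sAMAccountName -> userAccountControl, as an LDAP query returns them.
AD_USERS = {"alice": 512, "bob": 514, "carol": 66050, "dave": 66048}

# Constructed sample: hypothetical CSV export of PAM users. The column names
# (username, source, pam_disabled) are assumptions, not a CA PAM format.
PAM_EXPORT = """username,source,pam_disabled
alice,ldap,false
bob,ldap,false
carol,ldap,true
erin,local,false
"""


def ad_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(uac) & ACCOUNTDISABLE)


def review_disabled(ad_users, pam_csv):
    """Classify imported PAM users that AD reports as disabled.

    Returns a dict with two sorted lists:
      retained - disabled in AD, still enabled in PAM (logon is rejected by AD,
                 PAM configuration is kept)
      both     - disabled in AD and also disabled by PAM's own flag
    """
    ad = {name.lower(): uac for name, uac in ad_users.items()}
    result = {"retained": [], "both": []}
    for row in csv.DictReader(io.StringIO(pam_csv)):
        if row["source"].strip().lower() != "ldap":
            continue  # local PAM accounts are not authenticated against AD
        name = row["username"].strip().lower()
        if name not in ad or not ad_disabled(ad[name]):
            continue  # not in the AD result set, or enabled in AD
        pam_off = row["pam_disabled"].strip().lower() == "true"
        result["both" if pam_off else "retained"].append(name)
    return {key: sorted(names) for key, names in result.items()}


if __name__ == "__main__":
    print(review_disabled(AD_USERS, PAM_EXPORT))
```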