How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I exclude specific users from syncing during LiveSync in IDM (All versions)?

Last updated Apr 8, 2021

The purpose of this article is to provide information on excluding specific users from syncing during LiveSync in IDM using the accountSynchronizationFilter. You can also include specific users using the accountSynchronizationFilter to ensure you only sync the users you choose. This information applies to syncing between an external system (such as an LDAP server like DS or Active Directory®) and IDM.

Specifying users to sync

You can specify users to sync during LiveSync by defining the accountSynchronizationFilter in your LDAP provisioner config file (for example, provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory. The accountSynchronizationFilter allows you to sync a subset of users by specifying standard LDAP search filters to either include or exclude specific users. Only users matching the accountSynchronizationFilter are synced; by default it is set to null and therefore syncs all users during a LiveSync.

An LDAP search filter consists of one or more criterion which can be joined using AND, OR or NOT operators. Each of these operators is represented by a character, which must be specified before the criteria it applies to; each criterion must be contained within brackets, and the operator and all applicable criteria must also be contained within brackets:

  • AND represented by & - (&(criterion1)(criterion2)) - this operator can be used in a search filter even if there is currently only one criterion.
  • OR represented by | - (|(criterion1)(criterion2))
  • NOT represented by ! - (!(criterion1))

You can combine operators within a single search filter to exactly define your subset of users.


When you are combining operators into a single search filter, you must ensure all opening brackets have corresponding closing brackets for the search filter to work.

Example Search Filters

  • You can exclude a specific user with the following filter:"accountSynchronizationFilter" : "(!(uid=userID))"
  • You can include all users who are a direct member of one of two groups "accountSynchronizationFilter" : "(|(memberOf=cn=internal,ou=employees,ou=north,dc=example,dc=com)(memberOf=cn=internal,ou=employees,ou=south,dc=example,dc=com))"

Example Search Filters for Active Directory only

For syncing between Active Directory and IDM, you can make use of the userAccountControl attribute; this is an Active Directory® attribute that provides information about a user's account status.

  • You can exclude all inactive users (that is, only include active users) with the following filter: "accountSynchronizationFilter" : "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
  • You can include only active users whose organisational unit is customers with the following filter: "accountSynchronizationFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(ou=customers))"

See Also

How do I exclude specific users from syncing during reconciliation in IDM (All versions)?

How do I test LDAP search filters in the Generic LDAP Connector for IDM (All versions)?

Connectors Guide › Controlling What the LDAP Connector Synchronizes

LDAP User Guide › LDAP Search

Active Directory: LDAP Syntax Filters

Related Training

ForgeRock Identity Management Core Concepts (IDM-400)

Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.