Hi
I am getting investigations on a user whos AD account is shown as disabled in IDR but the users account is actually enabled when checking in AD.
At first I thought it was a LDAP log source collection issues which I checked and it is not.
Anything else I can check to see why this is happening?
Hi @antmar904,
I’d recommend you raise a support case so that we can take a closer look at the specific user.
You are right that usually the issue lies with the LDAP event source. As this is the source of truth IDR uses to establish a users account status.
However its possible that IDR is not updating a user record for some unknown reason, we will need to know the user details to troubleshoot further.
David