Applies To:

GroupID 10 – Synchronize

Problem Statement:

We use GroupID Synchronize to provision user accounts in Active Directory from an HR database. We want to automate the process of disabling the accounts of the users who have not changed their account password in the last 180 days.

Methodology:

GroupID provides a pseudo-attribute, Disable Account, whose possible values are True and False. Using a GroupID Synchronize job, we can locate the user accounts in Active Directory whose password has not been changed or reset in the last 180 days (based on the pwdLastSet attribute) and set Disable Account to True for them.

Note:
  • Before making any changes to the current environment, it is recommended to create a backup/snapshot/checkpoint of the GroupID server.
  • We recommend that you first test the method described below on a small scale and, once satisfied with the results, use it to update accounts in bulk.

Steps:

  1. In GroupID Management Console, expand the Synchronize node, right-click All Jobs and select New Job.

  2. On the Job Template page, select the Blank Job option and click Next.

  3. Select Active Directory as the source provider and then select Active Directory as the destination provider. Enter the connection settings and click Next.

  4. On the Sync Object Options page, select the required object type, keep the default settings, and click Next.

  5. On the Select Fields page, select the attribute that will serve as the primary key. In this scenario, I will be using EmployeeID. Also, select Disable Account (pseudo-attribute) and click Next.

  6. On the Field Map(s) page, click Transform for the Disable Account attribute.

  7. On the Transform dialog box, select Script from the Set the destination field drop-down list.

  8. In the VB Script Editor, paste the following script and click the checkmark button to test the script before saving:

    ' Read pwdLastSet, stored as a Windows FILETIME (100-ns intervals since 1601-01-01 UTC)
    Dim sResult As String
    Dim passDate As Long = DTM.Source("pwdLastSet")
    ' Convert to a DateTime and add the 180-day password age limit.
    ' Caveat: a pwdLastSet of 0 (user must change password at next logon) converts
    ' to the year 1601, so such accounts are also marked for disabling by this test.
    Dim passDate1 As DateTime = DateTime.FromFileTime(passDate)
    passDate1 = passDate1.AddDays(180)
    ' If the 180-day window has already passed, set Disable Account to True
    If System.DateTime.Compare(passDate1, System.DateTime.Now) < 0 Then
        sResult = "True"
    Else
        sResult = "False"
    End If
    DTM.Result = sResult

  9. Once the script is tested and saved for the Disable Account attribute, click Next and complete the job wizard.

  10. Preview the job and when you are satisfied with the results, simply run the job.
    On running the job, user accounts whose passwords have not been reset or changed in the last 180 days will get disabled.
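As an independent way to preview which accounts the job would disable before running it, the following PowerShell script is an added example, not part of this article or of GroupID. It assumes the RSAT ActiveDirectory module is installed and applies the same 180-day pwdLastSet test as the transform script, but additionally excludes accounts that are already disabled and accounts with pwdLastSet = 0 (password must be changed at next logon), which the transform script above does not exclude.

```powershell
# Added example (not GroupID code): read-only preview of accounts whose password
# is older than 180 days, mirroring the Disable Account transform script.
# Assumes the RSAT ActiveDirectory module is available on this machine.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 180
# pwdLastSet is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC), so the
# cutoff must be expressed in the same unit for a server-side LDAP filter.
$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays).ToFileTime()

# Filter explained:
#   pwdLastSet<=cutoff               password last set on or before the cutoff
#   !(pwdLastSet=0)                  skip "must change password at next logon"
#   !(userAccountControl bit 2 set)  skip accounts that are already disabled
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(pwdLastSet<=$cutoff)(!(pwdLastSet=0))" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

$candidates = Get-ADUser -LDAPFilter $ldapFilter -Properties pwdLastSet |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'PasswordLastSet'
           Expression = { [DateTime]::FromFileTime($_.pwdLastSet) } },
        @{ Name = 'AgeDays'
           Expression = { [int]((Get-Date) - [DateTime]::FromFileTime($_.pwdLastSet)).TotalDays } }

# Review the list (and keep the export as a change record) before running the job.
$candidates | Sort-Object AgeDays -Descending | Format-Table -AutoSize
$candidates | Export-Csv -Path .\stale-password-accounts.csv -NoTypeInformation
"{0} account(s) would be disabled by the Synchronize job." -f @($candidates).Count
```

Compare the exported list with the job preview from step 10; any account present in one but not the other points at a difference in the filter (for example the pwdLastSet = 0 case) that should be resolved before the job is run.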

Note: In case you run into problems, contact support@imanami.com.

Reference:

  • GroupID Synchronize - User Guide