Hmm.. the only thing I can think of offhand is if the LDAP sync is seeing them as not active in AD and so it is taking action as defined at the bottom of the LDAP setting page:
When LDAP Records Are Removed: Delete Client / Deactivate Client / No Action
Is there anything common about the accounts that are getting disabled - like they are all in an isolated OU in the domain or all are in a certain Location or something like that?
Now, of course, if they are valid AD users AND they are still in the same container that the LDAP record is pointing to, then I'm not sure what might be happening here and a support ticket may be warranted.
I think I remember something like this happening to us, and the fix we put in place was on the AD/LDAP options panel: I chose NO for Sync With Existing WHD Clients Only
I could be mistaken though...
Hope this helps - Erik
As far as we've been able to tell, these users aren't in some weird secluded OU. They're all in a very large OU that makes up the bulk of our regular users.
Currently, we have it set so that when LDAP records are removed, it deactivates the account, but wouldn't that mean if the user was removed entirely and not just marked as locked out in AD?
As for Edwelly's suggestion, this potential fix is not really feasible within our environment since we want their WHD account password to sync up with their current AD password.
Edit: Misread Edwelly's suggestion. We already have our users set up in this way.
We have this too. Of our 2600 active LDAP/AD staff accounts (clients) maybe 4-5 will randomly show (I), but if I manually run another sync during the day, it switches them back to active. I haven't investigated too much on this since it seems pretty random and the next sync at 1am nightly usually resolves it for them.
You can try the following:
1. Re-create your LDAP connection (delete the existing and create a new one)
2. If the issue is consistent on a particular user, you can log in to the webhelpdesk database and run the following query:
Update client set inactive='0' where user_name='<username>';
The workaround will prevent the users from deactivating every time the scheduled LDAP sync runs.
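
A way to check which deactivated clients are actually unexpected before overriding the flag, as an added example that is not part of the thread or of Web Help Desk itself. The AD export format, case-insensitive name matching and `inactive='1'` meaning deactivated are assumptions; only the `client` table's `user_name` and `inactive` columns come from the query above, and all sample data is constructed.

```python
# Added example: triage inactive WHD clients against an AD export.
# Assumptions: AD entries are dicts exported from an LDAP search, and
# any inactive value other than '0' means the client is deactivated.

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts


def classify_inactive_clients(ad_entries, whd_clients):
    """Return {user_name: reason} for every inactive WHD client.

    ad_entries:  dicts with sAMAccountName and userAccountControl
    whd_clients: (user_name, inactive) rows from the WHD client table
    """
    ad_by_name = {e["sAMAccountName"].lower(): e for e in ad_entries}
    report = {}
    for user_name, inactive in whd_clients:
        if str(inactive) == "0":
            continue  # still active in WHD, nothing to explain
        entry = ad_by_name.get(user_name.lower())
        if entry is None:
            # Matches the "LDAP record removed" case: deleted or moved
            # outside the search base the connection points to.
            report[user_name] = "not returned by LDAP search"
        elif int(entry["userAccountControl"]) & ACCOUNTDISABLE:
            report[user_name] = "disabled in AD"
        else:
            report[user_name] = "enabled in AD: unexpected deactivation"
    return report


def unexpected(report):
    """User names that are deactivated in WHD but present and enabled in AD."""
    return sorted(u for u, r in report.items() if r.startswith("enabled in AD"))


# Constructed sample data (not from a real directory or database).
AD_SAMPLE = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512},    # normal, enabled
    {"sAMAccountName": "asmith", "userAccountControl": 514},  # 512 | 2, disabled
    {"sAMAccountName": "BLee", "userAccountControl": 512},
]
WHD_SAMPLE = [("jdoe", "1"), ("asmith", "1"), ("blee", "0"), ("gone", "1")]

if __name__ == "__main__":
    for user, reason in classify_inactive_clients(AD_SAMPLE, WHD_SAMPLE).items():
        print(f"{user}: {reason}")
```

Only the accounts returned by `unexpected()` are candidates for the manual update or a support ticket; the others were deactivated for a reason visible in AD.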