
LDAP Users

The LDAP Users screen is the raw catalog of accounts read from the corporate LDAP / Active Directory directory. One line per directory entry, with the Active Directory attributes side-by-side.

This list is the identity reference against which Nomasx-1 reconciles the user accounts found in each connected application. A user known to the source system but absent from this list lands on Users without AD; a department here drives the Users by applications matrix.


At a glance

Nomasx-1 · Security · LDAP · Users

| SAM ACCOUNT | DISPLAY NAME | DEPARTMENT | UPN | EXPIRES |
|---|---|---|---|---|
| jdoe | John Doe | FIN-AP | jdoe@corp.local | Never |
| msmith | Mary Smith | HR | msmith@corp.local | Never |
| ext.acme01 | External Acme 01 | EXT | ext.acme01@corp.local | 2026-06-30 |
| svc.batch | Batch service account | IT-OPS | svc.batch@corp.local | Never |

1 - 50 of 2 463 directory entries · 14 expiring next 90 days

Goal of the view

The directory pull is the single source of truth for human identity. The screen answers:

  • Does this person exist in the corporate directory? Every account on a connected application that does not show up here is either a technical / batch account, an externally-managed identity (e.g. service account, legacy login) or an outright ghost — the Users without AD screen lists them explicitly.
  • What department do they belong to? The Department attribute drives the Users by applications matrix — it is the lever that maps people to the applications they should have access to.
  • When does the account expire? Contractors usually have an accountExpires date — sorting by this column surfaces who is about to lose AD access (and therefore likely needs to be deprovisioned in every connected application too).
  • What is the corporate communication context? Mail, phone, manager — useful when an audit finding requires reaching the person quickly.

Columns

| Column | Source (AD attribute) | What it tells you |
|---|---|---|
| SAM Account (LDAP_ACCOUNT) | samAccountName | The Windows login name. This is what most source systems use to match a JDE / SAP / etc. account against the AD identity. |
| DN (LDAP_DN) | distinguishedName | Full LDAP path — useful when the directory has nested OUs and the AD admin needs to find the entry. |
| Name (LDAP_NAME) | name | First "name" attribute of the directory entry — typically the legal full name. |
| UPN (LDAP_LOGON) | userPrincipalName | Federation-style login (user@domain). Used by SSO scenarios. |
| Company (LDAP_COMPANY) | company | Legal entity the person belongs to — useful when the AD covers several subsidiaries. |
| City (LDAP_CITY) | l (locality) | Geographic location. |
| Department (LDAP_DEPARTMENT) | department | The grouping key that drives the Users by applications mapping. |
| Description (LDAP_DESCRIPTION) | description | Free text — often carries the HR registration / matricule used to match the AD entry to the source-system account. |
| Display Name (LDAP_DISPLAY_NAME) | displayName | What appears in the AD address book. |
| Mail (LDAP_MAIL) | mail | Email address. |
| Manager (LDAP_MANAGER) | manager | DN of the manager — useful for approval workflows. |
| Office (LDAP_OFFICE) | physicalDeliveryOfficeName | Office location. |
| Telephone (LDAP_TELEPHONE) | telephoneNumber | Office phone. |
| Mobile (LDAP_MOBILE) | mobile | Mobile phone. |
| Title (LDAP_TITLE) | title | Job title. |
| WhenCreated (LDAP_CREATION) | whenCreated | Date the AD entry was provisioned. |
| AccountExpires (LDAP_EXPIRES) | accountExpires | Scheduled expiration date — empty / Never for permanent staff. |
| userAccountControl (LDAP_NEVER_EXPIRES) | userAccountControl flag | Boolean derived flag indicating that the account is set to never expire. |

Hidden columns kept on the row: LDAP_REFRESH (last sync timestamp), LDAP_UKID (technical row id).


Tips & best practices

  • Sort by AccountExpires ascending to surface every contractor about to lose AD access. Cross-check with the Assignments screen — every soon-to-expire account that still holds a role on a source system must be deprovisioned there too.
  • The Description attribute often carries the HR matricule — when present, it makes the join to the source-system Registration field straightforward. Inconsistent values in that field are the typical cause of Users without AD false positives.
  • Look at Title and Department together to spot misconfigurations (e.g. an accountant marked in the IT department) before they impact the Users by applications mapping.
  • The LDAP scan runs on the schedule configured at the connector level. A stale WhenCreated column on every row usually means the LDAP connector hasn't run lately.
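The check from the first tip, as an added example that is not Nomasx-1 code: it reads raw Active Directory accountExpires values (100-nanosecond ticks since 1601-01-01 UTC, where 0 and 0x7FFFFFFFFFFFFFFF both mean "never") and lists accounts that expire within 90 days while still holding a role. The dict and tuple shapes, the role names and the sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # both raw values mean "never expires" in AD


def parse_account_expires(raw):
    """Convert a raw accountExpires value (100 ns ticks since 1601-01-01 UTC)
    to an aware datetime, or None when the account never expires."""
    ticks = int(raw)
    if ticks in NEVER:
        return None
    try:
        return AD_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None  # beyond the datetime range: treat as never


def expiring_with_roles(entries, assignments, now, days=90):
    """Return (sAMAccountName, expiry date, roles) for accounts that expire
    within `days` of `now` (or already expired) and still hold roles."""
    horizon = now + timedelta(days=days)
    held = {}
    for account, role in assignments:
        # Source systems often store the login in another case than AD does.
        held.setdefault(account.lower(), []).append(role)
    findings = []
    for entry in entries:
        expires = parse_account_expires(entry["accountExpires"])
        roles = held.get(entry["sAMAccountName"].lower())
        if expires is not None and expires <= horizon and roles:
            findings.append(
                (entry["sAMAccountName"], expires.date().isoformat(), sorted(roles))
            )
    return sorted(findings, key=lambda f: f[1])  # soonest expiry first


# Constructed sample data (not from a real directory or application).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "accountExpires": "9223372036854775807"},
    {"sAMAccountName": "svc.batch", "accountExpires": "0"},
    {"sAMAccountName": "ext.acme01", "accountExpires": "134272512000000000"},
]
SAMPLE_ASSIGNMENTS = [("JDOE", "AP_CLERK"), ("EXT.ACME01", "AP_INQUIRY")]

if __name__ == "__main__":
    now = datetime(2026, 5, 1, tzinfo=timezone.utc)
    for row in expiring_with_roles(SAMPLE_ENTRIES, SAMPLE_ASSIGNMENTS, now):
        print(row)
```

Accounts whose expiry has already passed are reported as well, since a role that outlives the directory account is the case the tip asks to deprovision.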