
Users that are inactive in Active Directory are showing as Active in Password Safe; I don't know how that's possible!!

If users are disabled in AD, Password Safe won't be aware of these changes unless the group containing the AD users is synchronized.


If you are using a directory query (memberof=CN=...), use advanced LDAP syntax to not include accounts that are disabled.


If users are disabled in AD, Password Safe won't be aware of these changes unless the group containing the AD users is synchronized.

If we've onboarded AD users individually from User Management and created groups locally in Password Safe to assign them, group synchronization won’t work as expected, right? Is there another configuration we can apply, or is it mandatory to onboard AD users along with their AD groups to ensure the correct user status is reflected?


If users are disabled in AD, Password Safe won't be aware of these changes unless the group containing the AD users is synchronized.

Automatic Sync is already enabled, but we are still getting around 100 users which are disabled in Active Directory and still showing inactive in PasswordSafe.


@Chitta2019 - 

If users are disabled in AD, Password Safe won't be aware of these changes unless the group containing the AD users is synchronized.

Automatic Sync is already enabled, but we are still getting around 100 users which are disabled in Active Directory and still showing inactive in PasswordSafe.


Am I correct in my interpretation that inactive is a typo and the issue is that the accounts are still showing as active, based upon your previous description, rather than disabled/inactive as you expect based upon the AD state?

How large/complex is your domain? Is it possible that domain replication may not have completed for the accounts which are disabled, and PWS is interacting with a domain controller which has not yet completed replication?

Is the Automatic Sync option enabled both on the group and the RBAC > Active Directory Group Synchronization setting - and what frequency is it set to, is it the Global option of once per day or more frequently on the group?

If you are certain replication has occurred, have you forced a sync for that specific group manually to see if that produces a different result?


@Chitta2019

If you are referring to the users in Configuration > (Role Based Access) User Management > Users: once a user is onboarded, either manually or by means of an Active Directory/local group, you can only remove users from here if they have not used PWS. That is because an audit trail exists and cannot be deleted. They will have the following icons in the Status column for their entry:

Active - circle with a check

Inactive - Circle with a Minus

Expired - Alarm Clock

Quarantined - Radioactive symbol

Disabled - Circle with a Minus

Inactive and Disabled both have the same icon; if you hover over the icons with your mouse you will see, as in the example below, which one it is.

 

That is how you can tell, or you can filter by status, but you may get multiple icons in that column.

Now, if you want to delete those that are expired/disabled/inactive, choose one from the drop-down for the STATUS filter; I would choose Disabled. You should see multiple icons in the Status column. Check the account you wish to delete (you must delete them one at a time), then click the ellipsis (three vertical dots) on the right and choose Delete User. You will be asked if you are sure you want to delete that user; select Delete.

Now if you get an error then the user has events in the database and cannot be deleted. So you can only remove users from here if they have not used PWS. That is because an audit trail exists and cannot be deleted.


If you are using a directory query (memberof=CN=...), use advanced LDAP syntax to not include accounts that are disabled.

Please see the KB where the details are available to exclude disabled users in the LDAP query.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017386
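As an added example (not from the thread or the linked KB), the LDAP filter pattern usually meant by "advanced LDAP syntax" for excluding disabled accounts from a memberOf directory query, with the same userAccountControl bit test applied locally to constructed sample entries. The group DN and the entries are hypothetical; the OID and the ACCOUNTDISABLE bit are standard Active Directory values.

```python
# Added example: exclude disabled AD accounts from a memberOf directory query.
# The OID and bit value below are standard AD constants, not values from the thread.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x0002  # bit set in userAccountControl when the account is disabled


def build_filter(group_dn: str) -> str:
    """Return an LDAP filter matching enabled users that are members of group_dn.

    (!(userAccountControl:<bit-and rule>:=2)) keeps only entries whose
    ACCOUNTDISABLE bit is clear; a plain memberOf filter returns disabled members too.
    """
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(memberOf={group_dn})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))"
    )


def is_disabled(user_account_control: int) -> bool:
    """The same test the bitwise filter performs, applied to one attribute value."""
    return bool(user_account_control & ACCOUNTDISABLE)


def enabled_members(entries, group_dn: str):
    """Apply both filter conditions to already-fetched entries (e.g. a sync export)."""
    return sorted(
        e["sAMAccountName"]
        for e in entries
        if group_dn in e.get("memberOf", []) and not is_disabled(e["userAccountControl"])
    )


# Constructed sample data. userAccountControl values: 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, 66050 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE.
SAMPLE_GROUP = "CN=PWS-Users,OU=Groups,DC=example,DC=local"  # hypothetical group DN
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "memberOf": [SAMPLE_GROUP]},
    {"sAMAccountName": "bob", "userAccountControl": 514, "memberOf": [SAMPLE_GROUP]},
    {"sAMAccountName": "carol", "userAccountControl": 66050, "memberOf": [SAMPLE_GROUP]},
    {"sAMAccountName": "dave", "userAccountControl": 512, "memberOf": []},
]

if __name__ == "__main__":
    print(build_filter(SAMPLE_GROUP))
    print(enabled_members(SAMPLE_ENTRIES, SAMPLE_GROUP))  # ['alice']
```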


If users are disabled in AD, Password Safe won't be aware of these changes unless the group containing the AD users is synchronized.

You can set a sync schedule for the user group by editing the group and setting it to sync on a schedule; I do a custom one and set it to recurring, with the frequency set to hourly, every 1 hour.


If you are using a directory query (memberof=CN=...), use advanced LDAP syntax to not include accounts that are disabled.

Please see the KB where the details are available to exclude disabled users in the LDAP query.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017386

Charles, I think he is referring to the User Management users. If so, as you know, there is no directory query to run here. @Chitta2019, can you please clarify where you are seeing this? Is it in Managed Users or in User Management? Thanks. Frank


If you are using a directory query (memberof=CN=...), use advanced LDAP syntax to not include accounts that are disabled.

Please see the KB where the details are available to exclude disabled users in the LDAP query.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017386

Charles, I think he is referring to the User Management users. If so, as you know, there is no directory query to run here. @Chitta2019, can you please clarify where you are seeing this? Is it in Managed Users or in User Management? Thanks. Frank

Yes, @frank.colvin, you are right. I am getting this in User Management. Your answer was accurate and it solved my queries. Thanks for your answer.

New users in AD group not appearing or users not appearing correctly in web console User Management groups - How to sync users in groups

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017083