This document explains how to hide users when you do not want them to appear in the corporate directory. These users can be CTI users, Attendant Console, Cisco Emergency Responder, Cisco Conference Connection, and so forth. The CCMSysUser, CCMAdministrator, and PMASysUser users are already hidden by default.
Cisco recommends that you have knowledge of these topics:
Cisco CallManager Administration.
The information in this document is based on Cisco CallManager 4.x and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Note: After you run the script, the user is hidden in the corporate directory and the CCMadmin user page. See the Unhide User section of this document in order to add the user back.
Complete these steps in order to hide users in DC Directory:
Open Notepad on the publisher server.
Cut and paste these four lines and save the file as a text file on the C: drive as hideuser.ldif.
Note: The spaces must appear as this output shows. Ensure that there are no extra spaces in the LDIF file. Otherwise, the script fails when you run it.
dn: cn=[userid], ou=users, o=cisco.com
changeType:modify
replace:Description
Description:CiscoPrivateUser
Set the [userid] to be the user you want to hide. For example:
dn: cn=ctiuser, ou=users, o=cisco.com
changeType:modify
replace:Description
Description:CiscoPrivateUser
Choose Start > Run > cmd in order to open a command prompt on the publisher server, and run this script in order to set the description field in DC Directory:
ldapmodify -h <server name> -p 8404 -D "cn=Directory Manager,o=cisco.com" -w <DCDAdmin Password> -c -f hideuser.ldif.txt
This output shows a successful run:
C:\>ldapmodify -h CallManagerPub -p 8404 -D "cn=Directory Manager, o=cisco.com" -w Cisco -c -f hideuser.ldif.txt
modifying entry cn=ctiuser, ou=users, o=cisco.com
Use Microsoft Active Directory Service Interfaces (ADSIEdit), available as a part of the Windows 2000 Support Tools, or any other LDAP tool, in order to update the Description field. Add the string CiscoPrivateUser to the Description field of the user. If the tool is not available, use this output:
dn: cn=[userid], CN=users, dc=[domain], dc=com
changeType: modify
replace: Description
Description: CiscoPrivateUser
Save this file on the Active Directory server as hideuser.ldif. Then execute ldifde -I -f hideuser.ldif on the Active Directory server.
Copy these five lines into a text file (note the '-' after the first four lines; in Active Directory 2003, this is required and has changed from Active Directory 2002). Replace [userid] with the userid of the user that you need to hide. Replace [domain] with your domain. Save this file on the Active Directory server as hideuser.ldif.
dn: cn=[userid], CN=users, dc=[domain], dc=com
changeType: modify
replace: Description
Description: CiscoPrivateUser
-
Execute ldifde -i -f hideuser.ldif on the Active Directory server.
Hide users in DC Directory and Active Directory when synchronizing with Cisco Unified Call Manager 5.x and later
Because the LDAP integration architecture changed significantly between Cisco CallManager 4.x and Cisco CallManager 5.x, complete these steps in order to hide a user in Cisco CallManager 5.x.
Note: In Cisco Unified Communications Manager 5.x and later, you cannot set the Description to CiscoPrivateUser in order to hide the users. It is not supported.
If your Cisco Unified Communication Manager is Linux based, use these workarounds:
Application users do not appear in the corporate directory on the IP phones. So, for users that you do not want to show up in the corporate directory, make them application users. After this, you can delete them from Active Directory or DC Directory, if you upgrade to a Linux based Cisco Unified Communication Manager from Cisco CallManager 4.x.
If you do not want to delete users in the Active Directory or DC Directory, you can also associate the users you want to hide with a different Organizational Unit so that Cisco Unified Communication Manager does not have to deal with them. Then, create new supplementary application users.
Refer to Configuring an Application User for more information.
If your Cisco Unified Communication Manager is Windows based, use these workarounds:
Cisco Unified Communication Manager does not sync users without the LastName attribute in the Active Directory or DC Directory. So you can remove the last name of the user that you want to hide from the Active Directory or DC Directory.
You can configure access control lists on the Active Directory side in order to prevent the distinguished name from appearing in the corporate directory.
You can add a special character, such as "[", to the First name or Last name attribute, and re-sync the LDAP. Those users will not appear in the corporate directory.
In order to unhide the user, the Description field must be changed to something other than CiscoPrivateUser. The procedure to change it is similar to the one you use to hide the user:
dn: cn=[user], ou=users, o=cisco.com
changeType:modify
replace:Description
Description: PublicUser

dn: cn=[userid], CN=users, dc=[domain], dc=com
changeType: modify
replace: Description
Description: PublicUser
Then, re-run the original script.
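The hide and unhide records above can be generated and checked before they are passed to ldapmodify or ldifde. The following Python sketch is an added example, not part of the original Cisco procedure. The layout labels, the function names and the character whitelist for user IDs are assumptions made for illustration. The whitelist rejects spaces, commas and line breaks so that a user ID cannot alter the DN or add lines to the record. Spacing after the colon follows the hide records on this page.

```python
import re

# Record layouts taken from the page; the dictionary keys are labels chosen for this example.
# Each entry: (DN template, "key/value" spacing, whether a closing "-" line is needed).
LAYOUTS = {
    "dcd":    ("cn={uid}, ou=users, o=cisco.com", "{k}:{v}", False),
    "ad":     ("cn={uid}, CN=users, dc={domain}, dc=com", "{k}: {v}", False),
    "ad2003": ("cn={uid}, CN=users, dc={domain}, dc=com", "{k}: {v}", True),
}
# Assumption: user IDs and domain labels contain only these characters.
SAFE = re.compile(r"[A-Za-z0-9._-]+")

def build(uid, layout="dcd", hide=True, domain=None):
    """Return the LDIF text that hides (or unhides) one user."""
    dn_tpl, kv, dash = LAYOUTS[layout]
    for name, val in (("uid", uid), ("domain", domain)):
        needed = "{%s}" % name in dn_tpl
        if needed and not (val and SAFE.fullmatch(val)):
            raise ValueError(f"unsafe or missing {name}: {val!r}")
    value = "CiscoPrivateUser" if hide else "PublicUser"
    lines = ["dn: " + dn_tpl.format(uid=uid, domain=domain),
             kv.format(k="changeType", v="modify"),
             kv.format(k="replace", v="Description"),
             kv.format(k="Description", v=value)]
    if dash:
        lines.append("-")
    return "\n".join(lines) + "\n"

def lint(text):
    """Return the whitespace problems the page warns about, one string per finding."""
    problems = []
    lines = text.splitlines()          # handles both \n and Notepad's \r\n
    for n, line in enumerate(lines, 1):
        if line == "":
            problems.append(f"line {n}: blank line splits the record")
        elif line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace")
        if line[:1] in (" ", "\t"):
            problems.append(f"line {n}: leading whitespace")
    if not lines or not lines[0].startswith("dn:"):
        problems.append("record does not start with dn:")
    return problems

if __name__ == "__main__":
    record = build("ctiuser")          # the page's own example user
    print(record, end="")
    print(lint(record) or "no whitespace problems")
```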