A rule like this is created.
When an NSX Manager is configured to integrate with an Active Directory domain, NSX pulls in user and group information to keep a local, secure copy for quick lookups and validation. For many of our customers, once an AD account is created it is never removed, even after the person leaves the organization; the account is simply disabled. AD sets a flag on the account to indicate that it is disabled, which for our use cases means it can no longer be a valid account to log in with. In the past we would have kept that account in our local copy even though it would never be used. That consumes resources, and if a customer has thousands or tens of thousands of disabled users, it can have a negative impact on scalability.
To address this, we added the ability for the IDFW to ignore disabled users, and the good news is that enabling it is just a selection in the configuration. Piece of cake! See below, where this feature is shown disabled.
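To make the "AD flag" concrete, here is an added example, not NSX code, of how a directory sync can drop disabled accounts from its local cache before building group membership for firewall rules. It assumes user records arrive as dictionaries resembling LDAP attributes; the disabled state is read from AD's real `userAccountControl` attribute, where bit `0x2` (`ACCOUNTDISABLE`) is set on a disabled account. The sample accounts are constructed.

```python
"""Constructed example: filter disabled Active Directory accounts out of a
local user/group cache the way an identity-based firewall sync might.
Not NSX's own code; records and names are made up for illustration."""

# Bit AD sets in userAccountControl when an account is disabled (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x0002

FINANCE = "CN=Finance,OU=Groups,DC=example,DC=com"
HR = "CN=HR,OU=Groups,DC=example,DC=com"

# Constructed sample directory export (values chosen to exercise the flag).
# 512   = NORMAL_ACCOUNT, enabled
# 514   = 512 | 0x2, disabled
# 66048 = 512 | 0x10000 (DONT_EXPIRE_PASSWORD), still enabled
# 66050 = 66048 | 0x2, disabled
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "memberOf": [FINANCE]},
    {"sAMAccountName": "bob", "userAccountControl": 514, "memberOf": [FINANCE]},
    {"sAMAccountName": "carol", "userAccountControl": 66048, "memberOf": [HR]},
    {"sAMAccountName": "dave", "userAccountControl": 66050, "memberOf": []},
]


def is_disabled(user):
    """True if the ACCOUNTDISABLE bit is set; other bits (e.g. password never
    expires) must not be mistaken for a disabled account."""
    return bool(int(user.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def build_cache(users, ignore_disabled=True):
    """Return {sAMAccountName: [group DNs]} for the accounts worth caching.
    With ignore_disabled=True, disabled accounts are skipped entirely, which is
    what keeps the local copy small when most of the directory is dead weight."""
    cache = {}
    for user in users:
        if ignore_disabled and is_disabled(user):
            continue
        cache[user["sAMAccountName"]] = list(user.get("memberOf", []))
    return cache


def group_members(cache, group_dn):
    """Resolve a group DN to the cached accounts that belong to it."""
    return sorted(name for name, groups in cache.items() if group_dn in groups)


if __name__ == "__main__":
    full = build_cache(SAMPLE_USERS, ignore_disabled=False)
    trimmed = build_cache(SAMPLE_USERS)
    print(f"cached without filter: {len(full)}, with filter: {len(trimmed)}")
    print("Finance members used for rules:", group_members(trimmed, FINANCE))
```

The `is_disabled` check masks a single bit rather than comparing the whole attribute, because `userAccountControl` is a bitfield and enabled accounts routinely carry other bits (password never expires, smart card required, and so on).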
So how do you enable it? Simply click on the pencil icon and you'll see this.
On a side note, event log access is no longer required, and you can now skip that step via this new screen.
If you are considering NSX in an EUC environment, then this design guide is for you, fresh off the press as of June 22, 2016.
NSX EUC Design Guide