Deactivate user when not found on the LDAP import

Mark_Bailey
Mega Guru

Greetings

Our LDAP management seems to be a lot different than most companies. The out of box deactivation script is looking for the users to go into a specific OU or have a specific field marked. I need a much simpler script. IF a user is not found on the AD import and already exists as active on ServiceNow AND was initially imported via LDAP (User Source is not blank), then deactivate.

I am hoping someone might have something very similar I can do some minor adjusting to.

Out of Box onBefore deactivation script, not being used (part of the LDAP import):

// Transform map onBefore script shipped with the LDAP import (quoted as posted).
// source, target, action and ignore are the globals the transform script engine provides.
var ctrl = parseInt(source.u_useraccountcontrol, 10); // AD userAccountControl, delivered as a decimal string
ctrl = ctrl.toString(16);                               // render as hex so each flag bit lines up with a digit

//The relevant digit is the final one
//A final hex digit value of '2' in 'ctrl' means disabled (ACCOUNTDISABLE = 0x0002)
//Note: this only matches when no other low bit (0x1 SCRIPT, 0x8 HOMEDIR_REQUIRED) is set;
//a disabled account with one of those bits set ends in '3' or 'a' and is not caught here.
if (ctrl.substr(-1) == "2") {
    target.active = false;
    target.locked_out = true;
    if (action == 'insert')
        ignore = true; // do not create a sys_user record for an account that is already disabled in AD
} else {
    //Optional: Reactivate and unlock the user account
    //target.active = true;
    //target.locked_out = ctrl.substr(-2, 1) == "1"; // 0x0010 LOCKOUT sits in the second-to-last digit
}


justin_drysdale
Mega Guru

I am not sure you can do this using an onBefore. The reason being that you can't really know who is not found on the AD import without some heavy lifting (scripting). You can perform script actions on what you find from AD, but not on what you DON'T find. First you would have to cross check the values in your user import table with the active users on sys_user. Once you find the active users on sys_user that aren't part of the AD import (and have a User Source value) then you can deactivate/lockout. I don't consider these actions as part of a simple script. Of course I could be wrong and someone will come along with a better answer.

I would consider a business rule for this instead of an onBefore.


Thanks for commenting. As soon as I hit post, I asked myself why I wrote "simple".

Every time I think something will be simple, I can't find a solution.

A business script would not bother me at all. I really don't care how it is done.

But in a business script I still have the same dilemma, which is I hope to borrow someone else's script to adjust a little. I don't know where to begin from scratch with this, and it seems I am the only one looking for this.


danielbilling
Kilo Guru

I'm doing a similar thing with a CMDB import.

Discovery (3rd party) finds network relations as well as relations to processes. The not so fun part is that it will not report on "deleted" relations. So we created a scheduled job that inactivates relations that have been created via the import but not updated within a certain number of days.


I think there is a real opportunity here for SN wizards in ITIL and Discovery to blog about best practices for life cycle of data. A significant part of our effort in rolling out SN CMDB, Service Request, and Asset apps has been figuring out existing function and aligning default ServiceNow data models with our on-boarding and off-boarding of people, equipment, and infrastructure.