Deactivate user when not found on the LDAP import

02-04-2014 03:23 PM
Greetings
Our LDAP management seems to be a lot different than most companies. The out of box deactivation script is looking for the users to go into a specific OU or have a specific field marked. I need a much simpler script. IF a user is not found on the AD import and already exists as active on ServiceNow AND was initially imported via LDAP (User Source is not blank), then deactivate.
I am hoping someone might have something very similar I can do some minor adjusting to.
Out of Box on before deactivated script not being used (Part of the LDAP import)
var ctrl = parseInt(source.u_useraccountcontrol, 10);
ctrl = ctrl.toString(16);
//The relevant digit is the final one
//A final hex digit value of '2' in 'ctrl' means disabled
if (ctrl.substr(-1) == "2") {
    target.active = false;
    target.locked_out = true;
    if (action == 'insert')
        ignore = true;
} else {
    //Optional: Reactivate and unlock the user account
    //target.active = true;
    //target.locked_out = ctrl.substr(-2, 1) == "1";
}

02-05-2014 07:20 AM
Thanks again for the feedback. I think a scheduled job to run in the middle of the night is the way I will try and tackle this. Not sure exactly how that code might look at this time, but I'll figure it out eventually.
02-05-2014 07:59 AM
We do something similar for our user records. However, we do not import them via LDAP but the principles would be the same.
We query the latest import set which contains all the user records. Then run this against your user records and deactivate those which were not found.

02-05-2014 10:39 AM
Good suggestion, thank you Eican.
Do you mind posting your script I could start with?
02-05-2014 12:19 PM
Well, I can't post the whole script here — that would be an IP issue.
However I can give you a quick walk through:
First of all we need to define the environment and make us aware of some facts:
1) Which records are we looking at?
As we are running an import all users which are supposed to be active are so afterwards. We are targeting those records which need to be deactivated.
2) When do we run the script?
Best is to do after an import — a separate scheduled job is possible but has the disadvantage that we can no longer dynamically access the data_source variable.
https://wiki.servicenow.com/index.php?title=Scheduling_Data_Imports#Scripting_Options
3) How can the records be identified?
You need to know the coalescence field of the imported data and your internal data (e.g. email address or user ID) => unique ID
In our case we start the clean-up process with a "post-import script" within the scheduled data import. This will set up the environment as described above.
Next are the steps which are performed by the script:
1) get data source which was used by the current scheduled data import
2) get sys_id of latest import set record for the data source
3) query latest data import of the data source using the retrieved import set ID
4) generate an array containing all unique IDs of the imported data
5) generate an array which contains all unique IDs of the to-be-cleaned target table records
6) run targetTable array against impSetTable array and remove entries which were found (array.splice(i,1)) - removed entries are not required
7) run targetTable array against target table and deactivate all remaining records
Hope this helps to get you started.
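
The comparison in steps 4 to 7 above, sketched as an added example (not the poster's script and not ServiceNow's own code), in plain JavaScript so it runs outside an instance. It uses a Set lookup instead of the array.splice pass from step 6, and adds two safeguards the thread does not mention: it aborts on an empty import set and when more than a hypothetical `maxRatio` of LDAP-sourced users would be deactivated. Assumptions: `user_name` is the coalesce field, `source` holds the User Source value, and in the instance the two inputs would come from GlideRecord queries on the latest import set and on the user table.

```javascript
// Added example. normalizeId, planDeactivations and maxRatio are hypothetical names.
function normalizeId(id) {
  // AD and ServiceNow may differ in case or padding for the same account.
  return String(id || '').trim().toLowerCase();
}

// importedIds: unique IDs from the latest import set (steps 1-4).
// users: records of the target table (step 5).
// Returns the user_name values that should be deactivated (steps 6-7).
function planDeactivations(importedIds, users, maxRatio) {
  const seen = new Set(importedIds.map(normalizeId).filter(Boolean));
  // An empty import set means the import failed, not that everyone left.
  if (seen.size === 0) {
    return { abort: true, reason: 'empty import set', ids: [] };
  }
  // Only active users that were originally imported via LDAP
  // (User Source is not blank), as the original question requires.
  const candidates = users.filter(
    (u) => u.active && String(u.source || '').trim() !== ''
  );
  const missing = candidates.filter((u) => !seen.has(normalizeId(u.user_name)));
  // A truncated import would otherwise lock out most of the company.
  if (candidates.length > 0 && missing.length / candidates.length > maxRatio) {
    return { abort: true, reason: 'missing ratio above threshold', ids: [] };
  }
  return { abort: false, reason: '', ids: missing.map((u) => u.user_name) };
}

// Constructed sample data, not taken from any real directory.
const sampleUsers = [
  { user_name: 'alice', source: 'ldap:CN=Alice,OU=Staff,DC=example,DC=com', active: true },
  { user_name: 'bob', source: 'ldap:CN=Bob,OU=Staff,DC=example,DC=com', active: true },
  { user_name: 'carol', source: 'ldap:CN=Carol,OU=Staff,DC=example,DC=com', active: true },
  { user_name: 'dave', source: 'ldap:CN=Dave,OU=Staff,DC=example,DC=com', active: true },
  { user_name: 'local.admin', source: '', active: true }, // created by hand: never touched
  { user_name: 'erin', source: 'ldap:CN=Erin,OU=Staff,DC=example,DC=com', active: false },
];
const sampleImport = ['Alice', 'BOB ', 'carol']; // dave is no longer in AD

const plan = planDeactivations(sampleImport, sampleUsers, 0.5);
console.log(plan);
```

When `abort` is true, the job should log the reason and leave all user records unchanged until the import has been checked.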

02-05-2014 12:28 PM
Thank you Eican,
You gave me enough to help me in the right direction. I appreciate it.
Like I said earlier, using the word easy was a big mistake.