Deactivate user when not found on the LDAP import

02-04-2014 03:23 PM
Greetings
Our LDAP management seems to be a lot different than most companies'. The out-of-box deactivation script is looking for the users to go into a specific OU or have a specific field marked. I need a much simpler script. IF a user is not found on the AD import and already exists as active in ServiceNow AND was initially imported via LDAP (User Source is not blank), then deactivate.
I am hoping someone might have something very similar I can do some minor adjusting to.
Out-of-box onBefore deactivation script, not being used (part of the LDAP import):
```javascript
// userAccountControl arrives as a decimal string; convert it to hex
var ctrl = parseInt(source.u_useraccountcontrol, 10);
ctrl = ctrl.toString(16);
//The relevant digit is the final one
//A final hex digit value of '2' in 'ctrl' means disabled (ACCOUNTDISABLE bit)
if (ctrl.substr(-1) == "2") {
    target.active = false;
    target.locked_out = true;
    // Do not create a new record for an account that is already disabled in AD
    if (action == 'insert')
        ignore = true;
} else {
    //Optional: Reactivate and unlock the user account
    //target.active = true;
    //target.locked_out = ctrl.substr(-2, 1) == "1";
}
```
01-21-2016 02:42 PM
When you say "All users", do you mean all 11,995 from the sysuser_arr?
Is the for loop you posted an exact copy/paste from your code? Because the logic as you posted should only try to disable those items found in inactive_arr. In your example, it should only disable 2,494 user accounts.
Michael
01-22-2016 07:14 AM
Yeah, all active users - weird I know. When I replaced the user variable with inacuser it all worked as expected:
```javascript
// For each user in the inactive_arr array, inactivate their ServiceNow user account (active=false)
for (var i = 0; i < inactive_arr.length; i++) {
    // Declare a fresh GlideRecord per iteration instead of reusing the import's user variable
    var inacuser = new GlideRecord('sys_user');
    if (inacuser.get(inactive_arr[i])) {
        //inacuser.active = false;
        //inacuser.u_comments = 'Deactivated during LDAP update ' + importSet + '. User not found in AD.';
        //inacuser.update();
        gs.log('Disabled user: ' + inacuser.getDisplayValue() + ", " + inacuser.location.getDisplayValue() + ". User not found in AD.");
    }
}
```
Thanks for the code, it works as expected; now I need to make sure I only run this transform when I load ALL users and not just a subset.
Cheers!
01-22-2016 07:45 AM
Declaring a new variable for the user object during the deactivation loop is probably good practice anyway.

11-07-2016 09:09 AM
Two things I would add to this.
1) I would not loop through all users in the database. You most likely have some users that are manually created (e.g. admin users, technical users for interfaces etc.). I would 'mark' all users during import by using either the source field or creating a new field. The transform map can simply put a static value in it (e.g. "imported from XYZ"). Then the query for existing users can use this information to only work on imported records.
2) I would put some threshold on the number of records to be deactivated. Assume your source system has an issue one day; it would deactivate all users in one shot. Could have some serious impact... (and yes, I have been down that road before....)

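The reconciliation this thread converges on (deactivate active, LDAP-sourced users that a full load did not return, gated by the threshold and "only on a full load" safeguards from the replies), as an added example that is not code from the thread or from ServiceNow. It is plain JavaScript over constructed in-memory arrays standing in for the GlideRecord queries; the `source`, `active` and `sys_id` names follow sys_user, while the sample rows and the `fullLoad`/`maxFraction` options are assumptions.

```javascript
// Added example, not from the thread: a pure-JS model of "deactivate what
// the full LDAP load did not return". In ServiceNow the two arrays below
// would come from GlideRecord queries; here they are constructed data.

// Constructed sys_user rows: an empty source means a manually created account.
const SAMPLE_USERS = [
  { sys_id: 'u1', user_name: 'alice', active: true,  source: 'ldap:corp' },
  { sys_id: 'u2', user_name: 'bob',   active: true,  source: 'ldap:corp' },
  { sys_id: 'u3', user_name: 'admin', active: true,  source: '' },
  { sys_id: 'u4', user_name: 'carol', active: false, source: 'ldap:corp' },
  { sys_id: 'u5', user_name: 'dave',  active: true,  source: 'ldap:corp' },
];
// Constructed: sys_ids the current import touched (alice was not returned).
const SAMPLE_IMPORTED_IDS = ['u2', 'u5'];

// Candidates = active, LDAP-sourced (source set), and absent from this import.
function findDeactivationCandidates(users, importedIds) {
  const seen = new Set(importedIds);
  return users
    .filter(u => u.active && u.source !== '' && !seen.has(u.sys_id))
    .map(u => u.sys_id);
}

// Gate the run: refuse on a partial import (fullLoad false) and when the
// share of LDAP-sourced users about to be deactivated exceeds maxFraction,
// so a broken feed cannot disable everyone in one shot.
function planDeactivation(users, importedIds, opts) {
  const candidates = findDeactivationCandidates(users, importedIds);
  const ldapActive = users.filter(u => u.active && u.source !== '').length;
  if (!opts.fullLoad) {
    return { proceed: false, reason: 'partial import, skipping', candidates };
  }
  if (ldapActive > 0 && candidates.length / ldapActive > opts.maxFraction) {
    return { proceed: false, reason: 'threshold exceeded, check source', candidates };
  }
  return { proceed: true, reason: 'ok', candidates };
}

// Apply an approved plan in place; returns how many accounts were flipped.
function applyDeactivation(users, plan) {
  if (!plan.proceed) return 0;
  const ids = new Set(plan.candidates);
  let n = 0;
  for (const u of users) {
    if (ids.has(u.sys_id)) { u.active = false; n++; }
  }
  return n;
}
```

With the constructed data only alice is a candidate; a partial load or an empty import (every LDAP user missing) leaves the plan refused, and the logged reason is what you would want an operator to see before anyone is disabled.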
01-21-2016 04:00 PM
Hi Mark Bailey,
I have one question: AD-inactive users are active in ServiceNow, right?
An AD-inactive user is active in ServiceNow; the ServiceNow user ID looks like x_user_id is active = true and user_id active = false, right?