07-29-2019 01:42 PM
Currently importing users from AD using LDAP queries. This has been working great until we noticed a number of users we knew were gone from the company still had active accounts in ServiceNow. For a user to get a ServiceNow account they have to of course be in AD, but also part of a special group. If a user is disabled in AD, the normal LDAP process will disable the user. But, what we found out is when a user is disabled, the Account Mgmt people are also removing them from the special group. So, my initial LDAP query doesn't even look at them anymore to know they were disabled.
So, I set up a separate LDAP definition to query AD for only disabled accounts. I then process the import table, check each user imported against my user table and if they exist, set active to false. Saw a number of posts that said all I had to do was add this to the Import script:
    target.active = false;
Well, it didn't set the active field to false and after running numerous tests, I found thousands of empty user records had been added to my user table. Got it to work by creating an onBefore script that would not only query the user table, but set the record it found to active=false and then follow that up with an update(). I also would set the ignore variable to true. Didn't think this was the best practice to do this, but I could never get the target.active to work without it inserting an empty record.
There's got to be a better way to do this, but from what I've read:
- onBefore: executes at the start of a row transformation and before the row is transformed into the target row
So the onBefore won't work without the update statement because it's not been transformed into the target yet.
This is what I have that works:
    //Deactivate LDAP-disabled users during transform based on 'userAccountControl' attribute.
    //This transform script is inactive by default
    //
    //NOTE: User records must be visible based on the OU filter in order to be disabled
    //Ignore every row: this script only updates existing sys_user records and never lets
    //the transform insert or update a target row itself
    ignore = true;
    //gs.log('Processing: ' + source.u_userprincipalname);
    //gs.log('Action => ' + action);
    var user = new GlideRecord('sys_user');
    user.addQuery('user_name', source.u_userprincipalname);
    user.query();
    if (user.next()) {
        //userAccountControl arrives as a decimal string; test the ACCOUNTDISABLE bit (0x0002)
        //instead of the last hex digit, which misses values such as 0x203 (disabled + SCRIPT)
        var ctrl = parseInt(source.u_useraccountcontrol, 10);
        if (!isNaN(ctrl) && (ctrl & 0x2) === 0x2) {
            gs.log('userAccountControl = 0x' + ctrl.toString(16) + ' (disabled) for: ' + source.u_userprincipalname);
            //target.active = false;
            //target.locked_out = true;
            user.active = false;
            user.locked_out = true;
            user.update();
        }
    }
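As an added example (not code from the thread or from ServiceNow), here is the userAccountControl decoding the script above depends on, done with the flag bits Microsoft documents for the attribute instead of the last hex digit. The sample values are constructed; the 515 case (0x203, disabled plus SCRIPT) is one that a last-hex-digit test reports as enabled.

```javascript
// Added example, not from the thread: decode AD's userAccountControl with bit
// masks instead of inspecting the last hex digit. Flag values are the ones
// Microsoft documents for the attribute (a subset).
var UAC_FLAGS = {
  SCRIPT: 0x0001,
  ACCOUNTDISABLE: 0x0002,
  HOMEDIR_REQUIRED: 0x0008,
  LOCKOUT: 0x0010,
  PASSWD_NOTREQD: 0x0020,
  PASSWD_CANT_CHANGE: 0x0040,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
  SMARTCARD_REQUIRED: 0x40000,
  TRUSTED_FOR_DELEGATION: 0x80000,
  NOT_DELEGATED: 0x100000,
  DONT_REQ_PREAUTH: 0x400000,
  PASSWORD_EXPIRED: 0x800000
};

// LDAP hands the attribute over as a decimal string (e.g. "514"). Returns null
// for anything unparsable so a bad row is treated as "unknown", never "enabled".
function parseUserAccountControl(raw) {
  var n = parseInt(String(raw).trim(), 10);
  if (isNaN(n) || n < 0) {
    return null;
  }
  var flags = [];
  for (var name in UAC_FLAGS) {
    if ((n & UAC_FLAGS[name]) !== 0) {
      flags.push(name);
    }
  }
  return {
    value: n,
    hex: '0x' + n.toString(16),
    flags: flags,
    disabled: (n & UAC_FLAGS.ACCOUNTDISABLE) !== 0,
    // What the last-hex-digit test in the thread's script would conclude.
    lastHexDigitTest: n.toString(16).substr(-1) === '2'
  };
}

// What an onBefore transform script should do with one import row:
// 'deactivate' when AD says disabled, 'leave' when enabled, 'skip' when the
// value cannot be trusted, so a malformed row never changes anyone's state.
function transformAction(rawUac) {
  var uac = parseUserAccountControl(rawUac);
  if (uac === null) {
    return 'skip';
  }
  return uac.disabled ? 'deactivate' : 'leave';
}

// Constructed sample values (decimal, as an LDAP import would supply them).
var SAMPLE_UAC = {
  enabled: '512',            // NORMAL_ACCOUNT                           (0x200)
  disabled: '514',           // NORMAL_ACCOUNT | ACCOUNTDISABLE          (0x202)
  disabledNoExpiry: '66050', // ... | DONT_EXPIRE_PASSWORD               (0x10202)
  disabledWithScript: '515', // NORMAL_ACCOUNT | ACCOUNTDISABLE | SCRIPT (0x203)
  garbage: 'n/a'             // missing or corrupted attribute
};
```

The functions are ES5 and drop into a transform script unchanged, with source.u_useraccountcontrol as the argument. One caveat on the locked_out field the thread's script sets: AD does not keep the LOCKOUT bit current in the stored userAccountControl value (lockout state lives in lockoutTime and the computed msDS-User-Account-Control-Computed attribute), so setting locked_out from a disabled flag is a local policy choice, not a mirror of AD.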

07-29-2019 01:56 PM
I think your ignore should be inside the if loop
    //Deactivate LDAP-disabled users during transform based on 'userAccountControl' attribute.
    //This transform script is inactive by default
    //
    //NOTE: User records must be visible based on the OU filter in order to be disabled
    //gs.log('Processing: ' + source.u_userprincipalname);
    //gs.log('Action => ' + action);
    var user = new GlideRecord('sys_user');
    user.addQuery('user_name', source.u_userprincipalname);
    user.query();
    if (user.next()) {
        //userAccountControl arrives as a decimal string; test the ACCOUNTDISABLE bit (0x0002)
        //instead of the last hex digit, which misses values such as 0x203 (disabled + SCRIPT)
        var ctrl = parseInt(source.u_useraccountcontrol, 10);
        if (!isNaN(ctrl) && (ctrl & 0x2) === 0x2) {
            gs.log('userAccountControl = 0x' + ctrl.toString(16) + ' (disabled) for: ' + source.u_userprincipalname);
            //target.active = false;
            //target.locked_out = true;
            user.active = false;
            user.locked_out = true;
            user.update();
            //Skip the target row only for the users this script has handled
            ignore = true;
        }
    }
Please mark this response as correct or helpful if it assisted you with your question.

07-29-2019 01:53 PM
Hi,
Here's a thread with some discussion on it; please scroll down and see the post by mdomke, where he created a post-import script to scan through all users and deactivate in ServiceNow any that are not found in the sync (due to being moved to another OU or something like that which is outside your scope): https://community.servicenow.com/community?id=community_question&sys_id=0e5547addbd8dbc01dcaf3231f96...
Please mark reply as Helpful/Correct, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
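The post-import reconciliation that link describes, as an added example that is not the thread's or mdomke's code: list the active, LDAP-managed ServiceNow users this run did not return, with a fail-safe so an empty or truncated import (a failed bind, a query cut off at the directory's size limit) cannot deactivate the whole user base. It assumes sys_user.source identifies LDAP-imported users with an 'ldap:' prefix (the stock LDAP user transform map populates source from the DN; verify against your own field map). The user rows and import lists are constructed.

```javascript
// Added example, not from the thread: post-import reconciliation with a
// fail-safe. Assumes sys_user.source starts with 'ldap:' for LDAP-managed
// users; adapt isLdapManaged() to your field map.
function isLdapManaged(user) {
  return typeof user.source === 'string' && user.source.indexOf('ldap:') === 0;
}

// activeUsers: rows from sys_user where active=true ({user_name, source}).
// importedUserNames: user_name values present in this run's import set.
// Returns {ok, reason, deactivate}; deactivate is empty whenever ok is false.
function planDeactivations(activeUsers, importedUserNames, opts) {
  opts = opts || {};
  var minImported = opts.minImported !== undefined ? opts.minImported : 1;
  var maxFraction = opts.maxFraction !== undefined ? opts.maxFraction : 0.10;

  // Fail closed: a run that returned (almost) nothing is a broken run, not a
  // directory in which everyone left.
  if (importedUserNames.length < minImported) {
    return {
      ok: false,
      reason: 'import returned ' + importedUserNames.length + ' rows (< ' + minImported + ')',
      deactivate: []
    };
  }

  // user_name comparison is case-insensitive, as sAMAccountName/UPN are in AD.
  var seen = {};
  importedUserNames.forEach(function (name) {
    seen[String(name).toLowerCase()] = true;
  });
  var managed = activeUsers.filter(isLdapManaged);
  var missing = managed.filter(function (u) {
    return !seen[String(u.user_name).toLowerCase()];
  }).map(function (u) { return u.user_name; });

  // Second guard: an unusually large share of missing users means the scope
  // (OU filter, group filter) changed, not that they all left at once.
  if (managed.length > 0 && missing.length / managed.length > maxFraction) {
    return {
      ok: false,
      reason: missing.length + ' of ' + managed.length + ' LDAP users would be deactivated (> ' + (maxFraction * 100) + '%)',
      deactivate: []
    };
  }
  return { ok: true, reason: '', deactivate: missing };
}

// Constructed sample data.
var SAMPLE_ACTIVE_USERS = [
  { user_name: 'jdoe',     source: 'ldap:CN=J Doe,OU=Staff,DC=example,DC=com' },
  { user_name: 'asmith',   source: 'ldap:CN=A Smith,OU=Staff,DC=example,DC=com' },
  { user_name: 'bwayne',   source: 'ldap:CN=B Wayne,OU=Staff,DC=example,DC=com' },
  { user_name: 'svc_itom', source: '' } // created locally, never touched by the sync
];
var SAMPLE_IMPORT_FULL = ['jdoe', 'ASmith']; // bwayne was dropped from the special group
var SAMPLE_IMPORT_EMPTY = [];                // e.g. bind failure, zero rows returned
```

In an onComplete transform script the two inputs come from a GlideRecord over sys_user with active=true and one over the import set table filtered on the current sys_import_set; set active=false only on the names returned when ok is true, and treat a false result as an alert for a person rather than a silent skip. Locally created accounts such as the service user are never candidates because the sync never owned them.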


07-29-2019 01:59 PM
Also make sure the choice action is set to ignore for every transform mapping.
Please mark this response as correct or helpful if it assisted you with your question.
08-02-2019 07:18 AM
Curious. You said make sure choice action is set to ignore. What I've read is action has only two choices, insert or update.
Anyway, my onBefore script seems to be working as designed. I didn't see any difference putting the ignore = true inside the 'if' loop.
We came up with an additional requirement to also remove that user from any groups he/she might be a member of. The logic seems pretty simple, but when a user is a member of multiple groups it only removes them from the first one and then I receive a message about a Slow Business Rule 'Group Member Delete' that is an OOB Business Rule that will remove roles from the user once removed from the group. So, now I'm fighting that.
Thanks for taking a look at the onBefore script.
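For the group-removal requirement in the last post, an added example (not the poster's code) that deactivates the user and deletes each sys_user_grmember row in a while loop, one deleteRecord() per row so the OOB 'Group Member Delete' business rule runs for every membership. The GlideRecord constructor is passed in as a parameter so the same function runs here against FakeGlideRecord, a constructed in-memory stand-in; in an instance, pass the real GlideRecord. Table contents are constructed.

```javascript
// Added example, not from the thread: deactivate a sys_user and delete every
// sys_user_grmember row for it. GlideRecordCtor is the real GlideRecord in an
// instance; FakeGlideRecord below is a constructed stand-in for running offline.
function deactivateAndRemoveFromGroups(GlideRecordCtor, userName) {
  var user = new GlideRecordCtor('sys_user');
  user.addQuery('user_name', userName);
  user.query();
  if (!user.next()) {
    return { found: false, removed: 0 };
  }
  var sysId = user.getValue('sys_id');
  user.setValue('active', false);
  user.setValue('locked_out', true);
  user.update();

  var gm = new GlideRecordCtor('sys_user_grmember');
  gm.addQuery('user', sysId);
  gm.query();
  var removed = 0;
  // while, not if: if (gm.next()) would handle only the first membership row.
  while (gm.next()) {
    gm.deleteRecord();
    removed++;
  }
  return { found: true, removed: removed };
}

// --- constructed stand-in for GlideRecord: equality filters over arrays of rows ---
function FakeGlideRecord(tables, table) {
  this.rows = tables[table];
  this.filters = [];
  this.matches = [];
  this.pos = -1;
  this.current = null;
}
FakeGlideRecord.prototype.addQuery = function (field, value) {
  this.filters.push([field, value]);
};
FakeGlideRecord.prototype.query = function () {
  var filters = this.filters;
  this.matches = this.rows.filter(function (row) {
    return filters.every(function (f) { return row[f[0]] === f[1]; });
  });
  this.pos = -1;
};
FakeGlideRecord.prototype.next = function () {
  this.pos++;
  this.current = this.pos < this.matches.length ? this.matches[this.pos] : null;
  return this.current !== null;
};
FakeGlideRecord.prototype.getValue = function (field) { return this.current[field]; };
FakeGlideRecord.prototype.setValue = function (field, value) { this.current[field] = value; };
FakeGlideRecord.prototype.update = function () { return this.current.sys_id; };
FakeGlideRecord.prototype.deleteRecord = function () {
  var i = this.rows.indexOf(this.current);
  if (i >= 0) { this.rows.splice(i, 1); }
  return i >= 0;
};

// Constructed tables: jdoe is in three groups, asmith in one.
function makeFakeTables() {
  return {
    sys_user: [
      { sys_id: 'u1', user_name: 'jdoe',   active: true, locked_out: false },
      { sys_id: 'u2', user_name: 'asmith', active: true, locked_out: false }
    ],
    sys_user_grmember: [
      { sys_id: 'm1', user: 'u1', group: 'g_servicedesk' },
      { sys_id: 'm2', user: 'u1', group: 'g_change_approvers' },
      { sys_id: 'm3', user: 'u1', group: 'g_admins' },
      { sys_id: 'm4', user: 'u2', group: 'g_servicedesk' }
    ]
  };
}

// Returns a constructor with the same calling shape as GlideRecord: new GR('table').
function makeFakeGlideRecord(tables) {
  return function (table) { return new FakeGlideRecord(tables, table); };
}
```

A common reason only the first membership disappears is iterating the membership query with if (gm.next()) instead of while (gm.next()); the rest of the logic is unchanged either way. Because 'Group Member Delete' strips roles on each deletion, removing a user from many groups in one transform row is inherently slow; running the group cleanup from an onComplete script or a scheduled job, rather than inside the per-row onBefore script, keeps the import itself fast.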