Currently importing users from AD using LDAP queries.  This has been working great until we noticed a number of users we knew were gone from the company still had active accounts in ServiceNow.  For a user to get a ServiceNow account they have to of course be in AD, but also part of a special group.  If a user is disabled in AD, the normal LDAP process will disable the user.  But, what we found out is when a user is disabled, the Account Mgmt people are also removing them from the special group.  So, my initial LDAP query doesn't even look at them anymore to know they were disabled.

So, I setup a separate lDAP definition to query AD ofr only disabled accounts.  I then process the import table, check each user imported against my user table and if they exist, set active to false.  Saw a number of posts they said all I had to do was add this to the Import script:

target.active = false;

Well, it didn't set the active field to false and after running numerous tests, I found thousands of empty user records had been added to my user table. Got it to work by creating an onBefore script that would not only query the user table, but set the record it found to active=false and then follow that up with an update().  I also would set the ignore variable to true.  Didn't think this was the best practice to do this, but I could never get the target.active to work without it inserting an empty record.

There's got to be a better way to do this, but from what I've read:

• onBefore: executes at the start of a row transformation and before the row is transformed into the target row

So the onBefore won't work without the update statement because it's not been transformed into the target yet.

This is what I have that works:

//Deactivate LDAP-disabled users during transform based on 'userAccountControl' attribute.
//This transform script is inactive by default
//
//NOTE: User records must be visible based on the OU filter in order to be disabled

//Convert the userAccountControl attribute to a hex value
ignore = true;
//gs.log('Processing: ' + source.u_userprincipalname);
//gs.log('Action => ' + action);
var user = new GlideRecord('sys_user');
user.addQuery('user_name', source.u_userprincipalname);
user.query();
if (user.next()) {
	var ctrl = parseInt(source.u_useraccountcontrol, 10);
	ctrl     = ctrl.toString(16);
	//gs.log('UC set to: ' + ctrl);
	
	//The relevant digit is the final one
	//A final hex digit value of '2' in 'ctrl' means disabled
	if (ctrl.substr(-1) == "2") {
		gs.log('User Control = ' + ctrl.substr(-1) + ' for: ' + source.u_userprincipalname);
		//target.active = false;
		//target.locked_out = true;
		user.active = false;
		user.locked_out = true;
		user.update();
	}
}