04-06-2023 03:10 PM
Dear Team,
To create users and their information, our ServiceNow instance is synced with our Active Directory, and when any user leaves the organisation, his/her Active Directory account gets removed from our end. Now the requirement is: how can we deactivate all those users' ServiceNow accounts whose Active Directory accounts got deleted for the above-stated reason?
In other words, we need to make the ServiceNow instance check whether any user's Active Directory account is no longer available and, if so, deactivate their ServiceNow account.
Please help with the steps that need to be followed to achieve this.
Thanks in advance; I will mark the desired response as helpful and accept it as the solution.
04-07-2023 11:02 AM
Hey @rishabh31,
In our organization, we have a Disabled User Account OU in Active Directory where employee account objects are moved for 6 months after termination.
In ServiceNow, under LDAP Servers, I have an LDAP OU Definition for Disabled User Accounts, and as part of the transform I have mapped the userAccountControl field from AD to a field on the sys_user table. This field gets populated with a numerical attribute that notes whether the account is active or inactive.
Then, an onBefore Transform Script for the LDAP OU Definition of Disabled User Accounts catches the inactive AD accounts (marked as 514 or 546 depending on account type) and marks their ServiceNow account as inactive and locked out:
// Deactivate LDAP-disabled users during transform based on the 'userAccountControl' attribute.
// 514 = 0x202 (ACCOUNTDISABLE | NORMAL_ACCOUNT); 546 = 0x222 (the same plus PASSWD_NOTREQD).
if (source.u_useraccountcontrol == '514' || source.u_useraccountcontrol == '546') {
    target.active = false;
    target.locked_out = true;
}
Hope this helps,
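The transform script in the answer above works for the two userAccountControl values it names, but userAccountControl is a bitmask: a disabled account that also has DONT_EXPIRE_PASSWORD set arrives as 66050, and the literal comparison leaves it active. The example below is an added illustration, not code from the thread or from ServiceNow; it tests the ACCOUNTDISABLE bit (0x0002) instead. It is written in ES5-style JavaScript so it runs under Node for checking and could be pasted into the same onBefore transform script, where `source` and `target` are supplied by the import engine. The field name `u_useraccountcontrol` is the one the answer uses; the sample rows are constructed.

```javascript
// Added example: bit-aware replacement for the literal 514/546 check.
// userAccountControl flag bits, per Microsoft's documentation of the attribute.
var UAC_ACCOUNTDISABLE = 0x0002;
var UAC_PASSWD_NOTREQD = 0x0020;
var UAC_NORMAL_ACCOUNT = 0x0200;
var UAC_DONT_EXPIRE_PASSWORD = 0x10000;

// The LDAP import hands the attribute over as a decimal string. Parse it and
// report whether the ACCOUNTDISABLE bit is set. A missing or malformed value
// returns false so a bad row never deactivates someone by accident.
function isAdDisabled(uacValue) {
  var n = parseInt(String(uacValue).trim(), 10);
  if (isNaN(n) || n < 0) {
    return false;
  }
  return (n & UAC_ACCOUNTDISABLE) !== 0;
}

// The literal check from the accepted answer, kept for side-by-side comparison.
function literalCheck(uacValue) {
  return uacValue == '514' || uacValue == '546';
}

// Transform-script decision: same outcome as the answer's script (inactive and
// locked out), but for any disabled account regardless of the other flags.
// Returns what it did so the caller can log or assert on it.
function applyUacToTarget(source, target) {
  if (isAdDisabled(source.u_useraccountcontrol)) {
    target.active = false;
    target.locked_out = true;
    return 'deactivated';
  }
  return 'unchanged';
}

// Constructed sample rows mimicking `source` during an import (hypothetical users).
var SAMPLE_ROWS = [
  { user_name: 'jdoe',   u_useraccountcontrol: '514' },   // disabled, normal account
  { user_name: 'asmith', u_useraccountcontrol: '546' },   // disabled + PASSWD_NOTREQD
  { user_name: 'bwong',  u_useraccountcontrol: '66050' }, // disabled + DONT_EXPIRE_PASSWORD
  { user_name: 'clee',   u_useraccountcontrol: '512' },   // enabled, normal account
  { user_name: 'dkim',   u_useraccountcontrol: '66048' }, // enabled + DONT_EXPIRE_PASSWORD
  { user_name: 'nouac',  u_useraccountcontrol: '' }       // attribute missing from the import
];

// Run both checks over the rows and return { user_name: { literal, bitwise } }.
function compareChecks(rows) {
  var out = {};
  rows.forEach(function (row) {
    out[row.user_name] = {
      literal: literalCheck(row.u_useraccountcontrol),
      bitwise: isAdDisabled(row.u_useraccountcontrol)
    };
  });
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compareChecks(SAMPLE_ROWS), null, 2));
}
```

Note that `bwong` (66050) is disabled in AD but passes the literal check untouched; only the bit test catches it. Keeping the value as a number also lets you check the other bits (for example LOCKOUT, 0x0010) later without adding more string literals.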
04-06-2023 03:51 PM
How are you currently syncing with Active Directory? Potentially, part of the sync job can compare users in ServiceNow vs. users in AD and deactivate them in ServiceNow if they are not found in AD.
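A transform script only runs for entries the LDAP import actually returns, so an account that was deleted from AD (as in the original question) never reaches it; the compare-and-deactivate job suggested here is what covers that case. The example below is an added illustration, not code from the thread or from ServiceNow. It is plain ES5-style JavaScript so it runs under Node; in a scheduled job the ServiceNow user list would come from a GlideRecord query on sys_user and the AD list from the import set table, and here both are constructed inline. It assumes the import maps sAMAccountName to sys_user.user_name and that LDAP-created users carry an `ldap`-prefixed value in the sys_user `source` field (labelled as an assumption in the code). The important caveat it handles is a failed or partial LDAP run: an empty or truncated result set must not be allowed to deactivate every user in the instance.

```javascript
// Added example: reconcile ServiceNow users against the last AD import and
// plan deactivations, refusing to act when the AD data looks incomplete.

// Upper bound on the share of LDAP-sourced active users one run may deactivate.
// A failed bind or a misconfigured base DN returns few or no entries; without this
// guard a naive "not in AD, so deactivate" job would disable the whole user base.
var MAX_DEACTIVATION_RATIO = 0.20;

// Constructed sample: sAMAccountNames returned by the most recent LDAP import.
var AD_USERS = ['jdoe', 'asmith', 'clee', 'efox', 'gpatel'];

// Constructed sample sys_user rows. `source` is assumed to hold the LDAP DN for
// imported accounts (ServiceNow's LDAP import populates it); local and service
// accounts have no such prefix and are never candidates for this job.
var SN_USERS = [
  { user_name: 'jdoe',   active: true,  source: 'ldap:CN=jdoe,OU=Users,DC=example,DC=com' },
  { user_name: 'asmith', active: true,  source: 'ldap:CN=asmith,OU=Users,DC=example,DC=com' },
  { user_name: 'clee',   active: true,  source: 'ldap:CN=clee,OU=Users,DC=example,DC=com' },
  { user_name: 'efox',   active: true,  source: 'ldap:CN=efox,OU=Users,DC=example,DC=com' },
  { user_name: 'gpatel', active: true,  source: 'ldap:CN=gpatel,OU=Users,DC=example,DC=com' },
  { user_name: 'bwong',  active: true,  source: 'ldap:CN=bwong,OU=Users,DC=example,DC=com' }, // deleted from AD
  { user_name: 'dkim',   active: false, source: 'ldap:CN=dkim,OU=Users,DC=example,DC=com' },  // already inactive
  { user_name: 'admin',  active: true,  source: '' },                                          // local account
  { user_name: 'svc_it', active: true,  source: '' }                                           // local service account
];

// Only accounts the LDAP import created are eligible for LDAP-driven deactivation.
function isLdapSourced(user) {
  return String(user.source || '').toLowerCase().indexOf('ldap') === 0;
}

// Build the plan: which active LDAP-sourced users are absent from AD. Names are
// compared case-insensitively because sAMAccountName is case-insensitive in AD.
// Returns { ok, reason, toDeactivate } and never mutates its inputs.
function planDeactivations(snUsers, adUserNames, maxRatio) {
  var ratio = (typeof maxRatio === 'number') ? maxRatio : MAX_DEACTIVATION_RATIO;
  var present = {};
  adUserNames.forEach(function (name) {
    present[String(name).toLowerCase()] = true;
  });

  var candidates = snUsers.filter(function (u) {
    return u.active === true && isLdapSourced(u);
  });
  var missing = candidates.filter(function (u) {
    return !present[String(u.user_name).toLowerCase()];
  });

  if (adUserNames.length === 0) {
    return { ok: false, reason: 'AD returned no users; the import probably failed', toDeactivate: [] };
  }
  if (candidates.length > 0 && missing.length / candidates.length > ratio) {
    return {
      ok: false,
      reason: missing.length + ' of ' + candidates.length + ' LDAP users missing, above threshold ' + ratio,
      toDeactivate: []
    };
  }
  return {
    ok: true,
    reason: '',
    toDeactivate: missing.map(function (u) { return u.user_name; })
  };
}

// Apply an approved plan to the in-memory rows (stand-in for gr.update() on each
// sys_user record) and return how many accounts were deactivated.
function applyPlan(snUsers, plan) {
  if (!plan.ok) {
    return 0;
  }
  var count = 0;
  snUsers.forEach(function (u) {
    if (plan.toDeactivate.indexOf(u.user_name) !== -1) {
      u.active = false;
      u.locked_out = true;
      count++;
    }
  });
  return count;
}

if (typeof require !== 'undefined' && require.main === module) {
  var plan = planDeactivations(SN_USERS, AD_USERS);
  console.log(JSON.stringify(plan));
  console.log('deactivated: ' + applyPlan(SN_USERS, plan));
}
```

With the sample data the plan deactivates only `bwong`; the same job given an empty AD list, or one that returns a single user, refuses to run and reports why, which is the condition to alert on rather than silently accept. Keeping the threshold a parameter lets a deliberate bulk offboarding override it for one run.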
04-06-2023 07:31 PM
Hi @Jared Wason,
Active Directory is integrated with the ServiceNow instance.
Could you please help me with the steps, if this is achievable?