How to update active to false on LDAP user import without otherwise updating the user account
05-04-2023 01:04 PM
My organization uses LDAP to import users from Azure AD. The issue that my team is having is that our import process brings in inactive users and their information with this import. Specifically this is an issue with location-related fields where users that left the company some time ago (with non-standard location assigned to them in AD) will keep getting brought in and Locations will get re-imported.
Using an OU Definition filter to ignore inactive users completely does not work because then users who leave the company will not get deactivated in the first place. I also tried to use variations of transform scripts (onBefore, onStart) to try to set inactive users' UserAccountControl value on their ServiceNow user profile, but with scripts I can only seem to manage to either update all the fields on the inactive user records or ignore the inactive user completely.
How can I update just one field on an inactive user’s account without doing a transform/import on all the other fields in a user’s account?
For more info, I am not able to remove Location or other user fields from the LDAP import process because Location is an important field for setting up IT support in our organization. I know that I could filter out inactive users and then run a schedule job on users that have not been refreshed from LDAP for a certain period of time to find inactive users… but my organization’s ServiceNow product owner does not like the idea of having any additional window of time where people who have left the company retain their ServiceNow access.
Information on our environment and attempts made below:
Our current LDAP OU Definition filter is (&(objectClass=person)(sn=*)(EmployeeID=*)(!(objectClass=computer))) and using this filter with (!(userAccountControl=512)) or to filter out specific OUs means that users are not made inactive when they leave the company. I don’t think a filter is going to work for what I need but I am open to suggestions.
The script below is one I’ve seen in a number of places, and people have suggested that this will do what I am hoping to accomplish but the reality is that all fields on inactive user accounts are still being updated. I have tried versions of this script as part of the table transform map script itself, and also as an onBefore and onStart transform script. I have only managed to either completely ignore the inactive account or update all of the fields on the account. I only want to update the userAccountControl field we have on the inactive user records and no other fields after they have been deactivated.
//This script results in inactive users records being updated in their entirety
//Deactivate LDAP-disabled users during transform based on 'userAccountControl' attribute value 514
if (source.u_useraccountcontrol == '514') {
    target.active = false;
    target.locked_out = true;
    //Ignore any insert of a disabled record
    if (action == 'insert') {
        ignore = true;
    }
}
I also tried the below script in a few places.
//This script has the same problem as a filter, and users who leave the company are not set to inactive
if (source.u_useraccountcontrol == '514' || action == 'insert') {
    target.u_ad_user_account = '514';
    //update; //when this is included it updates all the import fields for inactive users
    ignore = true;
}

05-08-2023 11:33 AM
Sounds like you need to name the field differently then so your manager is not confused on what it is for. Something like Last Seen in AD or something else. You can also add ACLs to the field so only an admin can see and read the field, so no one will know it's there.
05-08-2023 12:30 PM
It is named clearly. What my manager does not like is the sys_updated_on value updating every time the new u_last_ad_refresh field is updated.

05-08-2023 12:34 PM - edited 05-08-2023 12:35 PM
Then use autoSysFields(false).
05-08-2023 12:46 PM
I did not find info on how that can be used during import to only skip updating sys_updated_on for updates to one single field (u_last_ad_refresh) and not when the other fields in the import are updated. Manager does not want Last AD Refresh changing Updated, but any other information updated by LDAP on the user record, such as Location or Job Title, should be reflected by the Updated field as it is now.

05-09-2023 09:40 AM
So the other two options I see are
1 - Set up a second import that uses the filter (useraccountcontrol:1.2.840.113556.1.4.803:=2) so you only get Disabled accounts. Then in the transform map you map your key field and the active field, then use a script to just return false so all of the accounts returned in the query are disabled. That will disable the users, and your updated field will only show an update for the users that were disabled during that sync.
2 - Do not filter disabled users out and add useraccountcontrol to the fields that you are going to sync. Then add the Active field to your transform map and set it using a script. Then use this as the script
//Since userAccountControl will come over as a number we can convert it to an Int
// and then check bit 2 to see if it is set. If set then the account is disabled and
// if not set it is set to active. This will cause accounts that are disabled to be
// disabled in ServiceNow and when re-enabled to be set active again in ServiceNow.
answer = (function transformEntry(source) {
    return (parseInt(source.getValue("u_useraccountcontrol")) & 2) != 2;
})(source);
I generally do not like these options because if someone deletes an account instead of disabling it you will not know, and it will stay active in ServiceNow. So at some point you then have to find the accounts that are not coming over, which means you have to build a view and then run scripts against that. In my opinion it's easier to just have a field that indicates when you last saw the user in AD, because the sys_updated_on field gets updated when the user logs in and when other updates are made, so it's not a good indicator for what I think your manager wants, but everyone has their own needs and wants.
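Added example, not part of the original thread and not ServiceNow's own API: the bit-2 check from option 2 and the original post's "ignore the first insert of a disabled account" rule, modelled as plain JavaScript and run over constructed userAccountControl values. It assumes the source field arrives as a decimal string (as it does through source.getValue()), and the sample rows show why comparing against the literal 514, or filtering on (!(userAccountControl=512)), misses disabled accounts that also carry other flags such as DONT_EXPIRE_PASSWORD.

```javascript
// Added example (not from the original thread). Assumption: the transform
// source field u_useraccountcontrol arrives as a decimal string.

// Bit 2 (0x2) of userAccountControl is ACCOUNTDISABLE. The other bits encode
// unrelated account options, so a disabled account is not always exactly 514.
const ACCOUNTDISABLE = 0x2;

// Returns true/false for a parseable value, null when the attribute is missing
// or unreadable so the caller does not guess an account state.
function isDisabled(uacValue) {
  const uac = parseInt(uacValue, 10);
  if (isNaN(uac)) {
    return null;
  }
  return (uac & ACCOUNTDISABLE) === ACCOUNTDISABLE;
}

// Decide what one transform row should do: active = !disabled (option 2 above)
// plus the original poster's rule of ignoring an insert of an already-disabled
// account, so that stale users never get created in the first place.
function planTransform(action, uacValue) {
  const disabled = isDisabled(uacValue);
  if (disabled === null) {
    return { active: null, ignore: true, reason: "no userAccountControl value" };
  }
  if (disabled && action === "insert") {
    return { active: false, ignore: true, reason: "disabled account never imported" };
  }
  return { active: !disabled, ignore: false, reason: disabled ? "disable" : "keep active" };
}

// Constructed sample rows covering common flag combinations.
const SAMPLE_ROWS = [
  { action: "update", uac: "512" },   // NORMAL_ACCOUNT
  { action: "update", uac: "514" },   // NORMAL_ACCOUNT | ACCOUNTDISABLE
  { action: "update", uac: "66048" }, // NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
  { action: "update", uac: "66050" }, // same, plus ACCOUNTDISABLE; missed by == '514'
  { action: "insert", uac: "514" },   // disabled account seen for the first time
  { action: "update", uac: "" },      // attribute missing from the LDAP entry
];

function runSamples() {
  return SAMPLE_ROWS.map(r => Object.assign({}, r, planTransform(r.action, r.uac)));
}

console.table(runSamples());
```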