If an account is deleted rather than disabled in Active Directory, nothing happens in ServiceNow.

pavana3
Tera Expert

Hi Team,

How to implement this: if a user account is deleted rather than disabled in Active Directory, nothing happens in ServiceNow. How do I solve this problem?
If an account is deleted or not found, it will also be marked inactive in ServiceNow after 2 weeks.

If anyone knows, please help me out.

 

Currently it is working for deactivated accounts but not for deleted accounts.

Thanks & Regards,

PB

1 ACCEPTED SOLUTION

pavana3
Tera Expert

@bhu 

Can you help me with the script part? I will schedule it once every 2 weeks; I plan to update disabled users or deleted users as you said, and I have not received any details from the integration regarding disabled users (sys_updated_on field of user records, and if it is not recently updated, you can make it inactive. This can be done via a scheduled job based on the frequency of your AD synchronization.) - How to achieve this?

 

Thanks & regards,

PB


14 REPLIES

@pavana3 

 

I am not sure how your integration is set up. Typically, when you sync AD users & groups with ServiceNow, it happens via a transform map. You will have a coalesce field [user_name or email] to identify whether a record is inserted or updated.

 

As I mentioned, the first and preferred option must be to fix the process gap and align with the AD team to make sure they do not delete the user records but deactivate them.

 

As a backup option, you can check the updated time of sys_user records after the transform maps are run and see if any of the user records are not updated. Below is a sample:

 

'source' == 'Azure AD' AND 'sys_updated_on' != today  

 

If a user record is not updated after the transform, it would mean the user record is not available at the source, so make them inactive. Make sure the coalesce field is set correctly, as the insert/update logic is based on that, and test this in Sub-Production first before migrating to Production.

 

If this helped to answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan
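The staleness check described in the reply above, worked through as an added example (this is not code from the thread or from ServiceNow). It is plain Node.js over a constructed in-memory set of sys_user rows so it runs offline; in the instance the same selection would be a Scheduled Script Execution over GlideRecord, as the comments note. The source value 'Azure AD', the 25% safety limit, the fixed "now" and the sample rows are all assumptions.

```javascript
// Added example (not code from the thread or from ServiceNow): the "stale sys_updated_on"
// fallback for accounts deleted in AD. Any AD-sourced, active sys_user that no transform
// has touched for STALE_DAYS is presumed gone from the directory and is deactivated.
// Plain Node.js over constructed in-memory rows; in the instance the same selection is a
// Scheduled Script Execution using GlideRecord (see the comments at each step).

const STALE_DAYS = 14;         // thread requirement: two weeks of not being found
const AD_SOURCE = 'Azure AD';  // assumed value the transform map writes to sys_user.source
const MAX_FRACTION = 0.25;     // assumed safety limit: refuse to run if >25% of AD users look stale

// sys_updated_on is stored as "YYYY-MM-DD HH:MM:SS" in UTC; parse it explicitly as UTC
// so the comparison does not drift with the server's time zone.
function parseGlideDateTime(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/.exec(String(s));
  if (!m) throw new Error('bad GlideDateTime: ' + s);
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
}

function formatGlideDateTime(d) {
  return d.toISOString().slice(0, 19).replace('T', ' ');
}

// Anything updated before this moment has been skipped by at least STALE_DAYS of syncs.
function staleCutoff(now, days) {
  return new Date(now.getTime() - days * 24 * 60 * 60 * 1000);
}

// The equivalent encoded query for the instance:
//   var gr = new GlideRecord('sys_user'); gr.addEncodedQuery(encodedQuery(...)); gr.query();
// "^" is AND in ServiceNow encoded queries.
function encodedQuery(now, days) {
  return 'source=' + AD_SOURCE + '^active=true^sys_updated_on<' + formatGlideDateTime(staleCutoff(now, days));
}

// Selection step: user_names of active AD-sourced users not updated since the cutoff.
// Local and already-inactive records are never touched.
function findOrphanedUsers(users, now, days) {
  const cutoff = staleCutoff(now, days);
  return users
    .filter(u => u.source === AD_SOURCE && u.active === true)
    .filter(u => parseGlideDateTime(u.sys_updated_on) < cutoff)
    .map(u => u.user_name);
}

// Guard against a failed or skipped import: then every AD user looks stale at once,
// and an unguarded job would deactivate the whole directory in one run.
function planDeactivation(users, now, days, maxFraction) {
  const adActive = users.filter(u => u.source === AD_SOURCE && u.active === true).length;
  const stale = findOrphanedUsers(users, now, days);
  if (adActive > 0 && stale.length / adActive > maxFraction) {
    return { ok: false, users: [], reason: stale.length + ' of ' + adActive + ' AD users stale; check that the LDAP import ran' };
  }
  return { ok: true, users: stale, reason: '' };
}

// Apply step. In the instance: gr.setValue('active', false); gr.update();
function applyDeactivation(users, plan) {
  if (!plan.ok) return users;
  const names = new Set(plan.users);
  return users.map(u => (names.has(u.user_name) ? { ...u, active: false } : u));
}

// Constructed sample rows as the job might see them on a fixed "now" (2024-06-30 02:00 UTC).
const NOW = new Date('2024-06-30T02:00:00Z');
const SAMPLE_USERS = [
  { user_name: 'alice', source: 'Azure AD', active: true,  sys_updated_on: '2024-06-29 01:05:00' }, // seen by last sync
  { user_name: 'bob',   source: 'Azure AD', active: true,  sys_updated_on: '2024-06-10 01:05:00' }, // deleted in AD 20 days ago
  { user_name: 'carol', source: 'Azure AD', active: false, sys_updated_on: '2024-05-01 01:05:00' }, // already inactive
  { user_name: 'dave',  source: 'local',    active: true,  sys_updated_on: '2024-01-01 09:00:00' }, // not AD-managed
  { user_name: 'erin',  source: 'Azure AD', active: true,  sys_updated_on: '2024-06-20 01:05:00' },
  { user_name: 'frank', source: 'Azure AD', active: true,  sys_updated_on: '2024-06-28 01:05:00' },
  { user_name: 'grace', source: 'Azure AD', active: true,  sys_updated_on: '2024-06-29 01:05:00' },
];
```

The guard is the part a practitioner should not skip: if the LDAP import silently stops for two weeks, every AD-sourced user looks stale, and without the fraction check the job would deactivate the whole directory in one run. Note also that sys_updated_on moves on any update, including a manual edit by an admin, so a record touched by hand drops out of the stale set for another window; a dedicated "last seen in AD" timestamp written by the transform map is more robust than relying on sys_updated_on alone.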

pavana3
Tera Expert

It says to mark it deactivated after 2 weeks of not being found.

pavana3
Tera Expert

Hi Bhuvan,

Thank you ... I will try and let you know if it works.

Regards,

Pavana

pavana3
Tera Expert

Hi Bhuvan,

I have created one new test user in AD (ServiceNow test); after the LDAP steps I followed, I inserted it into the ServiceNow sys_user table through a transform map.

Step 2: In AD I deactivated (ServiceNow test), and in LDAP node + browse it is not showing. After that I followed the same steps, and then the transform map updated the ServiceNow sys_user table. This time the ServiceNow test user is still Active only, not changed to Inactive. In the onBefore transform script I have written code like below:

 
Thanks & Regards,
PB

@pavana3 

 

Do you have any payload received in ServiceNow from LDAP for disabled or deactivated users?

 

The onBefore transform script runs before the transform happens from the import set table to the target table. If you get a flag that the user is deactivated or disabled from LDAP, we can use it to make the user inactive using transform event scripts.

 

https://developer.servicenow.com/dev.do#!/learn/courses/zurich/app_store_learnv2_importingdata_zuric...

 

If you do not receive any details from the integration regarding disabled users, we need to use logic where you check the sys_updated_on field of user records, and if it is not recently updated, you can make it inactive. This can be done via a scheduled job based on the frequency of your AD synchronization.

 

If this helped to answer your query, please mark it helpful & accept the solution. 

 

Thanks,

Bhuvan
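The "flag" path from the reply above, worked through as an added example (not code from the thread or from ServiceNow). In AD the disabled state lives in the userAccountControl attribute, bit 0x2 (ACCOUNTDISABLE); if the LDAP import carries that attribute into the import set, an onBefore transform script can set the target sys_user's active field from it. The code is plain Node.js over plain objects so it runs offline; the import set column names u_useraccountcontrol and u_samaccountname are assumptions, since they depend on how the LDAP attributes were mapped.

```javascript
// Added example, not from the original thread or from ServiceNow. It shows the "flag"
// path: when the import set row carries AD's userAccountControl, an onBefore transform
// script marks the target sys_user inactive if the ACCOUNTDISABLE bit is set.
// Plain Node.js over plain objects; in the instance the body of runTransformScript goes
// in the transform map's onBefore script, where `source` is the import set row and
// `target` the sys_user record being written.

// Well-known userAccountControl bits from the AD schema.
const UAC = {
  SCRIPT: 0x0001,
  ACCOUNTDISABLE: 0x0002,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
};

// Import set column names are assumptions; they depend on the LDAP attribute mapping.
const UAC_FIELD = 'u_useraccountcontrol';
const SAM_FIELD = 'u_samaccountname';

// LDAP delivers the attribute as a decimal string; accept string or number,
// return null for missing or unparseable values so the caller can tell "unknown" apart.
function parseUac(raw) {
  if (raw === undefined || raw === null || raw === '') return null;
  const n = typeof raw === 'number' ? raw : parseInt(String(raw), 10);
  return Number.isInteger(n) && n >= 0 ? n : null;
}

// Names of the known flags set in a userAccountControl value (useful in the import log).
function uacFlags(value) {
  return Object.keys(UAC).filter(name => (value & UAC[name]) !== 0);
}

// true = disabled in AD, false = enabled, null = attribute not present / unreadable.
function isAdDisabled(raw) {
  const v = parseUac(raw);
  return v === null ? null : (v & UAC.ACCOUNTDISABLE) !== 0;
}

// Same parameter shape as a ServiceNow transform script: (source, map, log, target).
// AD is treated as authoritative for active: an account re-enabled in AD is re-enabled here,
// and one disabled in AD is deactivated. Returns the decision so it can be asserted offline.
function runTransformScript(source, map, log, target) {
  const disabled = isAdDisabled(source[UAC_FIELD]);
  if (disabled === null) {
    // Never flip a user on a missing attribute; log it and let the record through unchanged.
    log.warn('userAccountControl missing for ' + source[SAM_FIELD] + '; leaving active untouched');
    return 'unchanged';
  }
  target.active = !disabled;
  if (disabled) {
    log.info('deactivating ' + source[SAM_FIELD] + ' (' + uacFlags(parseUac(source[UAC_FIELD])).join('|') + ')');
  }
  return disabled ? 'deactivated' : 'activated';
}
```

Two caveats follow directly from the thread. First, this only works if the disabled account still reaches the import set: pavana3's disabled test user no longer appeared under LDAP browse, which is what happens when the LDAP server definition's filter excludes disabled accounts (the usual form is (!(userAccountControl:1.2.840.113556.1.4.803:=2))); with such a filter the onBefore script never sees the row and cannot flip it. Second, a deleted account produces no row at all, so no transform-time script can handle that case; it needs the scheduled staleness check instead.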