Lock-out all non-admin users
06-05-2012 11:55 AM
We have 3 instances (prod/test/dev) and I'd like to lock-out all non-admin users in test & dev. Is there any easy way to do so? Sounds like a routine script or option, but the only unhelpful reference to this is in the post-cloning checklist (User Access).
With 30000 users in our system, I need a quick way to lock-out users immediately after a clone.
Here is a script that lists all non-locked-out users, but includes admins. How can I omit admins from this list?
lockout_users();

function lockout_users() {
    var gr = new GlideRecord("sys_user");
    gr.addQuery('locked_out', 'false');
    gr.addQuery('user_name', '!=', 'admin');
    gr.addQuery('user_name', '!=', 'DiscoveryUser');
    gr.query();
    while (gr.next()) {
        // hasRole() is a GlideSystem/GlideUser method, not a GlideRecord method,
        // so this check does not exclude users who hold the admin role
        if (!gr.hasRole('admin')) {
            // gr.locked_out = true;
            gs.print(gr.user_name + ' - ' + gr.name + ' - ' + gr.locked_out);
            gr.update(); // still runs even though the assignment above is commented out
        }
    }
    gs.log("Completed locking out non-admin accounts");
}
Thanks,
Mac
06-05-2012 01:03 PM
Something like this:
lockout_users();

function lockout_users() {
    var gr = new GlideRecord("sys_user");
    gr.addQuery('locked_out', 'false');
    gr.addQuery('user_name', '!=', 'admin');
    gr.addQuery('user_name', '!=', 'DiscoveryUser');
    gr.query();
    while (gr.next()) {
        // look up an admin role assignment for this user in sys_user_has_role;
        // compare against the user's sys_id rather than the GlideRecord object itself
        var role = new GlideRecord("sys_user_has_role");
        role.addQuery("user", gr.getValue('sys_id'));
        role.addQuery("role.name", 'admin');
        role.query();
        if (!role.hasNext()) {
            // dry run: uncomment the assignment and gr.update() to actually lock the account
            // gr.locked_out = true;
            gs.print(gr.user_name + ' - ' + gr.name + ' - ' + gr.locked_out);
            // gr.update();
        }
    }
    gs.log("Completed locking out non-admin accounts");
}
06-05-2012 01:42 PM
Thanks Matt - but so far it's still showing admin users as well.
If I happen to reverse the if statement to if (role.hasNext()), I would expect to see only a list of admins, but instead, the result list is empty.
06-07-2012 09:51 AM
Since we only had a handful of users with the admin role, I manually defined them in the script and it worked ok.
However, my main goal here was to secure access to the non-production instances. I only wanted admins or other users we manually give rights to, to be able to login to test/dev. Locking out users doesn't seem to be the way to go as then we can't impersonate any of them. In order to impersonate a user, they must be active and not locked out.
We use ldap to authenticate users, and that must stay active to keep our user data current.
Anyone have a better technique for securing your non-production instances?

06-07-2012 12:07 PM
Check out this SNGuru article for a better solution using installation exits.
http://www.servicenowguru.com/system-definition/custom-login-validation-installation-exits/