Prevent Local Login For SOME Users

stevejarman
Giga Guru

We've implemented SSO in a multi-domain, multi-customer environment. I'd like to prevent certain users (e.g. belonging to a particular company) from logging in locally. I'd be quite happy to do this by simply setting all of their local ServiceNow passwords to a random string.

Is there a way, via scripting, to iterate through users and change their password to a random string if they belong to a particular company? I just want to do this as a one-off background script whenever a particular customer is reconfigured for SSO.

There are some details documented here, but they don't apply in my case, or don't produce the results I want. They would basically be implemented on a transform script if bringing the users in from LDAP (for example). In my case, the users already exist and are maintained manually as there is no LDAP connection to this external customer's AD.

http://wiki.servicenow.com/?title=External_Authentication_(Single_Sign-On_-_SSO)#Restricting_Local_L...

3 REPLIES

stevejarman
Giga Guru

Apologies - it looks like this is going to be a lot more obvious than I thought it would be. For future reference, refer to this article:


Reset Passwords for All Users to Set String - ServiceNow Wiki


I know this is super old, but I am trying to do the same thing. My question is, let's say you do reset everyone's local password to a random string. Can't they just go log in via SSO then go to change their local password via "reset password" link?

anguspalmer
Giga Guru

I came across this post while looking for a similar answer. Since the wiki is long retired I thought I'd add the script that was described in the wiki article.

 

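// Background script: sets the local password of every user to one fixed string.
var gr = new GlideRecord("sys_user");
gr.query(); // no filter, so every sys_user record is returned
while (gr.next()) {
  // setDisplayValue on the password field takes the new password as plain text
  gr.user_password.setDisplayValue("abc123");
  gs.log("updating password for " + gr.user_name);
  gr.update();
}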
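
The company-scoped variant asked for in the original question, as an added example that is not code from the thread's posters or from ServiceNow: it filters sys_user on the company reference field and gives each matching user a different random password instead of one shared string. The function and parameter names are hypothetical, the company sys_id is a placeholder, and it assumes GlideSecureRandomUtil.getSecureRandomString is available on the instance.

```javascript
// Added example: set a distinct random local password for each user of one company.
// UserRecord is GlideRecord on the instance; randomString(n) returns a fresh secret.
function randomizeCompanyPasswords(UserRecord, randomString, companySysId, dryRun) {
  if (!companySysId) {
    // An empty filter value would not narrow the query to one customer.
    throw new Error("companySysId is required");
  }
  var changed = [];
  var gr = new UserRecord("sys_user");
  gr.addQuery("company", companySysId); // only users of this customer
  gr.query();
  while (gr.next()) {
    var name = String(gr.user_name);
    if (!dryRun) {
      // Same password-field call as the posted script, with a per-user value.
      gr.user_password.setDisplayValue(randomString(32));
      gr.update();
    }
    changed.push(name); // record the user name only, never the password
  }
  return changed;
}

// Runs only on a ServiceNow instance, where GlideRecord is defined.
if (typeof GlideRecord !== "undefined") {
  var COMPANY_SYS_ID = "<company sys_id>"; // placeholder, not a real value
  var users = randomizeCompanyPasswords(GlideRecord, function (n) {
    return GlideSecureRandomUtil.getSecureRandomString(n); // assumed available
  }, COMPANY_SYS_ID, true); // dry run first; pass false to apply the change
  gs.log("local passwords to randomize: " + users.join(", "));
}
```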