Remove deleted Groups/Users (LDAP import)
06-24-2015 06:22 AM
Hi All,
I'm wondering whether SN has no "out-of-the-box" solution for this (or maybe I haven't seen it yet).
We perform a User/Group Import every day and we have, of course, users and groups which are removed from our Active Directory.
How can I handle these removed users/groups the best way?
thanks in advance
regards Bernd
06-24-2015 07:00 AM
Yes, ServiceNow has an example deactivation script in the OOB user import. You can see it in the Transform Map, "LDAP User Import". There isn't an example group deactivation, but you could create one based on the user deactivation example.
The User deactivation script runs based on the userAccountControl parameter in LDAP.
    //Deactivate LDAP-disabled users during transform based on 'userAccountControl' attribute.
    //This transform script is inactive by default
    //
    //NOTE: User records must be visible based on the OU filter in order to be disabled
    //Convert the userAccountControl attribute to a hex value
    var ctrl = parseInt(source.u_useraccountcontrol, 10);
    ctrl = ctrl.toString(16);
    //The relevant digit is the final one
    //A final hex digit value of '2' in 'ctrl' means disabled (the ACCOUNTDISABLE flag is 0x0002)
    if (ctrl.substr(-1) == "2") {
        target.active = false;
        target.locked_out = true;
        if (action == 'insert')
            ignore = true;
    } else {
        //Optional: Reactivate and unlock the user account
        //target.active = true;
        //target.locked_out = ctrl.substr(-2, 1) == "1";
    }
06-24-2015 10:14 PM
Hi Bernd Klus, Mike Kaufman, there's not actually an OOB way to manage when a user or group is deleted from your AD. The example shared above by Mike is for the scenario of when a user is disabled, which is different from the problem that Bernd is stating.
One way of managing this is by having an LDAP last update date in your user and group table, which is updated every time a user or a group is updated from LDAP. Based on that timestamp, you can then have a scheduled job which inactivates your users or groups in ServiceNow if these haven't been updated in X hours or days of your preference.
I hope this is helpful! Greetings guys!
Thanks,
Berny
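Berny's stale-timestamp approach carried through as an added example (not code from the thread or from ServiceNow), written as plain Node.js so it runs stand-alone: the record shapes, the field name u_ldap_last_update and the sys_ids are assumptions, and in ServiceNow the same selection would be a Scheduled Script Execution querying sys_user and sys_user_group with GlideRecord. It also adds the guard a practitioner wants here: if the import job itself silently fails, every record looks stale, so the run refuses to deactivate an implausibly large share.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Transform-map side: stamp the record on every LDAP import, so the
// timestamp only advances for objects that still exist in the directory.
function stampLdapUpdate(record, nowIso) {
  return Object.assign({}, record, { u_ldap_last_update: nowIso });
}

// Scheduled-job side: records whose stamp is older than maxAgeDays.
// Records with no stamp are skipped: they were never sourced from LDAP
// (local admins, service accounts) and this job must not touch them.
function selectStale(records, nowIso, maxAgeDays) {
  const cutoff = Date.parse(nowIso) - maxAgeDays * DAY_MS;
  return records.filter(r =>
    r.active && r.u_ldap_last_update && Date.parse(r.u_ldap_last_update) < cutoff);
}

// Deactivate the stale set, but refuse when it is implausibly large: if the
// nightly import itself failed, every record looks stale and the job would
// lock out the whole company. Returns { deactivated, aborted, records }.
function runDeactivation(records, nowIso, maxAgeDays, maxFraction) {
  const stale = selectStale(records, nowIso, maxAgeDays);
  const eligible = records.filter(r => r.active && r.u_ldap_last_update);
  if (eligible.length > 0 && stale.length / eligible.length > maxFraction) {
    return { deactivated: [], aborted: true, records: records };
  }
  const staleIds = new Set(stale.map(r => r.sys_id));
  const updated = records.map(r => staleIds.has(r.sys_id)
    ? Object.assign({}, r, { active: false, locked_out: true })
    : r);
  return { deactivated: [...staleIds], aborted: false, records: updated };
}

// Constructed sample data; sys_ids, names and dates are made up.
const NOW = '2015-06-25T02:00:00Z';
const SAMPLE_USERS = [
  { sys_id: 'u1', user_name: 'bklus',  active: true,  u_ldap_last_update: '2015-06-25T01:00:00Z' }, // imported tonight
  { sys_id: 'u2', user_name: 'jdoe',   active: true,  u_ldap_last_update: '2015-06-10T01:00:00Z' }, // deleted from AD
  { sys_id: 'u3', user_name: 'svc_bk', active: true,  u_ldap_last_update: null },                   // local account
  { sys_id: 'u4', user_name: 'old',    active: false, u_ldap_last_update: '2015-01-01T01:00:00Z' }, // already off
  { sys_id: 'u5', user_name: 'asmith', active: true,  u_ldap_last_update: '2015-06-25T01:00:00Z' }, // imported tonight
];

// Nightly run: 7-day threshold, abort if more than half the LDAP users look stale.
const result = runDeactivation(SAMPLE_USERS, NOW, 7, 0.5);
console.log(result.aborted, result.deactivated); // false [ 'u2' ]
```

The same functions apply unchanged to sys_user_group records, which is the group deactivation the thread notes has no OOB equivalent.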