Set all users inactive except user has admin and security_admin role

Vikram3 · ‎08-01-2018

Hi all,

Can anyone help me with background script to update all users set to active false except user has role admin & security_admin.

Mark Stanger · ‎08-01-2018

You can run this script from the 'Scripts - Background' module to lock out all non-admin users (which I'm guessing is what you want). If you really want to de-activate them, just replace all instances of 'locked_out' with 'active'. Note that the lines to actually update the records are commented out so that you can do a test run to check that it's getting the correct records. Once you've tested you can un-comment the 2 lines towards the bottom to actually execute the update.

lockout_users();

function lockout_users() {
  var gr = new GlideRecord("sys_user");
  gr.addQuery('locked_out', 'false');
  gr.addQuery('user_name', '!=', 'admin');
  gr.addQuery('user_name', '!=', 'DiscoveryUser');
  gr.query();
  while (gr.next()) {
    var role = new GlideRecord("sys_user_has_role");
    role.addQuery("user", gr);
    role.addQuery("role.name", 'admin');
    role.query();
    if (!role.hasNext()) {
      // gr.locked_out = true;
      gs.print(gr.user_name + ' - ' + gr.name + ' - ' + gr.locked_out);
      // gr.update();
    }
  }
  gs.log("Completed locking out non-admin accounts");
}

Typically, if you're trying to de-activate users, you're doing it because you don't want them to log into a dev environment or something similar. In my opinion, adjusting the login installation exit is a much better method than continually updating hundreds or thousands of user records after each clone. I created a solution at SN Guru that shows how you can do that if you prefer.

http://www.servicenowguru.com/system-definition/custom-login-validation-installation-exits/

View solution in original post

Mark Stanger · ‎08-01-2018

You can run this script from the 'Scripts - Background' module to lock out all non-admin users (which I'm guessing is what you want). If you really want to de-activate them, just replace all instances of 'locked_out' with 'active'. Note that the lines to actually update the records are commented out so that you can do a test run to check that it's getting the correct records. Once you've tested you can un-comment the 2 lines towards the bottom to actually execute the update.

lockout_users();

function lockout_users() {
  var gr = new GlideRecord("sys_user");
  gr.addQuery('locked_out', 'false');
  gr.addQuery('user_name', '!=', 'admin');
  gr.addQuery('user_name', '!=', 'DiscoveryUser');
  gr.query();
  while (gr.next()) {
    var role = new GlideRecord("sys_user_has_role");
    role.addQuery("user", gr);
    role.addQuery("role.name", 'admin');
    role.query();
    if (!role.hasNext()) {
      // gr.locked_out = true;
      gs.print(gr.user_name + ' - ' + gr.name + ' - ' + gr.locked_out);
      // gr.update();
    }
  }
  gs.log("Completed locking out non-admin accounts");
}

Typically, if you're trying to de-activate users, you're doing it because you don't want them to log into a dev environment or something similar. In my opinion, adjusting the login installation exit is a much better method than continually updating hundreds or thousands of user records after each clone. I created a solution at SN Guru that shows how you can do that if you prefer.

http://www.servicenowguru.com/system-definition/custom-login-validation-installation-exits/

Vikram3 · ‎08-01-2018

That was really helpful. Thanks a lot.

Mark Stanger · ‎08-01-2018

No problem. I also just noticed this solution (although I haven't used or tested it myself).

https://share.servicenow.com/app.do#/detailV2/45c76d302b504e004a1e976be8da151a/overview

Vikram3 · ‎08-01-2018

Wow. Looks cool. Thank you so much Mark.