user in LDAP is deleted but still have them on service now
‎01-04-2018 12:56 PM
A user in LDAP is deleted and is not there anymore, but I still have them on ServiceNow. I want them to be locked on ServiceNow when the user is not in LDAP anymore.

‎01-04-2018 01:06 PM
Hi Ali,
Please check the LDAP integration. How are you deleting the record directly from Active Directory?
There should be a request, which should create a task for both the Active Directory team and the ServiceNow team to delete their corresponding records.
If it is part of a termination, the termination should also trigger a delete in ServiceNow. Usually we don't delete an AD record. We deactivate it on termination, and after 3 months, if the user is still inactive, we delete that record. It depends on your company policies.
Please mark this response as correct or helpful if it assisted you with your question.
‎01-04-2018 01:10 PM
ServiceNow is connected to LDAP, not to AD, so the account will be disabled in AD but it will be deleted in LDAP, so ServiceNow will not see the user in LDAP anymore, so ServiceNow should mark this user as a locked user, but it is not. Is there a way for them to be locked automatically?

‎01-04-2018 01:14 PM
AD is the data source. LDAP is just a protocol. You need to find out from where and how it is getting deleted and control it from there.
Please mark this response as correct or helpful if it assisted you with your question.
‎01-04-2018 01:15 PM
Hello Ali,
May I suggest a scheduled job to set locked=true for the appropriate records?
If you update daily, your job could filter the user table for user records that have a source starting with ldap and an updated date before yesterday. Run the job daily.
EDIT - FWIW: We added a custom field to the user record named "admin_notes". If you had a field like this, the record could update the admin notes to note the date/time that the record was locked. If the user is in any groups or has any special roles, those could be noted in the admin notes and the corresponding relation removed from the user record. Noting the group membership and roles will facilitate the situation where a user returns and the account needs to be reactivated.
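The scheduled job described in the answer above, written out as an added example that is not from the thread or from ServiceNow itself. It models the selection and locking logic as plain functions over an in-memory user table so it can be run offline; in an instance the same steps would be a Scheduled Script Execution using GlideRecord over sys_user (where the lock flag is the `locked_out` field and the import origin is the `source` field), sys_user_grmember and sys_user_has_role. The user records, the `lastImportOk` flag and the `admin_notes` field are constructed or assumed for the example.

```javascript
// Added example: models the "lock stale LDAP users" scheduled job outside
// ServiceNow. Field names (source, sys_updated_on, locked_out, admin_notes)
// follow sys_user; groups/roles are flattened into arrays for the model.

const DAY_MS = 24 * 60 * 60 * 1000;

// Select users imported from LDAP that the most recent daily import did not
// touch: source starts with "ldap" and the last update is older than one day.
// lastImportOk is an assumed signal from the import run (e.g. the import set
// finished without error); without it a failed import would make every LDAP
// record look stale and the job would lock the whole LDAP population.
function selectStaleLdapUsers(users, now, lastImportOk) {
  if (!lastImportOk) {
    return []; // refuse to act on a stale or failed import
  }
  const cutoff = new Date(now.getTime() - DAY_MS);
  return users.filter(u =>
    !u.locked_out &&
    typeof u.source === 'string' &&
    u.source.toLowerCase().startsWith('ldap') &&
    new Date(u.sys_updated_on) < cutoff
  );
}

// Lock one user: record the lock time plus the group and role memberships
// being removed in admin_notes (so the account can be restored later),
// then clear the relations and set the lock flag.
function lockUser(user, now) {
  const note = {
    locked_at: now.toISOString(),
    reason: 'not present in LDAP import',
    groups: user.groups.slice(),
    roles: user.roles.slice(),
  };
  user.locked_out = true;
  user.admin_notes = (user.admin_notes ? user.admin_notes + '\n' : '') + JSON.stringify(note);
  user.groups = [];
  user.roles = [];
  return note;
}

// One run of the daily job; returns what was locked for an audit trail.
function runLockJob(users, now, lastImportOk) {
  const stale = selectStaleLdapUsers(users, now, lastImportOk);
  return stale.map(u => ({ user_name: u.user_name, note: lockUser(u, now) }));
}

// Constructed sample data: "now" is the morning after a successful import.
// alice was refreshed by last night's import, bob was not (deleted in LDAP),
// svc_monitor is a local account and must never be touched by this job.
const NOW = new Date('2018-01-05T06:00:00Z');
function sampleUsers() {
  return [
    { user_name: 'alice', source: 'ldap:CN=alice,OU=Staff,DC=example,DC=com',
      sys_updated_on: '2018-01-05T02:00:00Z', locked_out: false,
      groups: ['Service Desk'], roles: ['itil'], admin_notes: '' },
    { user_name: 'bob', source: 'ldap:CN=bob,OU=Staff,DC=example,DC=com',
      sys_updated_on: '2017-12-28T02:00:00Z', locked_out: false,
      groups: ['Network Ops', 'CAB'], roles: ['itil', 'change_manager'], admin_notes: '' },
    { user_name: 'svc_monitor', source: '',
      sys_updated_on: '2017-11-01T00:00:00Z', locked_out: false,
      groups: [], roles: ['admin'], admin_notes: '' },
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runLockJob(sampleUsers(), NOW, true), null, 2));
}
```

Running it locks only bob and leaves a JSON note in his admin_notes listing the two groups and two roles that were stripped. The `lastImportOk` guard is the check worth carrying into the real job: the "updated before yesterday" heuristic only works because a successful import touches every record still present in LDAP, so the job should verify the previous import completed before treating an untouched record as deleted.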