Prevent All Users from Logging on except for administrators

‎10-07-2009 06:00 AM
Hello,
We have an instance going live on Monday morning and would like to prevent all users from logging on from Thursday evening until we go-live. I don't obviously want to remove the accounts from Service-Now nor do I want to have to deactivate their accounts in AD as they need to continue to log on to the network.
I would appreciate anybody's feedback on this.
Thanks
Scott
Labels: Orchestration (ITOM), Service Mapping

‎10-07-2009 08:58 AM
You can accomplish this by using an installation exit to override the standard 'Login' installation exit.
http://wiki.service-now.com/index.php?title=Installation_Exits
1) Navigate to 'System Definition -> Installation Exits'
2) Create a new Installation Exit record
3) Name the Installation Exit 'AdminOnlyLogin', set it to 'Active' and set the 'Overrides' field with a value of 'Login' (this is the name of the out-of-box 'Login' installation exit). When you are ready to let all users log in again you can simply de-activate the 'AdminOnlyLogin' installation exit record and everyone will be able to log in again.
4) Use the following script...
    gs.include("PrototypeServer");

    var Login = Class.create();
    Login.prototype = {
        initialize : function() {
        },

        process : function() {
            // the request is passed in as a global
            var userName = request.getParameter("user_name");
            var userPassword = request.getParameter("user_password");
            var user = Packages.com.glide.sys.User;
            var isAdmin = false;

            // Look up the user record for the submitted user name
            var rec = new GlideRecord('sys_user');
            rec.addQuery('user_name', userName);
            rec.query();
            if (rec.next()) {
                // Query the roles table for this user
                var rec1 = new GlideRecord('sys_user_has_role');
                rec1.addQuery('user', rec.sys_id);
                rec1.query();
                while (rec1.next()) {
                    if (rec1.role.getDisplayValue() == 'admin') {
                        isAdmin = true;
                        break;
                    }
                }
            }

            // Allow the login only when the credentials are valid and the user has the 'admin' role
            var authed = user.authenticate(userName, userPassword);
            if (authed && isAdmin)
                return user.getUser(userName);

            // Everyone else gets the standard failed-login handling
            this.loginFailed();
            return "login.failed";
        },

        loginFailed : function() {
            // Show the standard invalid-login message in the session
            var sysMessage = Packages.com.glide.ui.SysMessage;
            var message = sysMessage.format("login_invalid");
            var GlideSession = Packages.com.glide.sys.GlideSession.get();
            GlideSession.addErrorMessage(message);

            // Queue a login.failed event for the submitted user name
            var userName = request.getParameter("user_name");
            var EventManager = Packages.com.glide.policy.EventManager;
            EventManager.queue("login.failed", "", userName, "");
        }
    };

‎10-07-2009 08:59 AM
Thanks for your response Mark. I have actually decided that I will disable the LDAP connection until the day we go-live and just use local accounts to log on to SNC.
Thanks again.
Scott

‎06-25-2020 03:46 PM
Hi Mark,
I have been looking at your solution for our upgrade process and was wondering if this also works with SSO? In the instance I am working on, I have the standard login script and a MultiSSOLogin override. Would I have to disable the SSO script when activating the AdminOnlyLogin script?
Thank you,
Jay

‎10-15-2010 02:05 PM
I've fully documented the solution I provided below. The script below actually has some problems. Here's the updated solution.
http://www.servicenowguru.com/system-definition/custom-login-validation-installation-exits/