Active Directory disabled user info is not in sync with ServiceNow
‎09-04-2014 10:21 AM
Hi there,
I am Venu Gopal and recently started working with ServiceNow. We have an issue with the AD user info sync with ServiceNow. ServiceNow has exported all the user info from Active Directory, and whenever we update a user record in Active Directory it gets synced in ServiceNow as well. The only issue we have is that whenever a user is disabled in Active Directory, the same user record should get disabled in ServiceNow also. But this is not happening, due to which, even after the user has left the company, users are assigning tickets to that user. Can somebody help us resolve this synchronization issue between Active Directory and ServiceNow on disabled user accounts? This would be a great help.
Thanks in advance!
Regards,
Venu
‎09-04-2014 11:27 AM
Sure, it is one of your transform scripts. It should be the "onBefore" script. We are using the following code because in AD the code for inactive is 512; you would need to coordinate with your AD group to find out what the user account control for inactive is.
    // Deactivate LDAP-disabled users during transform based on the 'userAccountControl' attribute
    // userAccountControl is a bit field: 0x0002 = ACCOUNTDISABLE, 0x0010 = LOCKOUT
    var ctrl = parseInt(source.u_useraccountcontrol, 10);
    // Skip rows with a missing or non-numeric value rather than reactivating the user
    if (!isNaN(ctrl)) {
        if ((ctrl & 0x0002) !== 0) {
            // Deactivate and lock the user account
            target.active = false;
            target.locked_out = true;
            // Ignore any insert of a disabled record
            if (action == 'insert') {
                ignore = true;
            }
        } else {
            // Optional: reactivate and unlock the user account
            target.active = true;
            target.locked_out = (ctrl & 0x0010) !== 0;
        }
    }
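Added example, not part of the original post or of ServiceNow's own script: userAccountControl is a bit field, so the disabled state is the ACCOUNTDISABLE bit (0x0002) rather than one fixed number. This plain JavaScript decodes constructed sample values and compares a bitmask test with a check of only the last hex digit; the function names are hypothetical.

```javascript
// Added example: decode AD userAccountControl as a bit field (flag values per Microsoft's documentation).
const UAC_FLAGS = {
  SCRIPT: 0x0001,
  ACCOUNTDISABLE: 0x0002,
  HOMEDIR_REQUIRED: 0x0008,
  LOCKOUT: 0x0010,
  PASSWD_NOTREQD: 0x0020,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000
};

// Names of the flags set in a numeric userAccountControl value.
function decodeUac(value) {
  return Object.keys(UAC_FLAGS).filter((name) => (value & UAC_FLAGS[name]) !== 0);
}

// Decide what a transform should do with one imported row. Returns null for a
// missing or non-numeric attribute so the caller leaves the record untouched.
function uacDecision(raw) {
  const text = String(raw === null || raw === undefined ? '' : raw).trim();
  if (!/^\d+$/.test(text)) return null;
  const value = parseInt(text, 10);
  const disabled = (value & UAC_FLAGS.ACCOUNTDISABLE) !== 0;
  return {
    flags: decodeUac(value),
    active: !disabled,
    lockedOut: disabled || (value & UAC_FLAGS.LOCKOUT) !== 0
  };
}

// Heuristic for comparison: disabled only when the last hex digit is exactly '2'.
function lastHexDigitSaysDisabled(raw) {
  return parseInt(raw, 10).toString(16).slice(-1) === '2';
}

// Constructed sample values, as strings the way an LDAP import delivers them.
const SAMPLES = ['512', '514', '546', '66050', '522', ''];

function report(samples) {
  return samples.map((raw) => {
    const d = uacDecision(raw);
    return d === null
      ? `${JSON.stringify(raw)}: no usable value, leave record unchanged`
      : `${raw}: [${d.flags.join(', ')}] active=${d.active} ` +
        `lastHexDigit=${lastHexDigitSaysDisabled(raw)}`;
  });
}

console.log(report(SAMPLES).join('\n'));
```

The constructed value 522 (0x20A) has ACCOUNTDISABLE set together with HOMEDIR_REQUIRED, so the bitmask test reports it as disabled while the last-hex-digit check does not.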
‎09-04-2014 10:08 PM
Hi Doug,
Many thanks for your help.
Does this script run whenever an account is disabled in AD?
Regards,
Venu
‎09-05-2014 12:19 AM
Hi Venu,
In addition to what Doug Andrews mentioned, please make sure that the filter you are using for isn't already filtering out inactive users.
Thanks,
Dhananjay
‎09-05-2014 12:54 AM
Hi, Venu!
I believe Doug is talking about an onBefore transform script for LDAP user import. It will run every time the user import is performed. There is one on demo instances - you just need to consult with people responsible for AD maintenance to understand how to modify it, based on what attribute is used to mark disabled users in your AD.
Hope that helps,
Valery.