Are you using codes to identify inactive users? Microsoft Active Directory UserAccountControl

The out of the box onBefore Transform Map script should inactive the user with one of the inactive codes. The script also contains:

    if (action == 'insert')

          ignore = true;

which if you decided to map the OU Termed, would prevent all the Termed users come in.

While the scheduled job way will work, we prefer something more immediate. Once AD is inactivated, SN account is inactivated.

Hi Thomas,

You may follow use LDAP data sources to import everything into the in-trim tables & subsequently filter off the data that you would required.

My current implementation has a similar issue as well, my customer basically has 2 different forest in their active directory & multiple domains.

The challenge was to identify the real users within their Active Directory, as they have multiple duplicates identity within AD as well.

In the environment they have other system in place such as PeopleSoft -> Custom PeopleFinder Applications -> Forefront Identity Manager -> Active Directory.

The solution that after much discussion with my customer was to leverage on certain unique identifiers from the custom PeopleFinder application which pumps into an custom extension attributes to Active Directory for filtering purposes.

1.) I've used the LDAP filter to execute the first cut of filtering for each forest & domains. Below is the example.

(&(objectClass=person)(extensionAttribute9=*)(sAMAccountName=*)(mail=*)(!(mail=*@xxxx.com*))(!(mail=*@xxxx.com*))(!(objectClass=Contact))(!(objectClass=computer))

2.) Importing the person objects into interim tables thereafter using the script as attached in the below reference to automatically disable identities in ServiceNow.

Reference: Deactivating Users From LDAP - ServiceNow Guru

Reference: https://confluence.atlassian.com/display/DEV/How+to+write+LDAP+search+filters

3.) Schedule the LDAP import on a daily basis.

Hope this would help you in a way.

Regards,

Tristan Cheong