Question on deactivating users from LDAP - Best Practice, How others are doing this.

BLangley
Tera Contributor

We are preparing to integrate to Service-Now, and will be using LDAP to retrieve our user records. I've reviewed a few articles on how to detect disabled users in the LDAP process. Two methods are mentioned: using a separate LDAP process to filter out disabled users, and using filtering with the main LDAP refresh process. What I would like to find out is how others are performing this task and if one method outweighs the other. Below are the two articles I have read. Thanks for any insight you can provide!

http://wiki.service-now.com/index.php?title=Detecting_Disabled_LDAP_Records
http://www.servicenowguru.com/system-definition/imports/deactivating-users-ldap/

4 REPLIES

gmat11
Kilo Explorer

My company also uses LDAP to retrieve user records. I've employed the Filtering method in section 4 of the referenced Wiki article and the onBefore script by Valor Poland as mentioned in the guru article to disable/enable an SN account once that account is disabled/enabled in ADUC, and so far it seems to work great.

However, I am less clear about how to handle a user account that gets deleted from ADUC without it first being disabled. My LDAP runs at 3am and any deletions to a user account in ADUC before that account is disabled, and before the nightly LDAP process runs, will not disable the user account in SN. The SN account will stay active. The above referenced Wiki article has a section about that (Section 5: Removing Users), though it's not very clear to me.

I have a number of questions based off of quotes taken from the Wiki article.

1. "Another scheduled job can be created to run a daily script that checks for user accounts that have not been refreshed via LDAP in more than 30 days. Once detected, these accounts can be inactivated" — I'm assuming that this means that a new LDAP job needs to be created. Is there a way to include this in the LDAP job that already runs each night?

2. "In order for this to work, you will need to add a custom field to the sys_user table that keeps track of the last time the record was refreshed from your LDAP server." — Does this mean that I create a new field in the User form (which can be named Last Refreshed), and if so, what type of field is it? A string? If I don't add a field to the User form, how do I add a custom field to the sys_user table?

3. "You will also need to create a transform script that updates this field with the current date/time, every time LDAP refreshes the record. That script should have a line of code like: target.u_last_refreshed = gs.now();" - When should this script run? onBefore, onStart? Is there any other code in this script that is needed?

4. The article then has a script written out, but it is not clear to me where or how that script is to be used.

Any help with these questions would be welcomed.


andric
Giga Contributor

Hi Gary,

I was able to follow the Detecting Disabled LDAP Records - ServiceNow Wiki guide regarding users removed from AD.

Here is the summary of required tasks:

1. Create a u_last_refreshed field on the sys_user table.

2. Add the script from the screenshot [image not reproduced] to your LDAP user import transform map. Do not add it to the transform scripts but instead to the main script. This will ensure the date is written to every checked record.

3. Run the import to ensure the script is writing dates to the u_last_refreshed field.

4. Create a daily schedule to run after your LDAP import (I have it running 30 minutes later).

Create a new schedule under System Definition > Scheduled Jobs and click New.

Set the schedule and time.

Paste the below script:

disable_users();

// Deactivate LDAP-sourced users whose record has not been refreshed by the
// LDAP import in the last 30 days. 'source' holds the LDAP DN for imported
// users, so locally created users (empty source) are never touched.
function disable_users() {
  var gr = new GlideRecord("sys_user");
  gr.addNotNullQuery('source');   // only users that came from LDAP
  gr.addActiveQuery();            // only users that are still active
  gr.query();
  while (gr.next()) {
    // Both sides are 'yyyy-MM-dd HH:mm:ss' strings, so a plain string
    // comparison orders them correctly. An empty u_last_refreshed sorts
    // before any date and is therefore treated as stale.
    if (gr.u_last_refreshed.toString() < gs.daysAgoStart(30)) {
      gs.log("Disabled inactive user: " + gr.user_name + " - last updated: " + gr.u_last_refreshed);
      gr.active = false;
      gr.update();
    }
  }
  gs.log("Completed disabling inactive accounts");
}

PS.
I recommend the above steps be performed in a dev instance and captured in an update set for upload to production once working.

Scheduled jobs are not captured in update sets, so this will need to be created manually.

Best of luck...
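The decision logic of the scheduled job described in the reply above, as an added example that is not part of the thread or of ServiceNow: plain JavaScript that runs in Node, with a constructed array of sys_user rows standing in for the GlideRecord query and gs.daysAgoStart emulated locally. It keeps the posted job's filters (non-empty source, active) and 30-day cutoff, but parses u_last_refreshed as a date and reports users with an empty u_last_refreshed separately instead of deactivating them. That last point is a design choice of this example, not what the posted job does: the posted string comparison treats an empty value as older than any date and disables the user.

```javascript
// Added example (not from the thread): the "disable stale LDAP users" decision
// logic as plain JavaScript. In ServiceNow the rows would come from
// new GlideRecord('sys_user'); here a constructed array stands in for them.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample rows with the sys_user fields the job looks at.
// u_last_refreshed is the custom field the wiki article asks you to add,
// stamped 'yyyy-MM-dd HH:mm:ss' by the transform map on every refresh.
const SAMPLE_USERS = [
  { user_name: 'alice',     source: 'CN=Alice,OU=Staff,DC=corp,DC=example', active: true,  u_last_refreshed: '2014-05-20 03:05:11' },
  { user_name: 'bob',       source: 'CN=Bob,OU=Staff,DC=corp,DC=example',   active: true,  u_last_refreshed: '2014-04-01 03:04:58' },
  { user_name: 'carol',     source: 'CN=Carol,OU=Staff,DC=corp,DC=example', active: true,  u_last_refreshed: '' },            // never stamped
  { user_name: 'svc_local', source: '',                                      active: true,  u_last_refreshed: '' },            // not from LDAP
  { user_name: 'dave',      source: 'CN=Dave,OU=Staff,DC=corp,DC=example',  active: false, u_last_refreshed: '2014-01-10 03:02:00' }, // already inactive
];

// Emulates gs.daysAgoStart(days): midnight (UTC) of the day `days` days before `now`.
function daysAgoStart(now, days) {
  const d = new Date(now.getTime() - days * DAY_MS);
  return new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()));
}

// Parses a 'yyyy-MM-dd HH:mm:ss' GlideDateTime string as UTC; null for blank or malformed.
function parseGlideDateTime(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/.exec(s || '');
  if (!m) return null;
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
}

// Returns { stale, neverRefreshed }: user_names the job should deactivate, and
// LDAP-sourced active users that have no refresh stamp at all, which the
// operator should inspect (a transform map that never ran, or a field added
// after the user was imported) rather than silently disable.
function findStaleUsers(users, now, staleDays) {
  const cutoff = daysAgoStart(now, staleDays);
  const stale = [];
  const neverRefreshed = [];
  for (const u of users) {
    // addNotNullQuery('source') + addActiveQuery() from the posted job
    if (!u.source || !u.active) continue;
    const last = parseGlideDateTime(u.u_last_refreshed);
    if (last === null) {
      neverRefreshed.push(u.user_name);
      continue;
    }
    if (last < cutoff) stale.push(u.user_name);
  }
  return { stale, neverRefreshed };
}

// Usage with a fixed "now" so the result is reproducible.
const NOW = new Date(Date.UTC(2014, 5, 1, 4, 0, 0));
const result = findStaleUsers(SAMPLE_USERS, NOW, 30);
console.log('disable:', result.stale, 'review:', result.neverRefreshed);
```

Running the sweep 30 minutes after the import, as the reply suggests, matters here: if the job ran before the import finished, every user would look a day staler than it is, and on the 30th day that is the difference between keeping and disabling an account.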




ash_usman
ServiceNow Employee

There is no single right or wrong answer which applies to all customers. You need to do what is right for your organisation, and there are a number of different approaches for achieving this - the links you included mention a few possible approaches you should evaluate. In addition, check the LDAP Control field (http://ldapwiki.willeke.com/wiki/User-Account-Control%20Attribute); you can interrogate it in an onBefore Transform Script, i.e.

// Determine whether the AD account is disabled: the ACCOUNTDISABLE bit (0x2)
// of userAccountControl. The two values most often seen are 514
// (NORMAL_ACCOUNT | ACCOUNTDISABLE) and 66050 (514 | DONT_EXPIRE_PASSWORD),
// but testing the bit also catches disabled accounts that carry other flags.
var uac = parseInt(source.u_useraccountcontrol.toString(), 10);
if (!isNaN(uac) && (uac & 2) != 0) {
    target.active = false;
}
else {
    target.active = true;
}

Or you can add a filter to the LDAP so that you only pull active users (but obviously this means that you don't automatically set the status of existing ones in the system).

Hope this helps.
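The userAccountControl check from the reply above, as an added example that is not from the thread or from ServiceNow: plain JavaScript runnable in Node, where constructed sample values stand in for source.u_useraccountcontrol. It tests the ACCOUNTDISABLE bit (0x2) instead of matching the literals 514 and 66050, decodes the remaining flags for logging, and builds the equivalent LDAP filter using the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) for the "only pull active users" approach the reply also mentions. The flag names and values are Microsoft's ADS_USER_FLAG_ENUM; the sample values and their expected results are constructed for this example.

```javascript
// Added example (not from the thread): userAccountControl handling in plain
// JavaScript. In a ServiceNow onBefore transform script the value would be
// source.u_useraccountcontrol; here constructed strings stand in for it.

// Bit flags of the AD userAccountControl attribute (ADS_USER_FLAG_ENUM subset).
const UAC = {
  ACCOUNTDISABLE:            0x0002,
  LOCKOUT:                   0x0010,   // set by bad-password lockout, not by an admin disable
  PASSWD_NOTREQD:            0x0020,
  NORMAL_ACCOUNT:            0x0200,
  WORKSTATION_TRUST_ACCOUNT: 0x1000,   // computer account
  DONT_EXPIRE_PASSWORD:      0x10000,
  SMARTCARD_REQUIRED:        0x40000,
};

// Coerces the attribute (number, or the string the LDAP import delivers) to a
// non-negative integer; null when the attribute is missing or malformed.
function toUacInt(value) {
  const n = typeof value === 'string' ? parseInt(value, 10) : value;
  return Number.isInteger(n) && n >= 0 ? n : null;
}

// Names of all flags set in the value, useful in a gs.log() line when a
// transform decision looks wrong.
function decodeUac(value) {
  const n = toUacInt(value);
  if (n === null) return null;
  return Object.keys(UAC).filter(name => (n & UAC[name]) !== 0);
}

// The onBefore decision: true when ACCOUNTDISABLE is set, false when it is not,
// null when the value is unusable so the caller can choose (e.g. leave
// target.active unchanged) rather than silently re-enabling the user.
function isDisabled(value) {
  const n = toUacInt(value);
  if (n === null) return null;
  return (n & UAC.ACCOUNTDISABLE) !== 0;
}

// The server-side alternative from the reply: an LDAP filter that excludes
// disabled accounts with the bitwise-AND matching rule, so they never arrive
// in the import. The trade-off stands: an import that no longer sees a user
// cannot deactivate that user's existing sys_user record.
function activeUsersFilter() {
  return '(&(objectCategory=person)(objectClass=user)' +
         '(!(userAccountControl:1.2.840.113556.1.4.803:=' + UAC.ACCOUNTDISABLE + ')))';
}

// Constructed sample values and the result isDisabled() should give for each.
const SAMPLES = {
  '512':    false,  // NORMAL_ACCOUNT, enabled
  '514':    true,   // NORMAL_ACCOUNT | ACCOUNTDISABLE (literal used in the thread)
  '66050':  true,   // 514 | DONT_EXPIRE_PASSWORD      (the other literal)
  '66048':  false,  // NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, enabled
  '328194': true,   // 66050 | SMARTCARD_REQUIRED: missed by an exact-match check
  '4098':   true,   // disabled computer account
  '':       null,   // attribute missing on the source row
};

// True when every sample decodes as expected.
function checkSamples() {
  return Object.keys(SAMPLES).every(v => isDisabled(v) === SAMPLES[v]);
}

console.log('all samples OK:', checkSamples());
console.log('66050 =', decodeUac('66050').join(' | '));
console.log('filter:', activeUsersFilter());
```

Whichever approach is chosen, the 328194 case is the one to test in the dev instance: an exact match on 514 and 66050 imports that disabled account as active, while the bit test and the LDAP filter both handle it.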


Community Alums
Not applicable

gmat11 - Have you had any progress on this? Your questions are precisely where I'm at right now.