How to clean up inactive users w groups and roles

Go to solution
Poonam Joshi
Tera Contributor

‎07-30-2025 03:02 AM

clean up inactive users w groups and roles

0 Helpfuls
  • 558 Views
2 ACCEPTED SOLUTIONS

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron

‎07-30-2025 04:16 AM

@Poonam Joshi 

So what did you start with and where are you stuck?

Unless we know what's the script or error we can't help.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

View solution in original post

0 Helpfuls

Go to solution
Aniket Chavan
Tera Sage
Tera Sage

‎07-30-2025 04:56 AM

Hello @Poonam Joshi ,

 

This is a question that’s been asked many times over the years in the community.

 

From what I’ve seen in various expert discussions and threads, the general consensus is that deleting inactive users is usually not recommended. While it might sound like a clean approach, removing user records can break historical links — like incident assignments, approvals, or change history — and result in orphaned sys_ids, which can make auditing and tracking really difficult down the line.

Instead, most experts recommend the following:

 

Recommended Approach:

  • Mark users as inactive instead of deleting them.

  • Remove them from their group memberships and roles if no longer needed.

  • Log or archive their data, if you want to keep your active directories clean, while still maintaining historical integrity.

Some teams even maintain a separate "archived" user handling strategy — such as tagging users with a specific role or flag so that reports and filters can exclude them but records still retain ownership or creator information or you can create separate tables as well for this.

 

Example Use Case: Clean up inactive users from groups

A common automation teams implement is to remove inactive users from groups — with exceptions to protect key historical relationships. For example, you might decide:

  • If the inactive user is part of less than 5 groups, remove them.

  • If they're in 5 or more groups, log their info for review instead of deleting.

 

Here’s a sample script that shows how this logic could be implemented:

 

var inactiveUsers = new GlideRecord('sys_user');
inactiveUsers.addQuery('active', false);
inactiveUsers.query();

while (inactiveUsers.next()) {
    var userGroupMembership = new GlideRecord('sys_user_grmember');
    userGroupMembership.addQuery('user', inactiveUsers.sys_id);
    userGroupMembership.query();

    var groupCount = 0;
    while (userGroupMembership.next()) {
        groupCount++;
    }

    if (groupCount >= 5) {
        gs.print('User with 5+ groups: ' + inactiveUsers.name + ' (' + inactiveUsers.email + ')');
    } else {
        userGroupMembership.query(); // requery
        while (userGroupMembership.next()) {
            userGroupMembership.deleteRecord();
        }
    }
}

 

So to summarize:
🔹 Don’t delete inactive users unless absolutely necessary
🔹 Remove from groups/roles with caution and logging
🔹 Use scripts to automate cleanup while preserving audit trails

 

Hope this gives you a solid direction. Let me know if you’re views or what you are planning....

 

🔹 Please mark Correct if this solves your query, and 👍 Helpful if you found the response valuable.

 

Best regards,
Aniket Chavan
🏆 ServiceNow MVP 2025 | 🌟 ServiceNow Rising Star 2024

 

View solution in original post

4 REPLIES 4

Go to solution
GlideFather
Tera Patron

‎07-30-2025 03:22 AM

Hi @Poonam Joshi 

 

there are my ways how to do such cleanup.

What is your blocker or question? :))

———
/* If my response wasn’t a total disaster ↙️ drop a Kudos or Accept as Solution ↘️ Cheers! */


0 Helpfuls

Go to solution
Nikhil Bajaj9
Giga Sage

‎07-30-2025 03:22 AM

Hi @Poonam Joshi ,

 

Move those to Archive table. Don't delete as historical data will be required for reproting/compliance purpose.

 

Regards,

Nikhil Bajaj

Please appreciate my efforts, help and support extended to you by clicking on – “Accept as Solution”; button under my answer. It will motivate me to help others as well.
Regards,
Nikhil Bajaj
0 Helpfuls

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron

‎07-30-2025 04:16 AM

@Poonam Joshi 

So what did you start with and where are you stuck?

Unless we know what's the script or error we can't help.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

Go to solution
Aniket Chavan
Tera Sage
Tera Sage

‎07-30-2025 04:56 AM

Hello @Poonam Joshi ,

 

This is a question that’s been asked many times over the years in the community.

 

From what I’ve seen in various expert discussions and threads, the general consensus is that deleting inactive users is usually not recommended. While it might sound like a clean approach, removing user records can break historical links — like incident assignments, approvals, or change history — and result in orphaned sys_ids, which can make auditing and tracking really difficult down the line.

Instead, most experts recommend the following:

 

Recommended Approach:

  • Mark users as inactive instead of deleting them.

  • Remove them from their group memberships and roles if no longer needed.

  • Log or archive their data, if you want to keep your active directories clean, while still maintaining historical integrity.

Some teams even maintain a separate "archived" user handling strategy — such as tagging users with a specific role or flag so that reports and filters can exclude them but records still retain ownership or creator information or you can create separate tables as well for this.

 

Example Use Case: Clean up inactive users from groups

A common automation teams implement is to remove inactive users from groups — with exceptions to protect key historical relationships. For example, you might decide:

  • If the inactive user is part of less than 5 groups, remove them.

  • If they're in 5 or more groups, log their info for review instead of deleting.

 

Here’s a sample script that shows how this logic could be implemented:

 

var inactiveUsers = new GlideRecord('sys_user');
inactiveUsers.addQuery('active', false);
inactiveUsers.query();

while (inactiveUsers.next()) {
    var userGroupMembership = new GlideRecord('sys_user_grmember');
    userGroupMembership.addQuery('user', inactiveUsers.sys_id);
    userGroupMembership.query();

    var groupCount = 0;
    while (userGroupMembership.next()) {
        groupCount++;
    }

    if (groupCount >= 5) {
        gs.print('User with 5+ groups: ' + inactiveUsers.name + ' (' + inactiveUsers.email + ')');
    } else {
        userGroupMembership.query(); // requery
        while (userGroupMembership.next()) {
            userGroupMembership.deleteRecord();
        }
    }
}

 

So to summarize:
🔹 Don’t delete inactive users unless absolutely necessary
🔹 Remove from groups/roles with caution and logging
🔹 Use scripts to automate cleanup while preserving audit trails

 

Hope this gives you a solid direction. Let me know if you’re views or what you are planning....

 

🔹 Please mark Correct if this solves your query, and 👍 Helpful if you found the response valuable.

 

Best regards,
Aniket Chavan
🏆 ServiceNow MVP 2025 | 🌟 ServiceNow Rising Star 2024