
Find inactive LDAP accounts using the userAccountControl field

Identify when an Active Directory (AD) user is deleted (or made inactive).

Before you begin

Role required: admin

About this task

One method is to track the active status of AD users and create a business rule to update corresponding accounts when an AD account is inactive.

To find and deactivate inactive user accounts:

Procedure

  1. Create a new string field on the User [sys_user] table to track the value of the AD userAccountControl field. For example: u_ad_user_account.
  2. Create an LDAP transform script to set the field value.
    target.u_ad_user_account = source.userAccountControl
  3. Update the LDAP filter so that disabled AD accounts are also returned.
    Here is an example of a filter. Its last clause, (!(userAccountControl:1.2.840.113556.1.4.803:=2)), is a bitwise-AND match that excludes every account whose ACCOUNTDISABLE bit is set, so disabled users never reach the import.
    (&(objectClass=person)(sn=*)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    Here is an example of a replacement filter you can use. It drops that clause so disabled accounts are imported together with their userAccountControl value.

    (&(objectClass=person)(sn=*)(!(objectClass=computer)))
  4. Create an onChange business rule to set the active field to false whenever the u_ad_user_account field has the value 514.
    '514' indicates an inactive account.
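The business rule logic from step 4, as an added example that is not part of the ServiceNow documentation or product code: plain JavaScript over constructed sample records instead of a live GlideRecord. It generalizes the exact comparison with 514 to a test of the ACCOUNTDISABLE bit, because 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), and a disabled account with further flags set (for example DONT_EXPIRE_PASSWORD, giving 66050) is still disabled but never equals 514.

```javascript
// Bits of the AD userAccountControl bitmask used here.
const ACCOUNT_DISABLE = 0x2;   // account is disabled
const NORMAL_ACCOUNT = 0x200;  // 512: ordinary user account

// u_ad_user_account is a string field (the transform copies the raw AD integer as text).
// Returns the integer value, or null when the field is empty or not a number.
function parseUac(value) {
  if (value === null || value === undefined) return null;
  const n = parseInt(String(value).trim(), 10);
  return Number.isInteger(n) && n >= 0 ? n : null;
}

// True when the ACCOUNTDISABLE bit is set, whatever other flags are present.
function isDisabled(uacValue) {
  const n = parseUac(uacValue);
  return n !== null && (n & ACCOUNT_DISABLE) !== 0;
}

// New value for the user's `active` field, or null when the AD value is missing
// so the rule leaves `active` untouched rather than deactivating on bad data.
function decideActive(uacValue) {
  const n = parseUac(uacValue);
  if (n === null) return null;
  return (n & ACCOUNT_DISABLE) === 0;
}

// Constructed sample users (not real data); `active` is the value before the rule runs.
const sampleUsers = [
  { user_name: 'alice', u_ad_user_account: String(NORMAL_ACCOUNT), active: true }, // 512: enabled
  { user_name: 'bob',   u_ad_user_account: '514',   active: true }, // 512 + 2: disabled
  { user_name: 'carol', u_ad_user_account: '66050', active: true }, // 65536 + 512 + 2: disabled, exact-514 check would miss it
  { user_name: 'dave',  u_ad_user_account: '',      active: true }, // not yet synced: leave as is
];

// Apply the rule to every record. In a ServiceNow business rule the same decision
// would read current.u_ad_user_account and assign the result to current.active.
function applyRule(users) {
  return users.map(function (u) {
    const next = decideActive(u.u_ad_user_account);
    return Object.assign({}, u, { active: next === null ? u.active : next });
  });
}
```

Guard against `active` ever being set back to true by this rule alone if your source of truth for re-enabling accounts is elsewhere; `decideActive` returns true for an enabled AD account, so drop that branch if only deactivation is wanted.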