Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

Find inactive LDAP accounts using the lastRefresh time

Find inactive LDAP accounts using the lastRefresh time

Locate accounts with inactive or missing LDAP connections.

Before you begin

Role required: admin

About this task

One method is to add a lastRefresh field to the user record and set the value during the import process. Then create a scheduled job that checks for users that have not been refreshed in 30 days, and deactivate them.
Warning: If the LDAP import fails for 30 days then everyone is deactivated.

To find and deactivate inactive user accounts:

Procedure

  1. Create a datetime field on the User [sys_user] table. For example, u_last_refreshed.
  2. Create an LDAP transform script to set the field value.
    target.u_last_refreshed = gs.now();
    For more information on using scripts in transform maps, on the target variable, see Transformation script variables.
  3. Create a scheduled job to find and deactivate the user accounts that have not been refreshed in 30 days.
    disable_users();
     
    function disable_users() {
    /*
    * query for active users with ldap source and last updated more than 30 days ago
    * disable them
    */
    var gr = new GlideRecord("sys_user");
    gr.addQuery('u_last_refreshed', '<', gs.daysAgoStart(30));
    gr.addQuery('active', true);
    gr.addQuery('source', '!=', '');
    gr.query();
    while (gr.next()) {
    gr.active = false;
    gs.log("Disabled inactive user: " + gr.user_name + " - last updated: " + gr.u_last_refreshed);
    gr.update();
    }
    gs.log("Completed disabling inactive accounts");
    }
  4. Create a report of user accounts that have been inactive for 15 days.