
Find inactive LDAP accounts using the lastRefresh time

Locate accounts with inactive or missing LDAP connections.

Before you begin

Role required: admin

About this task

One method is to add a lastRefresh field to the user record and set the value during the import process. Then create a scheduled job that checks for users that have not been refreshed in 30 days, and deactivate them.
Warning: If the LDAP import fails for 30 days then everyone is deactivated.

To find and deactivate inactive user accounts:


  1. Create a datetime field on the User [sys_user] table. For example, u_last_refreshed.
  2. Create an LDAP transform script to set the field value.
    target.u_last_refreshed = new GlideDateTime(); // stamp the record with the current date and time
    For more information on using scripts in transform maps and on the target variable, see Transformation script variables.
  3. Create a scheduled job to find and deactivate the user accounts that have not been refreshed in 30 days.
    disable_users();
    function disable_users() {
      /*
       * Query for active users with an LDAP source that were last refreshed
       * more than 30 days ago, and disable them.
       */
      var gr = new GlideRecord("sys_user");
      gr.addQuery('u_last_refreshed', '<', gs.daysAgoStart(30));
      gr.addQuery('active', true);
      gr.addQuery('source', '!=', '');
      gr.query();
      while (gr.next()) {
        gr.active = false;
        gr.update();
        gs.log("Disabled inactive user: " + gr.user_name + " - last updated: " + gr.u_last_refreshed);
      }
      gs.log("Completed disabling inactive accounts");
    }
  4. Create a report of user accounts that have been inactive for 15 days.
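The warning above (a failed import deactivates everyone) can be guarded against by checking that the import is still stamping records before the job disables anyone. The following is an added example, not ServiceNow's own code; the function names checkDeactivationSafety and collectStats and both thresholds are assumptions to adjust to your import schedule.

```javascript
// Added example; thresholds are assumptions, tune them to your import schedule.
var MAX_IMPORT_AGE_DAYS = 2;   // assumed: the LDAP import runs at least every 2 days
var MAX_STALE_FRACTION = 0.10; // assumed: one run should never disable over 10% of users
var DAY_MS = 24 * 60 * 60 * 1000;

// Pure decision logic: should the deactivation job run, given these counts?
function checkDeactivationSafety(stats) {
  if (stats.activeLdapUsers === 0) {
    return { proceed: false, reason: 'no active LDAP-sourced users' };
  }
  if (stats.newestRefreshMs === null) {
    return { proceed: false, reason: 'u_last_refreshed never set by the import' };
  }
  var ageDays = (stats.nowMs - stats.newestRefreshMs) / DAY_MS;
  if (ageDays > MAX_IMPORT_AGE_DAYS) {
    return { proceed: false, reason: 'import stalled: newest refresh ' + ageDays.toFixed(1) + ' days old' };
  }
  var fraction = stats.staleUsers / stats.activeLdapUsers;
  if (fraction > MAX_STALE_FRACTION) {
    return { proceed: false, reason: 'would disable ' + Math.round(fraction * 100) + '% of LDAP users' };
  }
  return { proceed: true, reason: 'ok' };
}

// Gathers the inputs on the instance (uses Glide APIs, so it runs only in ServiceNow).
function collectStats() {
  function countActiveLdap(staleOnly) {
    var ga = new GlideAggregate('sys_user');
    ga.addQuery('active', true);
    ga.addQuery('source', '!=', '');
    if (staleOnly) ga.addQuery('u_last_refreshed', '<', gs.daysAgoStart(30));
    ga.addAggregate('COUNT');
    ga.query();
    return ga.next() ? parseInt(ga.getAggregate('COUNT'), 10) : 0;
  }
  var newest = new GlideRecord('sys_user');
  newest.addNotNullQuery('u_last_refreshed');
  newest.orderByDesc('u_last_refreshed');
  newest.setLimit(1);
  newest.query();
  return {
    nowMs: new GlideDateTime().getNumericValue(),
    newestRefreshMs: newest.next() ? new GlideDateTime(newest.getValue('u_last_refreshed')).getNumericValue() : null,
    activeLdapUsers: countActiveLdap(false),
    staleUsers: countActiveLdap(true)
  };
}
// In the scheduled job: var v = checkDeactivationSafety(collectStats());
// if (!v.proceed) { gs.log('Skipping deactivation: ' + v.reason); } else { disable_users(); }
```

When the check refuses to proceed, the logged reason distinguishes a stalled import from an unexpectedly large batch, so an administrator can investigate before any account is disabled.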