Find inactive LDAP accounts using the lastRefresh time

Locate accounts with inactive or missing LDAP connections.

Before you begin

Role required: admin

About this task

One method is to add a lastRefresh field to the user record and set its value during the import process. Then create a scheduled job that checks for users who have not been refreshed in 30 days and deactivates them.
Warning: If the LDAP import fails for 30 days, then everyone is deactivated.

To find and deactivate inactive user accounts:

Procedure

  1. Create a datetime field on the User [sys_user] table. For example, u_last_refreshed.
  2. Create an LDAP transform script to set the field value.
    target.u_last_refreshed = gs.now();
    For more information on using scripts in transform maps, and on the target variable, see Transformation script variables.
  3. Create a scheduled job to find and deactivate the user accounts that have not been refreshed in 30 days.
    disable_users();

    function disable_users() {
        /*
         * Query for active users that have an LDAP source and whose
         * u_last_refreshed value is more than 30 days old, then disable them.
         */
        var gr = new GlideRecord("sys_user");
        gr.addQuery('u_last_refreshed', '<', gs.daysAgoStart(30));
        gr.addQuery('active', true);
        gr.addQuery('source', '!=', '');   // only users that came from an import source
        gr.query();
        while (gr.next()) {
            gr.active = false;
            gs.log("Disabled inactive user: " + gr.user_name + " - last updated: " + gr.u_last_refreshed);
            gr.update();
        }
        gs.log("Completed disabling inactive accounts");
    }
  4. Create a report of user accounts that have been inactive for 15 days.
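The following is an added example and is not part of the ServiceNow documentation or the script above. It is a stand-alone Node.js model of the scheduled job (step 3) and the 15-day report (step 4), with one addition that addresses the Warning in About this task: if the import itself has stopped running, every account ages out at once, so the job refuses to deactivate anyone when more than a chosen fraction of LDAP-sourced users are stale, and logs that instead. The field names user_name, active, source and u_last_refreshed are the ones used in the procedure; the user records, the function names classifyUsers and planDeactivation, and the constants REPORT_DAYS, DISABLE_DAYS and MAX_STALE_FRACTION are constructed for this example. In a real scheduled job the array would be replaced by the GlideRecord queries shown in step 3.

```javascript
// Stand-alone model of the deactivation job (added example, not ServiceNow code).
// Records are plain objects here; in the instance they come from sys_user.

const DAY_MS = 24 * 60 * 60 * 1000;
const REPORT_DAYS = 15;          // step 4: report accounts not refreshed in 15 days
const DISABLE_DAYS = 30;         // step 3: deactivate accounts not refreshed in 30 days
const MAX_STALE_FRACTION = 0.5;  // assumed threshold: abort if over half of LDAP users are stale

// Sort active LDAP-sourced users into "report" and "disable" buckets by the age
// of their u_last_refreshed stamp. Mirrors the script's filters: active, has a
// source, and (because NULL never matches '<') has a refresh stamp at all.
function classifyUsers(users, now) {
  const report = [];
  const disable = [];
  let ldapUsers = 0;
  for (const u of users) {
    if (!u.active || !u.source) continue;
    ldapUsers++;
    if (!u.u_last_refreshed) continue;
    const ageDays = Math.floor((now - new Date(u.u_last_refreshed)) / DAY_MS);
    if (ageDays >= DISABLE_DAYS) disable.push(u.user_name);
    else if (ageDays >= REPORT_DAYS) report.push(u.user_name);
  }
  return { ldapUsers, report, disable };
}

// Guard for the failure mode in the Warning: when the import has stalled, the
// stale set is the whole population. Refuse to act and surface it as an alert
// rather than deactivating everyone.
function planDeactivation(users, now) {
  const c = classifyUsers(users, now);
  const fraction = c.ldapUsers ? c.disable.length / c.ldapUsers : 0;
  if (fraction > MAX_STALE_FRACTION) {
    return {
      ok: false,
      reason: 'import may have stalled: ' + c.disable.length + '/' + c.ldapUsers + ' LDAP users stale',
      report: c.report,
      disable: [],
    };
  }
  return { ok: true, reason: 'ok', report: c.report, disable: c.disable };
}

// Constructed sample records (not real users); ages are relative to NOW.
const NOW = new Date('2024-06-30T12:00:00Z');
const daysAgo = (n) => new Date(NOW.getTime() - n * DAY_MS).toISOString();
const SAMPLE_USERS = [
  { user_name: 'alice', active: true,  source: 'ldap:corp', u_last_refreshed: daysAgo(1) },
  { user_name: 'bob',   active: true,  source: 'ldap:corp', u_last_refreshed: daysAgo(20) },
  { user_name: 'carol', active: true,  source: 'ldap:corp', u_last_refreshed: daysAgo(45) },
  { user_name: 'dave',  active: false, source: 'ldap:corp', u_last_refreshed: daysAgo(90) },
  { user_name: 'svc',   active: true,  source: '',          u_last_refreshed: daysAgo(400) },
];

// Normal run: bob is reported, carol is disabled, the rest are left alone.
console.log(JSON.stringify(planDeactivation(SAMPLE_USERS, NOW)));
// Simulated stalled import: 40 days later nothing has been refreshed, so the job aborts.
console.log(JSON.stringify(planDeactivation(SAMPLE_USERS, new Date(NOW.getTime() + 40 * DAY_MS))));
```

The threshold is a judgement call: for a small directory a single missed import day can push many users over the line, so pair the fraction check with an alert on the import job's own success status rather than relying on either alone.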