Set disabled Active Directory users to inactive

Use the following script to automatically deactivate users when the associated AD user is disabled.

Before you begin

Role required: admin

About this task

You can identify disabled Active Directory users by checking the value of the userAccountControl attribute. This business rule runs whenever the userAccountControl value changes and deactivates the user account if that value indicates a disabled AD account.

Procedure

  1. Configure the User form and create a new integer field called User Account Control.
  2. Add mapping for userAccountControl (external) to the new field.
  3. Create a new business rule with the following properties:
    Table 1. Disable AD Users business rule

    Business rule field    Value
    Name                   Disable AD Users
    Table                  User [sys_user]
    When                   Before
    Condition              current.u_user_account_control.changes()

    The Script field should contain the following:

    // ACCOUNTDISABLE is bit 0x2 of the AD userAccountControl attribute
    var disabledFlag = 2;
    // perform a bitwise comparison on userAccountControl to see if the 2 bit flag is enabled
    if (current.u_user_account_control & disabledFlag) {
      gs.log('Disabling user: ' + current.user_name + ' userAccountControl=' + current.u_user_account_control);
      current.active = 'false';
      current.locked_out = 'true';
    }
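The bit test the rule performs, together with a decode of the other userAccountControl flags, as an added JavaScript example that is not part of the ServiceNow documentation or the business rule above. The `applyDisableRule` helper and the sample records are constructed stand-ins for the `current` sys_user GlideRecord, so the code runs outside the platform.

```javascript
// Bit flags of the AD userAccountControl attribute (values from Microsoft's documentation).
const UAC = {
  ACCOUNTDISABLE:       0x0002,
  LOCKOUT:              0x0010,
  PASSWD_NOTREQD:       0x0020,
  NORMAL_ACCOUNT:       0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
  PASSWORD_EXPIRED:     0x800000,
};

// LDAP delivers userAccountControl as a decimal string, while the integer
// field in the rule holds a number. Accept either, reject anything else.
function parseUac(value) {
  const n = typeof value === 'number' ? value : parseInt(String(value), 10);
  if (!Number.isInteger(n) || n < 0) {
    throw new Error('userAccountControl is not a non-negative integer: ' + value);
  }
  return n;
}

// Same test the business rule performs: is the 0x2 (ACCOUNTDISABLE) bit set?
function isAdDisabled(uac) {
  return (parseUac(uac) & UAC.ACCOUNTDISABLE) !== 0;
}

// Names of every known flag that is set, useful when reviewing why a user was deactivated.
function decodeUac(uac) {
  const n = parseUac(uac);
  return Object.keys(UAC).filter((name) => (n & UAC[name]) !== 0);
}

// Simulates the Before business rule on a plain object standing in for `current`
// (hypothetical stand-in, not a GlideRecord). Returns the record as it would be saved.
function applyDisableRule(user) {
  const result = { ...user };
  if (isAdDisabled(user.u_user_account_control)) {
    result.active = false;
    result.locked_out = true;
  }
  return result;
}

// Constructed sample records: 512 = enabled normal account, 514 = disabled normal
// account, 66050 = disabled normal account whose password never expires.
const sampleUsers = [
  { user_name: 'alice.example', u_user_account_control: 512,   active: true, locked_out: false },
  { user_name: 'bob.example',   u_user_account_control: '514', active: true, locked_out: false },
  { user_name: 'svc.example',   u_user_account_control: 66050, active: true, locked_out: false },
];
```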