ServiceDesk

Dear all,

Using SD7.1 SP1, sometimes it would be nice to be able to (bulk) disable accounts using SQL. I tried to put the "AccountActive"-field in the table "User" to value 0, but some time later it is put to 1 again and the accounts are enabled.

Are there other values I have to change in order to disable an account in SQL?

Thanks for your help!

Are these AD accounts?  If so, an AD sync will likely sync those values back to 1.  you may need to ensure that the accounts are disabled on the AD side, assuming that's applicable.

This can be accomplished by writing an insert/update database trigger for the [User] table in the ProcessManager database. While it wouldn't necessarily be supported by Symantec, it'd be the easiest way to ensure that the AD sync doesn't reset the flag - the trigger would just reset it back.

When I disable an account using the portal, there is no problem, the accounts stay disabled after AD sync. So I think there must be some other value in some other table that sets the AccountActive flag to true again.

The account keep the "is AD user" flag as wel, so that cannot be the answer.

Thanks

Koen

When I need do something about that I create a temporary integraion project with Query to get the users and use in a temporary webform to active they users using default components.

Works fine for me. Maybe you can try.

If works fine for you, then you can create a procedure to get users id in a especific table and using in a DataServices Project to disable or enable user. So when you can do that, you insert the users needed to update and run the WebService.

africo is correct.  If you are using syncing with AD, the sync process will reset this value.  Even though I knew this, just to confirm, I disabled on of my accounts and ran the sync.  My account was reactivated.

You could always create a workflow to handle it as well.  Using the "Update User" component, you could be sure that the action is going to be basically the same as taking action through the console.  

As far as the values resetting, I still think you'll need to either exclude the users from the sync in some way, or (better yet) disable the user accounts in AD in order to prevent the sync of those accounts.  

In your test in which you mentioned:

When I disable an account using the portal, there is no problem, the accounts stay disabled after AD sync.

Did you then run a reset sync afterwards?  If not, run a reset sync and observe any changes with the account(s) you disabled via the console.

OK, I ran a reset sync and indeed all of the disabled accounts were enabled.

Is there a way to exclude OU's in AD? That would make things easier!!

Thanks for your help.

My memory of 7.1 SP1 is a little foggy.  If I remember right you can change the connection profile (Should be under either Admin > AD Server or Admin > Active Directory) for the domain to exclude certain OUs by checking the Organizational Unit box and then checking only the OUs you want to sync with.  The screenshot below shows how it is in 7.5 SP1 but I remember it being almost identical to 7.1 SP1.

Thanks for your input Justin. This might work but I am not responsible for AD-management. But, I have found a simpler solution. I get the results I want when I lock the accounts that should not make tickets.

I can do this using SQL there is no connection with AD so an AD sync will not change this flag.

Thank you all for your input!

Cheers

Koen