How to check if User Account is disabled in Active Directory from SharePoint using Nintex

Let’s jump straight in. It’s pretty straightforward to check whether a user account is disabled or enabled in Active Directory from SharePoint using Nintex.

For this demo, just create a SharePoint list and manually add the email IDs of AD users to it. You could also write server-side code to copy users from AD into the SP list, which I will skip here.

Summary

1) Create a site workflow in Nintex.

2) Read all the users from the SharePoint list and store them in a workflow collection.

3) Iterate through all the users in the collection and check whether each account is disabled in Active Directory.

4) Store all the disabled accounts in a separate WF variable.

5) Send a notification to a system administrator with the list of all disabled accounts, which they can then review and remove from AD.

Implementation

Create a SP list named ‘ActiveDirectoryUsers’. Add a field ‘UserId’ of type text to store the email IDs.

1) Create a Site Workflow as shown below. (Please click the images to enlarge; I have added thumbnails for clarity.)

2) Read all the users from the SharePoint list and store them in a workflow collection.

Drag and drop the ‘Query List’ action into the Nintex designer.

First configure it to create a collection workflow variable that will store all user emails. Click the ‘Variables’ link in the top navbar to create a workflow variable.

Now configure this action to store all user emails in the collection WF variable created above. Click the ‘Action’ tab and set it as shown in the screenshot –

3) Now, iterate through all the users stored in the collection and check whether their accounts are disabled in AD.

Drag and drop the ‘For each’ action into the Nintex designer and configure it as shown below.

Set ‘TargetCollection’ to ‘ListItemCollection’.

Create a WF variable ‘EmailId’ and set ‘Store result in’ to ‘EmailId’.

Now drag and drop the ‘Query LDAP’ action inside the ‘For each’ loop and configure it as –

Set LDAP path – [set the path to your AD]. To get the AD path, simply click the image icon on the right side.

Set Query – (&(objectCategory=user)(mail={WorkflowVariable:EmailId}))

NOTE – If you want to query AD by account name (domainname\username) instead, use the query below, but pass only the username to the ‘sAMAccountName’ property. That is, if your account name is ‘mydomain\XYZUser’, pass just ‘XYZUser’.

(&(objectCategory=user)(sAMAccountName=XYZUser))

Enter ‘UserAccountControl’ in the ‘Property to retrieve’ textbox and click Add. ‘UserAccountControl’ is one of the properties of an AD account that tells whether the account is enabled or disabled. It returns either 512 (enabled) or 514 (disabled). Note that userAccountControl is a bit field: 514 is 512 with the ACCOUNTDISABLE flag (0x2) set, and accounts carrying other flags (for example ‘password never expires’, which adds 65536) return other values such as 66048 or 66050, so testing the 0x2 bit is more robust than comparing for equality with 514. For more such properties, visit this link.

Create a new WF variable ‘AccountStatus’ to hold the status of the account. Set the action to store its result in ‘AccountStatus’ by choosing it from the drop-down list.


4) Store all the disabled accounts in a separate list/variable.

Drag and drop the ‘Run If’ action inside the for-each loop and configure it as shown in the image below –

Now, drag and drop the ‘Set variable’ action inside the if statement and configure it as –

Create a WF variable ‘AllDisabledUsers’. It will store the email IDs of all disabled users. Set it as shown in the picture below.
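As an added illustration of steps 3 and 4 (example code, not part of the original post or of Nintex), the snippet below does in Python what the ‘Query LDAP’ and ‘Run If’ actions do: it builds the same LDAP filter from the email value, escaping it so that list data cannot change the meaning of the filter, and decides ‘disabled’ by testing the ACCOUNTDISABLE bit of userAccountControl rather than comparing with 514. The sample query results are constructed; the function names are my own.

```python
# Added example: mimic the Query LDAP + Run If logic of the workflow.
# Flag values are the documented userAccountControl bits.
ACCOUNTDISABLE = 0x0002         # bit 1: account is disabled
NORMAL_ACCOUNT = 0x0200         # 512
DONT_EXPIRE_PASSWORD = 0x10000  # 65536

# Object identifier of the LDAP bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND)
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(user_account_control & ACCOUNTDISABLE)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (\\ * ( ) and NUL become \\xx)."""
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) == 0:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(email: str) -> str:
    """The filter used in the post's Query LDAP action, with the email escaped."""
    return "(&(objectCategory=user)(mail=%s))" % escape_filter_value(email)


def build_disabled_filter(email: str) -> str:
    """Variant that lets AD do the bit test, so only disabled accounts match."""
    return "(&(objectCategory=user)(mail=%s)(userAccountControl:%s:=%d))" % (
        escape_filter_value(email), BIT_AND_RULE, ACCOUNTDISABLE)


def find_disabled(results):
    """The For-each / Run-If loop over (email, userAccountControl) pairs."""
    return [email for email, uac in results if is_disabled(uac)]


# Constructed sample data standing in for what Query LDAP would return.
SAMPLE_RESULTS = [
    ("alice@example.com", 512),    # enabled
    ("bob@example.com", 514),      # disabled
    ("carol@example.com", 66048),  # enabled, password never expires
    ("dave@example.com", 66050),   # disabled, password never expires
]

if __name__ == "__main__":
    print(find_disabled(SAMPLE_RESULTS))  # ['bob@example.com', 'dave@example.com']
```

Comparing AccountStatus to 514 in the ‘Run If’ action would miss carol and dave style accounts; the bit test (or the bitwise filter, which makes AD return only disabled matches) does not.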

5) Send a notification to a system administrator with the list of all disabled accounts, which they can then review and remove from AD.

Drag and drop the ‘Send Notification’ action outside the for-each loop and configure it as shown below –


Finally, publish your workflow.

That’s it !!

In the end, you can either start this site workflow manually or schedule it to run as required. On completion of this workflow, an email will be sent to the configured recipient with the list of all users whose accounts are disabled in AD.
