nksf

How to deactivate user in all Salesforce sandboxes

We have multiple Sandboxes and it is a painful process to deactivate a user in all the sandboxes. What are the best options to deactivate a user in all sandboxes? If you think that there is code involved, please help me with the code because I am not a developer.
Thanks in advance!
Mubeen Qawi
Just run an anonymous executable script in "Developer Console - Execute Anonymous" to deactivate all the users in the sandbox.

Steps: Your Name > Developer Console > Debug > Open Execute Anonymous Window > Copy and paste the script below > Highlight the copied script > Click on Execute Highlighted.

Here's the script that you can run > Bingo!
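// Query up to 200 active users in this sandbox
List<User> queryu = [SELECT Id, IsActive FROM User WHERE IsActive = TRUE LIMIT 200];
List<User> User2Update = new List<User>();
if (!queryu.isEmpty())
{
    for (User u : queryu) {
        u.IsActive = false; // IsActive is a Boolean field, so assign a Boolean, not the string 'FALSE'
        User2Update.add(u);
    }
    update User2Update; // single bulk update for the whole list
}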

Note:
- You have to run this script in each sandbox where you want the users to be deactivated. There is no silver bullet to deactivate all the users in all the sandboxes with one click of a button. :)
- It's good practice to limit the batch update to 200 rows at a time. But you can increase it as you deem appropriate.
- Salesforce will throw exceptions if the governor limits have been reached, i.e. Salesforce is not able to process all the rows. In this case, you have to reduce the limit, let's say from 500 to 300.
- Also ensure you deactivate any validation rules or other aspects, such as workflows on User that trigger email notifications (for instance), in the sandbox in which you are running this script.

All the best. Hope this helps you save a ton of time.

Another alternative would be using Data Loader.

Regards,
Mubeen Qawi
Mubeen Qawi
Another important point:

This script will deactivate all the users in the system, regardless of user type/license.
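// Query up to 200 active users, whatever their user type or license
List<User> queryu = [SELECT Id, IsActive FROM User WHERE IsActive = TRUE LIMIT 200];
List<User> User2Update = new List<User>();
if (!queryu.isEmpty())
{
    for (User u : queryu) {
        u.IsActive = false; // IsActive is a Boolean field, so assign a Boolean, not the string 'FALSE'
        User2Update.add(u);
    }
    update User2Update; // single bulk update for the whole list
}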

If you want to deactivate only internal users, i.e. the Standard user type, then specify it in the query, as below:
List <User> queryu = [Select ID From User WHERE IsActive = TRUE AND UserType = 'Standard'  Limit 200];
nksf
Hi Mubeen,
Thanks for your reply! But I am looking for a way/options to deactivate the user in all the Sandboxes in one go.
Example: If the user is deactivated in Production, I am expecting all the Sandboxes to have the corresponding users deactivated.
We have more than 20 Sandboxes and it is very time consuming to manually deactivate one user from all the Sandboxes. 
Mubeen Qawi
Oh I see. One option (in theory) I can think of is deactivating users in Production (let's say over a weekend) and then refreshing all the 20 sandboxes.
nksf
We can't take the Sandbox refresh option.
I understand that there is no standard feature available to meet this requirement. I was just looking for a suggestion/workaround to meet this need. Do you know/recommend any app on the AppExchange which has this kind of feature, or can it be achieved by writing code? If the code option is there, what would be the complexity?
Ethan Spoelstra
This might not be the "best" way since it is very involved on the frontend, but it can be automated after the initial setup. The method I've come up with for doing this is creating a Connected App in Production (and each Sandbox if they don't automatically inherit it) linked to a "User Provisioning" Profile or similar Permission Set that can only create/deactivate users (and maybe do password resets to help "freeze" users and force SSO) and then have a "UserProvisioner" Admin/API user created and associated with that Profile and authorized for that Connected App (or set the setting within the app setup that admins are preauthorized) and then you can perform the above API calls against each environment using the corresponding "UserProvisioner" user you created for that environment.

This is the only way I can really see scaling horizontally across sandboxes or organizations easily. Another option if you are only worried about the Sandboxes and have another method of dealing with Production might be to publish a "Packaged App" as a development package so it is visible to any non-prod environments with similar permissions/settings as the above.

The code complexity doesn't necessarily have to be that high, as there are libraries like `simple_salesforce` that handle authenticating and interacting with the API; you just need to write the logic to perform the queries against your Users and perform the disabling.
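The per-sandbox loop described in the post above, sketched with `simple_salesforce` as an added example (not code from the thread or from Salesforce). The helper names, the `sandboxes` mapping and the credential layout are hypothetical, and it assumes each sandbox copy of the user has the Production username with `.<sandbox name>` appended.

```python
"""Deactivate one user in every sandbox via the REST API (added example)."""


def connect(username, password, token):
    # Lazy import so the remaining helpers work without the library installed.
    from simple_salesforce import Salesforce
    # domain="test" targets test.salesforce.com, the sandbox login host.
    return Salesforce(username=username, password=password,
                      security_token=token, domain="test")


def soql_quote(value):
    # Escape backslash and single quote so a username cannot alter the query.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def deactivate_in_org(sf, username):
    """Returns 'deactivated', 'already_inactive' or 'not_found' for one org."""
    soql = ("SELECT Id, IsActive FROM User "
            "WHERE Username = '%s'" % soql_quote(username))
    records = sf.query(soql)["records"]
    if not records:
        return "not_found"
    user = records[0]
    if not user["IsActive"]:
        return "already_inactive"
    sf.User.update(user["Id"], {"IsActive": False})
    return "deactivated"


def deactivate_everywhere(prod_username, sandboxes, connector=connect):
    """sandboxes: {sandbox_name: (provisioner_username, password, token)}.

    Credentials belong to the least-privilege provisioning user of each
    sandbox and should be loaded from a secrets store, not kept in source.
    """
    report = {}
    for name, creds in sandboxes.items():
        try:
            sf = connector(*creds)
            # Assumption: sandbox usernames are "<prod username>.<sandbox>".
            report[name] = deactivate_in_org(sf, f"{prod_username}.{name}")
        except Exception as exc:  # one failing sandbox must not stop the rest
            report[name] = f"error: {exc}"
    return report
```

The returned report gives one outcome per sandbox, so a failed login or a user who was never copied into a sandbox shows up as a line to review rather than stopping the run.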
Kaylee Kiefaber
To build off of Mubeen's code, I edited it so users with the system admin profile would be excluded, as well as having a try catch so if it does error on a user it just skips over them and deactivates everyone that it can. This will allow for users that might still have workflows associated with them or system accounts that have permission errors.

// Value in profileID quotes needs to be pulled from the admin profile for each sandbox
// Limit is for safety – can be removed or made a higher number
List<User> queryu = [SELECT Id FROM User WHERE IsActive = TRUE AND ProfileId != '00eA00000015CVm' LIMIT 200];
List<User> User2Update = new List<User>();
if (!queryu.isEmpty())
{
    for (User u : queryu)
    {
        User2Update.clear(); // Clears the list so that it can skip users that it errors on
        try
        {
            u.IsActive = false;
            User2Update.add(u);
            // One DML statement per user; each counts toward the per-transaction DML statement limit
            update User2Update;
        }
        catch (Exception e)
        { // Do nothing, to skip users that would cause errors
            System.debug('Failed to Deactivate: ' + e.getMessage());
        }
    }
}