Disable User In All SF Environments/Orgs (Production and Sandbox)

Anyone know of a clever way to disable users who’s left the company in all Orgs? In our particular case, one Production with several Sandboxes.

The closest I can come up with is to perhaps grab their UserID and set Active to False (essentially) to each Org using Excel Connection (which I use regularly) or Data Loader (blah).

I searched around and saw nothing about this. Seems like something “everyone” would want to do at the Administration level, as people leave the company and have a valid login in one Production, seven Sandboxes, and some Admins may only disable their user in Production…



Restrict by IP

Profile restrictions can prevent the user from logging in through remote locations, and this setting copies on Sandbox refreshes. Very simple procedure to kick them off your network, and they’ll be unable to log in.

Force Single Sign On

If SSO is enabled, and forced through My Domain, you can stop them from logging in through test.salesforce.com. There’s a small amount of work required to configure ADFS and Salesforce whenever you refresh a Sandbox, but it’s only a few minutes of effort for peace of mind.

Delegated Authentication

If you’re using delegated authentication, saleforce.com calls a webservice of your choosing to authenticate users. If this webservice is tied to, for example, to Active Directory, simply shutting off their network access also eliminates their salesforce.com access simultaneously– their license will be active, but they can’t actually log in.


Similarly, you could build a tool to freeze a user across many orgs all at once. For larger orgs where this may be a fairly common occurrence, it would probably be worth investing resources into, especially if it’s less expensive than the alternative (data leaks, legal liability, etc).

Source : Link , Question Author : AMM , Answer Author :

Leave a Comment