Deactivate groups not coming from LDAP

rambo1
Tera Guru

Hi team,

 

Need some suggestions on the below case:

We are getting groups via LDAP, but we only get active groups; when groups are deactivated on AD they are removed and are not brought back to ServiceNow to be marked as inactive.

What would be the best logic to deactivate groups which are deleted on AD in ServiceNow?

For now I am thinking this way:

If in the initial import 100 groups got created, and in the 2nd import 20 groups are removed in AD, LDAP brings only 80, so check the groups which are not brought from LDAP and deactivate them.

But if the load is too heavy this check would impact performance. Please let me know if there is any other logic or sample code used in any of your requirements.

Thanks in advance
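
The comparison described in the question, as an added example that is not part of the original post and is not ServiceNow's own code: it takes the group records and the DNs returned by the latest import as plain arrays, skips groups that did not come from LDAP, and refuses to act when the import looks empty or truncated. The field names, the "ldap:" source prefix and the 30% threshold are assumptions; the sample data is constructed.

```javascript
// Constructed sample: four LDAP-sourced groups and one created by hand.
const SAMPLE_GROUPS = [
  { sys_id: 'g1', source: 'ldap:CN=Network,OU=Groups,DC=example,DC=com', active: true },
  { sys_id: 'g2', source: 'ldap:CN=Database,OU=Groups,DC=example,DC=com', active: true },
  { sys_id: 'g3', source: 'ldap:CN=Helpdesk,OU=Groups,DC=example,DC=com', active: true },
  { sys_id: 'g4', source: 'ldap:CN=Legacy,OU=Groups,DC=example,DC=com', active: true },
  { sys_id: 'g5', source: '', active: true }, // manual group, no LDAP source
];
// Constructed sample: DNs seen in the latest import (Legacy was deleted in AD).
const SAMPLE_LDAP = [
  'cn=network,ou=groups,dc=example,dc=com', // case differs on purpose
  'CN=Database,OU=Groups,DC=example,DC=com',
  'CN=Helpdesk,OU=Groups,DC=example,DC=com',
];

const norm = (dn) => dn.trim().toLowerCase();

// Returns { apply, reason, candidates }. maxFraction is an assumed safety limit.
function planDeactivations(groups, ldapDns, maxFraction = 0.3) {
  // One Set lookup per group keeps the check linear even for large imports.
  const seen = new Set(ldapDns.map(norm));
  // Only active groups that LDAP created are candidates; groups without an
  // "ldap:" source were made by hand and must never be deactivated here.
  const managed = groups.filter(
    (g) => g.active && typeof g.source === 'string' && norm(g.source).startsWith('ldap:')
  );
  const candidates = managed
    .filter((g) => !seen.has(norm(g.source.trim().slice(5))))
    .map((g) => g.sys_id);
  // An empty or truncated result (bind failure, wrong OU, page limit) would
  // otherwise look like "every group was deleted in AD".
  if (seen.size === 0) {
    return { apply: false, reason: 'empty LDAP result', candidates: [] };
  }
  if (managed.length > 0 && candidates.length / managed.length > maxFraction) {
    return { apply: false, reason: 'too many missing, review first', candidates };
  }
  return { apply: true, reason: 'ok', candidates };
}

console.log(planDeactivations(SAMPLE_GROUPS, SAMPLE_LDAP));
```
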

3 REPLIES

Community Alums
Not applicable

Hi @rambo1 ,

To mark deleted groups in Active Directory as inactive in ServiceNow, you can use the Scheduled Job functionality of ServiceNow along with a PowerShell script to query Active Directory and update ServiceNow accordingly.

Here's an outline of the steps involved:

  1. Create a Scheduled Job in ServiceNow that will run on a regular basis (e.g. daily) to check for deleted groups in Active Directory.

  2. Write a PowerShell script that will query Active Directory for deleted groups and update the corresponding records in ServiceNow as inactive.

Here's some sample PowerShell code that can be used to accomplish this:

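Import-Module ActiveDirectory
# Find group objects that have been deleted in AD
$deletedGroups = Get-ADObject -Filter {isDeleted -eq $true -and ObjectClass -eq "group"} -IncludeDeletedObjects
foreach ($group in $deletedGroups) {
    # A deleted object's Name is "<original name>`nDEL:<GUID>"; keep only the original name
    $groupName = ($group.Name -split "`n")[0]
    # Get-ServiceNowGroup and update() are kept as posted; they are not part of the
    # ActiveDirectory module and must come from whatever ServiceNow wrapper is in use
    $snGroup = Get-ServiceNowGroup -Name $groupName
    if ($snGroup) {
        $snGroup.active = $false   # PowerShell boolean is $false, not the bare word false
        $snGroup.update()
    }
}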

 

 

Can you please explain where to write this script and what permissions are required to access AD?

Community Alums
Not applicable

Hi @rambo1 ,

You need to work with your AD team; this will happen from their side. Just give the script to them; that's enough.