08-01-2016 09:09 AM
We currently use LDAP to import our AD groups into a custom table. We are not using AD groups for roles or assignments within ServiceNow, which is why we chose a custom table vs sys_user_group. The import works fine and I get a count of over 7000 groups each time.
My struggle is that the groups don't actually stay in sync. When I say sync, I mean that when a group is deleted in AD the group remains in ServiceNow. I need the two systems to be a mirror of one another.
Does anyone have any ideas on how I can get AD and ServiceNow to stay in sync?
08-09-2016 05:29 AM
Hi Sarah,
Just looked into this myself since we are setting up ServiceNow for the first time and came up with the following solution based on an SN Wiki article. The problem with just using the LDAP listener is that if a group or user is deleted, ServiceNow won't know about it. The below method is just an example, so use at your own risk. It is also set up for users, but you could do the same for groups. Hope this helps!
1. Add a Date field to the sys_user table, we called ours "u_last_date_refreshed_from_ad"
2. Update your transform map for LDAP to include a field map for the new field, and then just use a script as the field source to set the date:
    // Field source script: stamp today's date on every record this import touches
    var gDT = new GlideDate();
    return gDT;
3. Create a Scheduled Load to execute as often as you like; it could be once a day or a few times a day depending on how near real time you want it
4. Then just add a post import script, for example:
    // Post import script: any user whose AD refresh stamp is older than one day
    // was not returned by the latest LDAP load, so AD no longer has the account.
    var cleanUpActiveDirectoryUsers = function() {
        var gr = new GlideRecord('sys_user');
        var gdt = new GlideDateTime();
        gdt.addDays(-1); // cutoff: one day before now
        gr.addQuery('u_last_date_refreshed_from_ad', '<', gdt);
        // records never stamped (not sourced from AD) are left alone
        gr.addEncodedQuery('u_last_date_refreshed_from_ad!=NULL');
        gr.query();
        while (gr.next()) {
            gr.active = false;
            gr.locked_out = true;
            gr.update();
            gs.log(gr.name + ' was set to inactive and locked out because their last Active Directory refresh was: ' + gr.u_last_date_refreshed_from_ad);
        }
    };
    cleanUpActiveDirectoryUsers();
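Added example (not the answer's code and not the Glide API): the same last-refreshed reconciliation modelled in plain JavaScript over constructed rows for a hypothetical custom group table u_ad_group, so it can be run offline. It keeps the answer's NULL filter, adds a guard that skips deactivation when the load returned suspiciously few rows (otherwise a failed LDAP connection would mark every group stale the next day), and the minImported threshold and table name are assumptions.

```javascript
// Added example: plain-JS model of the "last refreshed from AD" clean-up for a
// hypothetical u_ad_group table. Arrays stand in for GlideRecord queries.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample rows (not real data).
const SAMPLE_GROUPS = [
  { name: 'GRP-Finance', active: true,  u_last_date_refreshed_from_ad: '2016-08-09' },
  { name: 'GRP-Legacy',  active: true,  u_last_date_refreshed_from_ad: '2016-08-01' },
  { name: 'GRP-Manual',  active: true,  u_last_date_refreshed_from_ad: null },
  { name: 'GRP-Retired', active: false, u_last_date_refreshed_from_ad: '2016-07-15' },
];

// Mirrors the transform-map field source: stamp the import date on a row.
function stampRefreshed(row, importDate) {
  return Object.assign({}, row, { u_last_date_refreshed_from_ad: importDate });
}

// Mirrors the post-import query: stamp present and older than now - graceDays.
// Rows with no stamp were never sourced from AD (e.g. created by hand) and are
// excluded, exactly like the '!=NULL' filter in the answer.
function isStale(row, now, graceDays) {
  const last = row.u_last_date_refreshed_from_ad;
  if (!last) return false;
  const cutoff = new Date(now).getTime() - graceDays * DAY_MS;
  return new Date(last + 'T00:00:00Z').getTime() < cutoff;
}

// Deactivate stale, still-active rows. importedCount is how many rows the load
// just stamped; below minImported (assumed threshold) the load most likely
// failed, so nothing is deactivated on that basis.
function reconcileGroups(rows, now, graceDays, importedCount, minImported) {
  if (importedCount < minImported) {
    return { skipped: true, deactivated: [], rows: rows };
  }
  const deactivated = [];
  const updated = rows.map(function (row) {
    if (row.active && isStale(row, now, graceDays)) {
      deactivated.push(row.name);
      return Object.assign({}, row, { active: false });
    }
    return row;
  });
  return { skipped: false, deactivated: deactivated, rows: updated };
}

// Demo: 7000 groups imported today, one-day grace period.
const demo = reconcileGroups(SAMPLE_GROUPS, '2016-08-09T12:00:00Z', 1, 7000, 5000);
console.log(demo.deactivated); // ['GRP-Legacy']
```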

08-01-2016 09:22 AM
Hi Sarah,
As a best practice, you don't want to delete data like users and groups in ServiceNow (even on custom tables). If any records are referencing that information, and you delete the record it is referencing, you've lost valuable information.
A better approach is to use an Active field and set it to false to filter out unwanted information.
So your next question is "How do you know when a group has been deleted in AD so you can set it 'active=false' in ServiceNow?", right? One option is to set them all to Active=false at the start of your import and only the ones that come over are set back to active=true by your transform script. The risk there is that there is a period of time during the import that all are inactive.
Creating New Transform Maps - ServiceNow Wiki
08-01-2016 09:27 AM
Thanks for the quick response!
I had a conversation with my coworker this morning and I mentioned using an "Active" status instead of deleting. He was concerned about the table growing large. I told him that by not deleting, the historical data would be retained.
I will give this a try and update the post! Thanks again.

08-01-2016 09:31 AM
Don't worry about the table growing. That's what cloud storage is for!
We have customers with millions of records in a single table. Having even a few thousand groups is nothing to be concerned about.