‎08-01-2016 09:09 AM
We currently use LDAP to import our AD groups into a custom table. We are not using AD groups for roles or assignments within ServiceNow, which is why we chose a custom table vs sys_user_group. The import works fine and I get a count of over 7000 groups each time.
My struggle is that the groups don't actually stay in sync. When I say sync, I mean when a group is deleted in AD the group remains in ServiceNow. I need the two systems to be a mirror of one another.
Does anyone have any ideas on how I can get AD and ServiceNow to stay in sync?
‎08-09-2016 05:29 AM
Hi Sarah,
Just looked into this myself since we are setting up ServiceNow for the first time and came up with the following solution based on a SN Wiki Article. The problem with just using the LDAP listener is that if a group or user is deleted, ServiceNow won't know about it. The below method is just an example so use at your own risk. It is also set up for users but you could do the same for groups. Hope this helps!
1. Add a Date field to the sys_user table, we called ours "u_last_date_refreshed_from_ad"
2. Update your transform map for LDAP to include a field map for the new field, and then just use a script as the field source to set the date:
// Field source script for the "u_last_date_refreshed_from_ad" field map:
// returns today's date so every row touched by the import gets a fresh stamp.
var gDT = new GlideDate();
return gDT;
3. Create a Scheduled Load to execute as often as you like; it could be once a day or a few times a day depending on how near real time you want it
4. Then just add a post import script, for example:
var cleanUpActiveDirectoryUsers = function() {
    var gr = new GlideRecord('sys_user');
    // Cutoff: anything not refreshed in the last day is treated as gone from AD.
    var gdt = new GlideDateTime();
    gdt.addDays(-1);
    gr.addQuery('u_last_date_refreshed_from_ad', '<', gdt);
    // Skip records that never came from AD (no refresh date), e.g. users created by hand.
    gr.addEncodedQuery('u_last_date_refreshed_from_ad!=NULL');
    gr.query();
    while (gr.next()) {
        gr.active = false;
        gr.locked_out = true;
        gr.update();
        gs.log(gr.name + ' was set to inactive and locked out because their last Active Directory refresh was: ' + gr.u_last_date_refreshed_from_ad);
    }
};
cleanUpActiveDirectoryUsers();
‎08-10-2016 07:36 AM
Not sure then, if you can't find a reason in the logs maybe a ticket is needed with HI.
‎08-10-2016 07:44 AM
I'll open a ticket and see what they can tell me.
Thanks for all your help!!!
‎10-05-2016 05:37 AM
Curious; did you find the resolution to your long load times? I am getting ready to set this up to import 100K students daily. If the script slows to a few hours for 8K records then this may not be the solution I need.
Not sure how cozy I am feeling with the "mark all Inactive" solution. I can see issues with this in my environment.
Thanks,
M
‎10-05-2016 06:02 AM
Michael,
I did open a HI ticket and they explained that because I was querying a table repeatedly the run time was the norm. I was also concerned about the run time, so I kept thinking about what other options we had... We now run the import, then a scheduled job to set the active/inactive value.
- LDAP import of groups
- Field map sets the "Refreshed Date"
- Scheduled job
- The job runs the table query setting the active/inactive status
We have the import and scheduled job running an hour apart. Both execute daily during the early morning hours.
Sarah
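The reconciliation described in the four-step answer above (stamp every imported row with the import date, then deactivate rows whose stamp is older than the cutoff) and restated in Sarah's import-then-scheduled-job setup can be modelled outside the platform. The following is an added example, not code from this thread or from ServiceNow: records are plain objects instead of GlideRecords and the query clauses are array filters. The field name u_last_date_refreshed_from_ad comes from the thread; the use of the group DN as the coalesce key, the sample groups, and the MAX_DEACTIVATE_FRACTION guard are assumptions made for this example. The guard addresses the "mark all inactive" worry raised later in the thread: if the import ran empty, every managed row looks stale, and the cleanup would lock out the entire table.

```javascript
// Added example modelling the "last refreshed from AD" reconciliation.
// Not ServiceNow code: plain objects stand in for GlideRecords.
const MAX_DEACTIVATE_FRACTION = 0.5; // assumed safety limit per cleanup run

// Format a Date as the YYYY-MM-DD string a ServiceNow Date field holds.
function toDateString(d) {
  return d.toISOString().slice(0, 10);
}

// Steps 1-2: the import stamps every row present in the LDAP feed with the
// import date. Rows absent from the feed keep their old stamp, which is how
// a group deleted in AD becomes detectable. New feed entries are inserted.
// (dn as coalesce key is an assumption for this example.)
function applyImport(table, feed, importDate) {
  const stamp = toDateString(importDate);
  const byDn = new Map(table.map(r => [r.dn, Object.assign({}, r)]));
  for (const entry of feed) {
    const existing = byDn.get(entry.dn);
    if (existing) {
      existing.u_last_date_refreshed_from_ad = stamp;
    } else {
      byDn.set(entry.dn, { dn: entry.dn, name: entry.name, active: true,
        locked_out: false, u_last_date_refreshed_from_ad: stamp });
    }
  }
  return Array.from(byDn.values());
}

// Step 4: the two query clauses from the thread. The stamp is a date-only
// field, so it is read as midnight and compared with "now minus maxAgeDays";
// in practice "older than one day" means "not stamped by today's import".
// Rows with no stamp were never imported from AD and are left alone.
function findStale(table, now, maxAgeDays) {
  const cutoff = now.getTime() - maxAgeDays * 86400000;
  return table.filter(r => r.u_last_date_refreshed_from_ad !== null
    && Date.parse(r.u_last_date_refreshed_from_ad + 'T00:00:00Z') < cutoff);
}

// Deactivate and lock out stale rows, but refuse to run when nothing was
// refreshed in the window (import failed or returned nothing) or when too
// large a share of managed rows would be deactivated in one pass.
function cleanUp(table, now, maxAgeDays) {
  const managed = table.filter(r => r.u_last_date_refreshed_from_ad !== null);
  const stale = findStale(table, now, maxAgeDays);
  const refreshed = managed.length - stale.length;
  if (managed.length > 0 && refreshed === 0) {
    return { skipped: 'no rows refreshed in window; import may have failed',
      deactivated: [], table };
  }
  if (managed.length > 0 && stale.length / managed.length > MAX_DEACTIVATE_FRACTION) {
    return { skipped: 'stale share exceeds MAX_DEACTIVATE_FRACTION', deactivated: [], table };
  }
  const staleDns = new Set(stale.map(r => r.dn));
  const updated = table.map(r => staleDns.has(r.dn)
    ? Object.assign({}, r, { active: false, locked_out: true })
    : r);
  return { skipped: null, deactivated: stale.map(r => r.name), table: updated };
}

// Constructed sample data: three groups already in the custom table. "Manual"
// was created by hand and has never been stamped by the import.
const SAMPLE_TABLE = [
  { dn: 'CN=Finance,OU=Groups,DC=example,DC=test', name: 'Finance', active: true,
    locked_out: false, u_last_date_refreshed_from_ad: '2016-08-08' },
  { dn: 'CN=Legacy,OU=Groups,DC=example,DC=test', name: 'Legacy', active: true,
    locked_out: false, u_last_date_refreshed_from_ad: '2016-08-08' },
  { dn: 'CN=Manual,OU=Groups,DC=example,DC=test', name: 'Manual', active: true,
    locked_out: false, u_last_date_refreshed_from_ad: null },
];
// Constructed feed for today's import: Legacy was deleted in AD, HR is new.
const SAMPLE_FEED = [
  { dn: 'CN=Finance,OU=Groups,DC=example,DC=test', name: 'Finance' },
  { dn: 'CN=HR,OU=Groups,DC=example,DC=test', name: 'HR' },
];
const IMPORT_TIME = new Date('2016-08-09T04:00:00Z');
const CLEANUP_TIME = new Date('2016-08-09T05:00:00Z'); // scheduled job an hour later

// Normal day: only Legacy should be deactivated.
function runSample() {
  return cleanUp(applyImport(SAMPLE_TABLE, SAMPLE_FEED, IMPORT_TIME), CLEANUP_TIME, 1);
}

// LDAP unreachable, feed empty: every managed row looks stale; the guard skips.
function runFailedImportSample() {
  return cleanUp(applyImport(SAMPLE_TABLE, [], IMPORT_TIME), CLEANUP_TIME, 1);
}

// Partial feed (only HR returned): 2 of 3 managed rows stale; the share guard skips.
function runPartialFeedSample() {
  return cleanUp(applyImport(SAMPLE_TABLE, [SAMPLE_FEED[1]], IMPORT_TIME), CLEANUP_TIME, 1);
}
```

Running runSample() returns Legacy as the only deactivated group, leaves the hand-made Manual group untouched, and shows HR inserted with today's stamp; runFailedImportSample() and runPartialFeedSample() return a non-null skipped reason and change nothing. On the platform the same guard can be expressed as a GlideAggregate count of rows stamped today before the deactivation loop runs, which also keeps the cleanup to a single query rather than the repeated per-record querying the HI ticket identified as the cause of the long run times.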
‎02-10-2025 02:57 PM - edited ‎02-10-2025 02:58 PM
Hi Sarah, I am looking to start with configuring LDAP integration to import AD groups to a custom table to help with automating requests to add users to groups.
Could you point me toward any documentation to get started with this?
Thanks
Jude