LDAP - Deactivating Groups in SN when deleted in Active Directory
12-14-2022 05:20 AM
I am looking for assistance with a solution to an LDAP issue I found recently. When a group is deleted in Active Directory it continues to be active in ServiceNow. The Updated field does not appear to be very useful in this case as it is not changing very often, even when new members are added to groups.
Does anyone have a method of marking these deleted groups as Inactive?
Thanks in advance,
12-14-2022 05:43 AM
Hi @Eric148 ,
User Accounts in ServiceNow may be required for future auditing purposes. These accounts may be referenced in multiple records, so by process they wouldn't be deleted when removed from AD. AD is just a source of information; AD in turn gets this account information from SAP/PeopleSoft etc. So no user account in reality is deleted.
Groups are created manually. Nothing to do with AD unless you configure to get functional groups too. So we have to manually disable if no user exists under that Group. Could be achieved by an automated script.
To inactivate all Groups with no active users, you can create a background script (or fix script) which checks against the groups table for all those possible groups with no active members in them. If yes, mark the Group as inactive. You'd prefer not to delete, which may impact your references.
12-14-2022 05:48 AM
Hey Sandeep, thank you for the response. I may not have worded my question correctly.
No issues with user accounts. I have those being flagged as inactive when they are disabled in Active Directory.
The issue is the ServiceNow groups that have been created from importing from Active Directory. If those groups are deleted in Active Directory, I have no way of knowing in ServiceNow and group memberships remain as is. I am hoping that through the LDAP Integration, some way can be set up to check if the group is still alive in Active Directory through the import process.
12-14-2022 05:50 AM
Hi @Eric148 ,
I spoke about both User Accounts and Groups!!
LDAP integration would not delete the Groups in ServiceNow side even if it gets deleted in AD.
12-14-2022 05:54 AM
I realize that LDAP integration would not delete the groups. I am hoping something can just tell me if that group is no longer listed in the LDAP Group Import, possibly through the Import Set Table, and thereby flagging the Group in ServiceNow as Inactive.
I appreciate your responses!
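One way to implement the reconciliation the two replies above describe (a background script that compares the groups table against what the latest LDAP group import returned, and flags the missing ones inactive), as an added example that is not code from this thread or from ServiceNow: plain JavaScript with constructed records standing in for the sys_user_group rows and the import set rows, and the `source` field assumed to hold the AD distinguishedName the import wrote. The empty-import guard is the check worth having before automating this.

```javascript
// Added example (not from the thread): reconcile LDAP-sourced ServiceNow groups
// against the rows the latest LDAP group import produced. In an instance both
// arrays would come from GlideRecord queries; here they are constructed so the
// logic runs stand-alone.

// Constructed sample: groups currently in sys_user_group. "source" is assumed
// to hold the AD distinguishedName set by the LDAP import; manual groups have none.
const groups = [
  { name: 'AD-Helpdesk',  source: 'CN=Helpdesk,OU=Groups,DC=example,DC=com', active: true },
  { name: 'AD-Finance',   source: 'cn=Finance,ou=Groups,dc=example,dc=com',  active: true },
  { name: 'AD-Legacy',    source: 'CN=Legacy,OU=Groups,DC=example,DC=com',   active: true },
  { name: 'Local Admins', source: '', active: true }, // created manually, not from AD
];

// Constructed sample: DNs present in the latest LDAP group import set table.
const importedDns = [
  'CN=Helpdesk,OU=Groups,DC=example,DC=com',
  'CN=Finance,OU=Groups,DC=example,DC=com',
];

// DNs compare case-insensitively; normalise both sides before matching.
function normDn(dn) { return dn.trim().toLowerCase(); }

// Returns the names of active, LDAP-sourced groups absent from the import.
// minRows guards against a failed or empty import: deactivating every group
// because the LDAP server was unreachable would be worse than the original problem.
function findStaleGroups(groups, importedDns, minRows = 1) {
  if (importedDns.length < minRows) {
    throw new Error(`import returned ${importedDns.length} rows; refusing to deactivate`);
  }
  const present = new Set(importedDns.map(normDn));
  return groups
    .filter(g => g.active && g.source && !present.has(normDn(g.source)))
    .map(g => g.name);
}

// Flips active to false for the stale groups only; memberships and references
// are left intact, matching the advice in the thread not to delete.
function deactivate(groups, staleNames) {
  const stale = new Set(staleNames);
  for (const g of groups) if (stale.has(g.name)) g.active = false;
  return groups.filter(g => !g.active).map(g => g.name);
}
```

Run this after each scheduled LDAP group import; the guard means a run against a broken import set does nothing rather than deactivating everything.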