LDAP - Deactivating Groups in SN when deleted in Active Directory
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2022 05:20 AM
I am looking for assistance with a solution to an LDAP issue I found recently. When a group is deleted in Active Directory it continues to be active in ServiceNow. The Updated field does not appear to be very useful in this case as it is not changing very often, even when new members are added to groups.
Does anyone have a method of marking these deleted groups as Inactive?
Thanks in advance,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2022 05:59 AM
So @Eric148 for that, i think if you have a scheduled job that checks the LDAP import table to see if the group record has not been received for X number of days, then deactivate the group in ServiceNow.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2022 06:12 AM
Is it possible to check the groups comparing from today's import to yesterday's to see if there were any missing, and how could I achieve this?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-17-2023 09:06 AM
There is no way to detect if a group is deleted from AD. It just simply won't be imported using the LDAP protocol.
1. Add a field to the groups table or override the sys_updated_on field to mark when the last time the group is imported from AD. After the import, just check if it hasn't been updated in several weeks, and mark it inactive.
2. I think what you are asking is if there is a way to see if the target record existed in the source, but if it's deleted I think that's a catch 22 and I'd have to do more research.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-17-2023 09:34 AM
Hi @Eric148 ,
I trust you are doing great.
To mark deleted groups in Active Directory as inactive in ServiceNow, you can use the Scheduled Job functionality of ServiceNow along with a PowerShell script to query Active Directory and update ServiceNow accordingly.
Here's an outline of the steps involved:
Create a Scheduled Job in ServiceNow that will run on a regular basis (e.g. daily) to check for deleted groups in Active Directory.
Write a PowerShell script that will query Active Directory for deleted groups and update the corresponding records in ServiceNow as inactive.
Here's some sample PowerShell code that can be used to accomplish this:
Import-Module ActiveDirectory
$deletedGroups = Get-ADObject -Filter {isDeleted -eq $true -and ObjectClass -eq "group"} -IncludeDeletedObjects
foreach ($group in $deletedGroups) {
$groupName = $group.Name
$snGroup = Get-ServiceNowGroup -Name $groupName
if ($snGroup) {
$snGroup.active = false
$snGroup.update()
}
}
Was this answer helpful?
Please consider marking it correct or helpful.
Your feedback helps us improve!
Thank you!
Regards,
Amit Gujrathi
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2024 08:56 AM
Here is a method that I've come up with for this very thing:
Prerequisites
- You need to add objectGUID to your ldap server attributes
- You need to store the AD Object GUID in the sys_user_group table
- Example: u_ad_object_guid
Follow these steps:
- In your Transform, create an OnStart script looks like the following
var adGroupList = [];
- Make sure that is all that is in the script, very important
- Create an onBefore that pushes the current row's objectGuid to the array
(function runTransformScript(source, map, log, target /*undefined onStart*/ ) {
//add the group to the list of groups pulled so that we can compare on complete
adGroupList.push(source.u_objectguid.toString());
})(source, map, log, target);
- Create an onComplete script that uses the array to compare it to the array of SN Group AD Object GUIDs. Then do a diff on the array. This will output the diff in a new array. You can then use that array to loop through groups in SN that no longer exist in AD. Like so:
(function runTransformScript(source, map, log, target /*undefined onStart*/ ) {
//compare all of the object GUIDs pulled from AD to the SN object GUIDs to see if we need to disable a group in SN
//first get the list of object GUIDs in SN
var snGroupList = [];
var adGroups = new GlideRecord('sys_user_group');
adGroups.addNotNullQuery('u_ad_object_guid');
adGroups.addActiveQuery();
adGroups.query();
while (adGroups.next()) {
snGroupList.push(adGroups.u_ad_object_guid.toString());
}
//now compare the arrays
var arrayUtil = new ArrayUtil();
var deletedGroups = arrayUtil.diff(snGroupList, adGroupList);
//now disable the groups
for (var x = 0; x < deletedGroups.length; x++) {
var groupToDeactivate = new GlideRecord('sys_user_group');
groupToDeactivate.addQuery('u_ad_object_guid', deletedGroups[x]);
groupToDeactivate.addActiveQuery();
groupToDeactivate.query();
if (groupToDeactivate.next()) {
groupToDeactivate.active = false;
groupToDeactivate.update();
}
}
})(source, map, log, target);
That should accomplish what you need.
