LDAP Nested Groups

mflora
Kilo Contributor

I am currently working on an integration with Active Directory. Within AD, we are using groups to designate the Assignment Groups within Service-now. This is working just fine as long as, in AD, the members of the groups are individual users. If another AD group is added as a member of this group, we are not able to see the individual user accounts within the nested group.

Does anyone know of a way to have Service-now traverse the nested group members?

Also, there are multiple levels within the nested groups (e.g. groups within groups within groups, etc.).

Any help or suggestions would be greatly appreciated.

Thanks


I am not sure if this was just not possible in previous versions but I am on Dublin and I can have groups as members of groups. Everything flows perfectly. However, at this point I can only manually nest groups. I do not have any way of having the LDAP import make a group a member of a group. This is critical for us.

This logic should be almost identical to how users are memberOf several groups. There is a script in ServiceNow that will set all the user members of groups. There is no script to set all the group members of groups.


Chris Bui
Giga Expert

This is an old post, but for anyone finding this...

It is possible to do an AD filter for members of a group and all groups within that group. Say you have an AD group named ServiceNow and you have users and groups as members. The following filter will get you everyone contained in ServiceNow.

(&(objectClass=user)(|(memberof:1.2.840.113556.1.4.1941:=CN=ServiceNow,OU=Groups,OU=Administration,DC=domain,DC=com)))

Just plug in the distinguished name of the AD group you want to start with.

Here is a good source for other LDAP filters.

http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters...
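The filter above relies on the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes the domain controller walk group membership transitively. The following is an added example, not code from this thread or from ServiceNow: it builds that filter for an arbitrary group DN with RFC 4515 escaping (so a DN containing parentheses or asterisks cannot change the filter's structure), and it reproduces the server-side expansion over a constructed in-memory directory so you can see what the rule returns when groups are nested several levels deep, contain the same user in two branches, or even refer back to the parent group. All DNs, group names and the OBJECTS table are made up for the example.

```python
"""Nested-group expansion modelled on the LDAP_MATCHING_RULE_IN_CHAIN filter.

Everything below is a constructed, in-memory stand-in for Active Directory;
no live directory is contacted.
"""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample objects (assumption: not real directory data).
# Each DN maps to its objectClass and, for groups, its "member" attribute.
BASE = "OU=Groups,OU=Administration,DC=domain,DC=com"
USERS = "OU=Users,DC=domain,DC=com"

OBJECTS = {
    f"CN=ServiceNow,{BASE}": {
        "objectClass": "group",
        "member": [f"CN=IT Department,{BASE}", f"CN=alice,{USERS}"],
    },
    f"CN=IT Department,{BASE}": {
        "objectClass": "group",
        "member": [f"CN=Network Team,{BASE}", f"CN=Help Desk,{BASE}"],
    },
    f"CN=Network Team,{BASE}": {
        "objectClass": "group",
        # bob plus a reference back to the top group: a membership cycle
        "member": [f"CN=bob,{USERS}", f"CN=ServiceNow,{BASE}"],
    },
    f"CN=Help Desk,{BASE}": {
        "objectClass": "group",
        # bob appears here as well, in a second branch of the tree
        "member": [f"CN=carol,{USERS}", f"CN=bob,{USERS}"],
    },
    f"CN=alice,{USERS}": {"objectClass": "user"},
    f"CN=bob,{USERS}": {"objectClass": "user"},
    f"CN=carol,{USERS}": {"objectClass": "user"},
    f"CN=svc-ldap,{USERS}": {"objectClass": "user"},  # member of nothing
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter.

    '*', '(', ')', '\\' and NUL become \\XX hex escapes so that a DN with
    odd characters cannot alter the structure of the filter it sits in.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def chain_filter(group_dn):
    """Build the transitive-membership filter from the post for group_dn."""
    return "(&(objectClass=user)(memberOf:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


def expand_members(group_dn, objects=OBJECTS):
    """Return (users, groups) reachable from group_dn at any nesting depth.

    This is what the matching rule does on the server. The 'seen' set makes
    cycles and duplicate membership harmless, which is why the filter never
    loops even when a nested group refers back to its parent.
    """
    users, groups, seen = set(), set(), set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = objects.get(dn)
        if entry is None:
            continue  # dangling member reference: skip it
        if entry["objectClass"] == "user":
            users.add(dn)
        elif entry["objectClass"] == "group":
            if dn != group_dn:
                groups.add(dn)
            stack.extend(entry.get("member", []))
    return sorted(users), sorted(groups)


if __name__ == "__main__":
    top = f"CN=ServiceNow,{BASE}"
    print("filter:", chain_filter(top))
    users, groups = expand_members(top)
    print("users reachable from the top group:")
    for dn in users:
        print("  ", dn)
    print("groups traversed on the way:")
    for dn in groups:
        print("  ", dn)
```

Note that the filter only ever returns objects with objectClass=user, so the intermediate groups (IT Department, Network Team, Help Desk in the sample) are walked but not returned; expand_members lists them separately so you can see which groups the rule traversed. Also note that this rule can be expensive on a large directory, so it is worth scoping the search base as tightly as possible.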


Hi Chris,

Would your method work for the following scenario?

We have an OU structure like this:

OU A
    sub OU B
        IT Help Desk Unit Group
        IT Networking Unit Group
    sub OU C
        IT Help Desk Assignment Group
            contains IT Help Desk Unit Group from sub OU B
        IT Networking Assignment Group
            contains IT Networking Unit Group from sub OU B

So we have our groups for ServiceNow in sub OU C, and they are populated with groups from sub OU B (they are dynamic). We are looking to have the members in the sub OU B groups be added directly to the sub OU C groups.


I don't see why not, but I'm not an AD person. I just know if you want to get all the members of a group that also contains groups, you can use that LDAP filter. It's fairly simple to test. Once you apply the filter, the browse feature will show you all the users that are returned from your filter.


Chris,

Your method is for syncing users from LDAP, right? We have our users syncing based on a single group. We are looking to sync groups, and those groups have nested groups, so we are looking to grab those members and ultimately add them to the original sync group.

For example:

IT Department Group contains different groups like Network Team, Help Desk, Web Developers, etc., and those subgroups all have users in them. We are looking for the "IT Department Group" to contain those users found in the subgroups.