Removing members from groups

Christopher17
Tera Guru

I need help in removing members from groups that I import from AD.

Today I import both AD accounts and groups into the ServiceNow environment. I have had great success in populating the necessary fields: managers, members, owners, etc. However, I am stuck on how I go about removing members from the AD groups. Note: I do not want to remove AD accounts; those will need to stay in ServiceNow for historical and audit reasons. But we use the AD groups to assign roles in ServiceNow. So when people are no longer with the company or change role, they are removed from the AD group in AD. But these members still reside in the group in ServiceNow.

Is there an existing script call for account cleanup for group transforms, for when an existing group member is no longer reported in a group? Or are there any post-cleanup scripts I can run on a nightly or weekly schedule that will look at the groups' memberships and check to make sure they are indeed still in the group?

Thank you for your advice.

Oh, and one last thing, as I'm still new to SNow. Is there a 'verse (repository) of sorts of collated scripts that admins/implementers like to share? Like a GitHub or something?

1 ACCEPTED SOLUTION

Michael Jones -
Giga Sage

It has been my experience that the process should automatically remove group members in ServiceNow if they are removed in LDAP; however, the "source" field must match. Is this a situation perhaps where the user is being removed from the groups and then put in another OU, or something that changes the DN that is set as the source?

Does the same thing happen when active users are removed from a group?

You could potentially add to the onAfter script in your transform map to remove all users from the group and then repopulate only with those in LDAP (as sort of suggested above), but I'd only go this route if you are certain that you would never need to have users manually added to a group in ServiceNow that was created via LDAP.

Are the users in question being marked as inactive in ServiceNow? If so, then a better solution might be to run a scheduled job that would find all inactive users and remove them from any group memberships.

Hope this helps!

If this was helpful or correct, please be kind and click appropriately!

Michael Jones - Proud member of the CloudPires Team!

I hope this helps!
Michael D. Jones
Proud member of the GlideFast Consulting Team!

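The two clean-up strategies in the accepted answer (source-matched LDAP reconciliation versus an inactive-user sweep), worked through as an added example that is not from the thread or from ServiceNow. It uses constructed in-memory rows in place of GlideRecord queries against sys_user_grmember and sys_user, so it runs stand-alone; the field shapes, DNs and user names are assumptions.

```javascript
// Constructed sys_user_grmember rows. `source` holds the LDAP DN that created the
// membership; null means the row was added manually in ServiceNow.
const memberships = [
  { sys_id: 'm1', group: 'g_itil',  user: 'alice', source: 'cn=itil,ou=groups,dc=example,dc=com' },
  { sys_id: 'm2', group: 'g_itil',  user: 'bob',   source: 'cn=itil,ou=groups,dc=example,dc=com' },
  { sys_id: 'm3', group: 'g_itil',  user: 'carol', source: null }, // manual add, must survive
  { sys_id: 'm4', group: 'g_itil',  user: 'dave',  source: 'cn=itil,ou=contractors,dc=example,dc=com' }, // DN moved
  { sys_id: 'm5', group: 'g_admin', user: 'erin',  source: 'cn=admin,ou=groups,dc=example,dc=com' },
];

// What the LDAP import currently reports, keyed by the group DN (constructed).
const ldapGroups = {
  'cn=itil,ou=groups,dc=example,dc=com':  { group: 'g_itil',  members: ['alice'] },
  'cn=admin,ou=groups,dc=example,dc=com': { group: 'g_admin', members: ['erin'] },
};

// Constructed sys_user rows. Inactive accounts are kept for audit, as the question requires;
// only their group memberships (and therefore their roles) are removed.
const users = {
  alice: { active: true }, bob: { active: true }, carol: { active: true },
  dave:  { active: true }, erin: { active: false },
};

// Strategy 1: delete only LDAP-sourced rows whose user is no longer in the LDAP group
// with the same source DN. Manual adds are untouched. A row whose DN matches no imported
// group (e.g. the object moved to another OU) is reported, not deleted, because the
// source mismatch is exactly why the transform could not remove it automatically.
function staleLdapMemberships(rows, ldap) {
  const remove = [];
  const unmatchedSource = [];
  for (const row of rows) {
    if (!row.source) continue;                 // manual membership: leave alone
    const grp = ldap[row.source];
    if (!grp) { unmatchedSource.push(row.sys_id); continue; }
    if (!grp.members.includes(row.user)) remove.push(row.sys_id);
  }
  return { remove, unmatchedSource };
}

// Strategy 2: drop every membership held by an inactive user, regardless of source.
function inactiveUserMemberships(rows, userTable) {
  return rows
    .filter(r => userTable[r.user] && !userTable[r.user].active)
    .map(r => r.sys_id);
}

module.exports = { memberships, ldapGroups, users, staleLdapMemberships, inactiveUserMemberships };
```

On the platform, each sys_id in `remove` would become a `deleteRecord()` on sys_user_grmember, and `unmatchedSource` is the list worth reviewing by hand before the job is allowed to delete anything.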

3 REPLIES 3

sachin_namjoshi
Kilo Patron

You can configure a scheduled job to remove group members.

Use the script below as a sample:

 

// Find this user's membership in the target group and delete it.
// Replace 'sysid_of_managers_group' with the sys_id of the group to clean up;
// 'current' is assumed to be the sys_user record being processed.
var grp1 = new GlideRecord('sys_user_grmember');
grp1.addQuery('group', 'sysid_of_managers_group');
grp1.addQuery('user', current.sys_id);
grp1.query();
if (grp1.next()) {
    grp1.deleteRecord();
}

 

ServiceNow provides OOB integration with GitHub, where you can maintain your source control.

 

https://docs.servicenow.com/bundle/orlando-application-development/page/build/applications/concept/c...

 

Regards,

Sachin


Turns out I was not patient enough. The backend process on AD took 2 hours to propagate and then 1 hour on the transform to complete. So I now know OOTB member removal from groups is possible on the transform.

Thank you for your reply.