users deleted in AD, still has associated groups to their accounts in SNOW

Nitin_NOW
Tera Guru

Hey guys

Seems to be a small one, but it confuses me a little. We have a list of user accounts who were terminated in our company, and their accounts (associated groups) were removed at AD level. However, we still see the accounts in SNOW in locked-out/disabled mode. Shouldn't the groups get auto-removed from the user accounts, as they don't exist in AD? Is it something we have to do as a manual operation to remove the groups from the user accounts at SNOW level?

Regards

Sashi K1
Kilo Guru

Hi Nithin

User accounts in ServiceNow may be required for future auditing purposes. These accounts may be referenced in multiple records, so by process they wouldn't be deleted when removed from AD. AD is just a source of information; AD in turn gets this account information from SAP/PeopleSoft etc. So no user account in reality is deleted.

Groups are created manually. Nothing to do with AD unless you configure it to get functional groups too. So we have to manually disable them if no user exists under that group. This could be achieved by an automated script.


Thanks Sashikanth for your prompt reply :) But our groups are not manual. They are created at AD level and synced to ServiceNow. So you mean to say that even if the user gets deleted at AD level, the groups associated with the respective user accounts won't be auto-deleted in SNOW? Do we need to remove the groups manually from their accounts?

If you're using LDAP to sync your groups and group members, you shouldn't have to manually remove a user that no longer exists in AD. When you remove or add users to a group, it should be the same. Now, if you delete a group from AD, it is no longer going to manage the group members, and they would need to be updated manually.

Yes, you have two options here.

1. Your current AD integration may not 'auto delete' accounts, either a user account or a group account, when the source record is removed. That is for auditing purposes. You don't want your old records to be missing references if you hard-delete them.

2. You have to manually update each group that has no active user listed. A few active users may still exist in those groups alongside inactive users. So you have to put a process in place to auto-inactivate a group with no users.

Solution:

To inactivate all groups with no active users, you can create a background script (or fix script) which checks the groups table for all those groups with no active members in them. If so, mark the group as inactive. You'd prefer not to delete, which may impact your references.

Hope that answers your question!
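The background/fix script described in the reply above, written out as an added example rather than code from this thread or from ServiceNow. The `inactivateEmptyGroups` function uses the server-side GlideRecord API (the `sys_user_group` and `sys_user_grmember` tables, with a dot-walked `user.active` query) and would be pasted as-is into a background script on an instance with the real `GlideRecord` passed in. Everything else in the block is constructed so it runs offline: `FakeGlideRecord`, `SAMPLE_DB`, `REFERENCE_FIELDS` and the group and user names are an in-memory stand-in for the platform, not a real instance. The function inactivates rather than deletes, as the reply recommends, and takes a `dryRun` flag so you can see which groups would be touched before writing anything.

```javascript
// Added example: inactivate sys_user_group records that have no active members.
// inactivateEmptyGroups() is written against the ServiceNow GlideRecord API;
// FakeGlideRecord and SAMPLE_DB are a constructed, in-memory stand-in (assumption)
// so the logic can be exercised outside an instance.

// Constructed sample rows shaped like sys_user, sys_user_group and sys_user_grmember.
var SAMPLE_DB = {
  sys_user: [
    { sys_id: 'u1', user_name: 'alice', active: true },
    { sys_id: 'u2', user_name: 'bob',   active: false },  // terminated in AD, kept for audit
    { sys_id: 'u3', user_name: 'carol', active: true }
  ],
  sys_user_group: [
    { sys_id: 'g1', name: 'ad-app-owners', active: true },  // alice (active) + bob -> keep
    { sys_id: 'g2', name: 'ad-legacy-ops', active: true },  // bob only            -> inactivate
    { sys_id: 'g3', name: 'ad-empty',      active: true },  // no members at all   -> inactivate
    { sys_id: 'g4', name: 'ad-retired',    active: false }  // already inactive    -> skipped
  ],
  sys_user_grmember: [
    { sys_id: 'm1', group: 'g1', user: 'u1' },
    { sys_id: 'm2', group: 'g1', user: 'u2' },
    { sys_id: 'm3', group: 'g2', user: 'u2' },
    { sys_id: 'm4', group: 'g4', user: 'u3' }
  ]
};

// Reference fields the stand-in knows how to dot-walk (e.g. 'user.active').
var REFERENCE_FIELDS = { sys_user_grmember: { user: 'sys_user', group: 'sys_user_group' } };

// Minimal GlideRecord look-alike: only the methods the script below relies on.
function FakeGlideRecord(table) {
  this._table = table; this._conds = []; this._rows = []; this._i = -1; this._cur = null;
}
FakeGlideRecord.prototype.addQuery = function (field, value) { this._conds.push({ field: field, value: value }); };
FakeGlideRecord.prototype.addActiveQuery = function () { this.addQuery('active', true); };
FakeGlideRecord.prototype._resolve = function (row, field) {
  var parts = field.split('.'), table = this._table, current = row;
  for (var i = 0; i < parts.length - 1; i++) {          // follow references one hop at a time
    var refTable = (REFERENCE_FIELDS[table] || {})[parts[i]], refId = current[parts[i]];
    current = (SAMPLE_DB[refTable] || []).filter(function (r) { return r.sys_id === refId; })[0];
    if (!current) { return undefined; }
    table = refTable;
  }
  return current[parts[parts.length - 1]];
};
FakeGlideRecord.prototype.query = function () {
  var self = this;
  this._rows = SAMPLE_DB[this._table].filter(function (row) {
    return self._conds.every(function (c) { return self._resolve(row, c.field) === c.value; });
  });
  this._i = -1;
};
FakeGlideRecord.prototype.next = function () { this._i++; this._cur = this._rows[this._i] || null; return this._cur !== null; };
FakeGlideRecord.prototype.hasNext = function () { return this._i + 1 < this._rows.length; };
FakeGlideRecord.prototype.getValue = function (f) { return this._cur[f]; };
FakeGlideRecord.prototype.setValue = function (f, v) { this._cur[f] = v; };   // mutates the shared row
FakeGlideRecord.prototype.update = function () { return this._cur.sys_id; };

// The actual script. GR is the GlideRecord constructor (real or fake); dryRun=true only reports.
// Returns the names of the groups that were (or would be) inactivated.
function inactivateEmptyGroups(GR, dryRun) {
  var touched = [];
  var grp = new GR('sys_user_group');
  grp.addActiveQuery();                       // only groups still marked active
  grp.query();
  while (grp.next()) {
    var mem = new GR('sys_user_grmember');    // memberships of this group whose user is active
    mem.addQuery('group', grp.getValue('sys_id'));
    mem.addQuery('user.active', true);        // dot-walk to sys_user.active
    mem.query();
    if (mem.hasNext()) { continue; }          // at least one active member: leave the group alone
    touched.push(grp.getValue('name'));
    if (!dryRun) {
      grp.setValue('active', false);          // inactivate, never delete: references stay intact
      grp.update();
    }
  }
  return touched;
}

// Usage: report first, write nothing. On an instance: inactivateEmptyGroups(GlideRecord, true).
var wouldInactivate = inactivateEmptyGroups(FakeGlideRecord, true);
```

Run it in dry-run mode first and review the list: the logic treats a group with no members at all the same as one whose members are all inactive, so a group that is intentionally empty (for example one kept only as a role container) would be inactivated too, and you may want an extra exclusion for such groups before the real pass. Groups that are already inactive are skipped, so the script is safe to re-run.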