Best practice for user AD sync

JPing
Tera Expert

Hello All, 

 

Here is the issue we are having. 

Our Service Desk team creates AD records. Those AD records are then synced into SN and users are created and updated. When a user leaves the company, the AD record will be updated to inactive and the user record in SN changes to inactive too (the record is never deleted in SN). After some time (~6 months) the AD record will be deleted due to policy. Here is the problem: Let's say we had a user named "John Smith"; our username convention (and email convention) would give that user the username "jsmith" (jsmith@email.com) in AD, and thus synced to SN. If there is another user, Jane Smith, who is working at the same time, she will get the username jsmith2. But if Jane only starts working after the ~6 month period when John has left (and his AD record was deleted), then Jane would get the username "jsmith". Service Desk is a bigger team (that changes all the time) and they don't keep track of old usernames; they just try the convention, first initial + last name, and then keep adding a digit until it works.

 

The issue now is that when this record tries to sync into SN, the user record for (John Smith) jsmith still exists and there is a collision on the username, thus Jane's SN user record does not get created. Right now our process for fixing this is to just go into the SN user record and rename John Smith's username and email to "jsmith(old)" - but now our SN record doesn't reflect the user's correct information if we were ever to go through old notes or tickets or SN activity (though generally this is not a functional issue, as the sys_id is really the key).

 

So my question to the Best practice community - how do you handle the situation in your organization when an old and a new employee have the same username and there is a collision preventing the new employee's SN user record from being created?

 

Thanks in advance. 


Abbas_5
Tera Sage

Hello @JPing,

Please refer to the below link:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0820149

 

Mark my answer correct and helpful if it is helpful, and please hit the thumbs-up button to mark it as the correct solution.
Thanks & Regards,
Abbas Shaik

How is this relevant to the question asked?

a_mirosavljevic
Tera Contributor

We have faced a similar issue, but just with the email record that has been used as the unique identifier for Azure SSO.
When a user leaves the company, the mailbox is deleted and there is no need to store the email address for inactive users in ServiceNow either.
Hence we remediate the issue by removing the email address from the SN user once it gets deactivated.
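A model of the username collision JPing describes and the email-clearing a_mirosavljevic suggests, as an added example that is not part of this thread or of ServiceNow's own import code: plain Node.js over a constructed in-memory stand-in for sys_user. The objectGUID-style `source` key, the field names and the `.old` suffix are assumptions; the point is that matching happens on an immutable AD identifier, never on the reusable user_name, so a new hire cannot silently inherit an ex-employee's record and its roles.

```javascript
// Constructed in-memory stand-in for the sys_user table. Field names
// (source = immutable AD objectGUID, user_name, email, active) and the
// ".old" suffix are assumptions; this is plain Node.js, not GlideRecord.
const sysUser = [
  // John Smith left; his AD object is gone but his SN record is kept inactive.
  { sys_id: 'sid-1', source: 'guid-john', user_name: 'jsmith', email: 'jsmith@email.com', active: false },
  { sys_id: 'sid-2', source: 'guid-alice', user_name: 'ajones', email: 'ajones@email.com', active: true },
];

// Deactivate a user the way the second reply suggests: no mailbox exists any
// more, so clear the email, and free the user_name for reuse by appending a
// suffix that is itself unique in the table (jsmith.old, jsmith.old2, ...).
function retireUser(table, u) {
  u.active = false;
  u.email = '';
  const base = u.user_name.replace(/\.old\d*$/, '');
  let candidate = base + '.old';
  for (let n = 2; table.some(o => o !== u && o.user_name === candidate); n++) {
    candidate = base + '.old' + n;
  }
  u.user_name = candidate;
}

// One AD row arriving through the import. Matching is done on the immutable
// AD identifier first, so a reused user_name can never attach a new hire to an
// ex-employee's record (and hand over its roles and group memberships).
function syncAdRecord(table, ad) {
  const existing = table.find(u => u.source === ad.source);
  if (existing) {
    Object.assign(existing, { user_name: ad.user_name, email: ad.email, active: ad.active });
    if (!ad.active) retireUser(table, existing);
    return { action: 'updated', sys_id: existing.sys_id };
  }
  const clash = table.find(u => u.user_name === ad.user_name);
  if (clash && clash.active) {
    // Two live people with one login name: never auto-resolve, send to review.
    return { action: 'skipped', reason: 'user_name held by active user ' + clash.sys_id };
  }
  if (clash) retireUser(table, clash); // stale ex-employee record: rename it, keep its history
  const created = { sys_id: 'sid-' + (table.length + 1), source: ad.source,
                    user_name: ad.user_name, email: ad.email, active: ad.active };
  table.push(created);
  return { action: 'inserted', sys_id: created.sys_id };
}
```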