
LDAP: Adding Users to Group

justin_drysdale
Mega Guru

I am running into an issue with group imports and adding users to groups. I am using ldapUtil.addMembers(source,target) in an on-after transform script which works for the most part. Users are being added to groups. However it looks like it is also adding users to non-existent phantom groups.

 

In 'sys_user_grmember' after the import, I see ~300 records where there is a valid user and an invalid group. I've queried some of the phantom groups and they report back with:

"Get for non-existent record: sys_user_group:d6c2c871ad2e6100998001b56318c5f8, initializing".

 

Odd how the non-existent group has a sys_id. If I take the sys_id and query 'sys_user_group' the group doesn't exist. Any idea what could cause this behavior?

 

I also checked deleted records and did not find any matching sys_ids.

1 ACCEPTED SOLUTION

Are you sure these groups have been created with the import?


I had this behavior when I cloned an instance and added the sys_user and sys_user_group to the exclusion list, causing all the references to be maintained, but links still pointing to the old sys_ids of users. This messed up all the tables used to link a user to a group, a role or basically anything...



I think in your case it messes up, because it probably tries to link to a group that is not yet existing or your script that returns the group to link to, returns a faulty value. Try to add an if-statement, verifying the group you try to link your user to.



I'm not really into using 'ldapUtil.addMembers(source,target)' as I got no or wrong results. Unfortunately there is no real documentation on how to use it, and retracing the source-code of it made me think to use an easier method.


I found a really simple script written by Mark Stanger (Crossfuze) and explained in this discussion:


Can you add users to Groups with script?



I slightly modified the script to be used also in an onAfter transform script (on a transform map that is importing Users from our Active Directory), it works like a charm:



//Create a new group relationship record for this user
var addUsr = target.sys_id;
var toGrp = 'Your_Group_SysID_here';

//Look for an existing membership so no duplicate row is created
var rec1 = new GlideRecord('sys_user_grmember');
rec1.addQuery('user', addUsr);
rec1.addQuery('group', toGrp);
rec1.query();

//gs.nil() accepts both the GlideElement (addUsr) and the plain string (toGrp)
if (!rec1.next() && !gs.nil(addUsr) && !gs.nil(toGrp)) {
  rec1.initialize();
  rec1.user = addUsr;
  rec1.group = toGrp;
  rec1.insert();
}





Kind Regards,


Michel Conter


View solution in original post
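The answer above suggests verifying the group before linking a user to it. The following is an added example, not part of the original post or of ServiceNow's own code: it refuses to write a sys_user_grmember row unless both sys_ids resolve to existing records, which is what prevents orphaned memberships like the ones described in the question. The helper name addUserToGroup, the status strings, the TABLES data and the GlideRecord stand-in are assumptions made so the logic runs outside an instance.

```javascript
// Constructed in-memory tables standing in for a ServiceNow instance.
const TABLES = {
  sys_user: [{ sys_id: 'u1' }],
  sys_user_group: [{ sys_id: 'g1' }],
  sys_user_grmember: []
};

// Minimal stand-in for the platform's GlideRecord, only so this runs offline.
// On an instance, drop TABLES and this class and keep addUserToGroup().
class GlideRecord {
  constructor(table) { this.table = table; this.filters = []; this.rows = []; }
  get(id) { return TABLES[this.table].some(r => r.sys_id === id); }
  addQuery(field, value) { this.filters.push([field, value]); }
  query() {
    this.rows = TABLES[this.table].filter(
      r => this.filters.every(([f, v]) => r[f] === v));
  }
  hasNext() { return this.rows.length > 0; }
  initialize() { this.user = ''; this.group = ''; }
  insert() {
    const sys_id = 'm' + (TABLES[this.table].length + 1);
    TABLES[this.table].push({ sys_id, user: this.user, group: this.group });
    return sys_id;
  }
}

// Hypothetical helper: returns a status string so the transform can log skips.
function addUserToGroup(userId, groupId) {
  userId = String(userId || '');
  groupId = String(groupId || '');
  if (!userId || !groupId) return 'skipped: empty reference';
  // Both sys_ids must resolve to real records before a link row is written.
  if (!new GlideRecord('sys_user').get(userId)) return 'skipped: unknown user';
  if (!new GlideRecord('sys_user_group').get(groupId)) return 'skipped: unknown group';

  var member = new GlideRecord('sys_user_grmember');
  member.addQuery('user', userId);
  member.addQuery('group', groupId);
  member.query();
  if (member.hasNext()) return 'skipped: already a member';

  member.initialize();
  member.user = userId;
  member.group = groupId;
  member.insert();
  return 'inserted';
}
```

In an onAfter transform script the call would take target.sys_id and the group sys_id returned by the import's own lookup, and any 'skipped' status can be written to the import log for review.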

14 REPLIES 14

What's the field type for u_members and the length?


Resolved. The import set table that I was using the field u_managers was 40 length. I increased to 255. It is working well now.


Hi Michel,


I have the same issue. Users imported from AD are not added to a group. I'm thinking of making use of your script given in this discussion. Can you please clarify what you mean by


var toGrp = 'Your_Group_SysID_here';


I have distribution lists stored in a table (u_distribution_group) and this is where I want the users to be visible, similar to what we have in Groups in ServiceNow. In this case, how do I define sysID here?


Thanks in advance.


Hi Michel,



We are facing the same issue but the other way around:

Our Group Members list [sys_user_grmember] is showing empty users in some cases.






JamesEcoStratus
Mega Guru

Thanks for posting justin.drysdale. Thanks for added insight Michel Conter