Map AD enable value to ServiceNow using LDAP

Admin7267
Kilo Sage

We're storing the AD admin account data in a custom table u_admin, and the issue we're facing is this: when an admin account in AD is inactive, we're trying to get the 'userAccountControl' value from AD and update the same account as inactive in u_admin in ServiceNow.


Now I wanted to validate whether an admin account is active or not using the Enable field in AD, and if Enable is false for a particular account, I wanted to set active to false for that admin account in the custom table u_admin.


@Admin7267 

 

Below is the script include that does the daily import of data from LDAP to the import set table and in turn maps the data to the target table sys_user.

 

https://www.servicenow.com/docs/bundle/zurich-platform-security/page/integrate/ldap/concept/c_LDAPTr...


Refer to the documentation below on how to set a user that is disabled in AD to active=false in the ServiceNow sys_user table using a Business Rule. Use similar logic to create a new business rule, map it to your custom table u_admin, and set the field active=false.

 

https://www.servicenow.com/docs/bundle/zurich-platform-security/page/integrate/ldap/reference/r_Comm...


I do not have an LDAP integration to test this. Please test it in your environment and let me know.

 

Sometimes a post with an external URL is flagged and removed, hence I'm not sharing the Microsoft link. Look up the UserAccountControl property flags on Google.

 

When an account is disabled in AD, the payload in the import set table will have a value of 514 in the field 'u_useraccountcontrol', and you can use it to make the user inactive in ServiceNow.

 

If this helped to answer your query, please mark it helpful & accept the solution. 

 

Thanks,

Bhuvan

Thank you @Bhuvan for the information. Below is the script that we're using for now.

(function runTransformScript(source, map, log, target /*undefined onStart*/) {
    // userAccountControl values observed so far for disabled accounts:
    // 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE, 66050 = the same plus DONT_EXPIRE_PASSWORD
    var disabled = 514;
    var disabled2 = 66050;
    if (source.u_useraccountcontrol == disabled || source.u_useraccountcontrol == disabled2) {
        target.u_active = 'false';
    } else {
        target.u_active = 'true';
    }
})(source, map, log, target);

But AD can send values other than 512 and 66050 as well when an account is set to inactive in AD, depending on other field values of that account (like password never expires).

UserAccountControl property flags - Windows Server | Microsoft Learn


The AD team can't provide all the possible values for when an account is inactive in AD.

Now we can only rely on the enable field in AD.

@Admin7267 

 

You have 2 options:

 

Option 1: Check with your AD admin, identify the potential values that could be received for a disabled user in the u_useraccountcontrol field, and map them in the transform script.

 

Option 2: Identify an extension attribute that can be used to map the enabled field from AD to the ServiceNow import set map, and use that field in the transform map to set active=false in the custom table.

 

Below are the steps to add extension attributes for the Azure AD - ServiceNow integration. Please check with your AD administrator on the steps to send the payload for extension attributes, and test it.

 

https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes

 

Please delete your reply with the XML payload as it might contain sensitive information.

 

If this helped to answer your query, please mark it helpful & accept the solution. 

 

Thanks,

Bhuvan
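A bit-test alternative to the concern raised earlier in the thread (userAccountControl arriving as values other than 514 or 66050) and to Option 1: this is an added example, not code from either poster. It decodes the ACCOUNTDISABLE bit rather than enumerating decimal values, assumes the import-set field name u_useraccountcontrol from the thread, and takes its flag values from Microsoft's documented UserAccountControl property flags.

```javascript
// Added example (not from the thread): userAccountControl is a bit field, so a
// disabled account is any value with the ACCOUNTDISABLE bit set, whatever other
// flags (password never expires, locked out, ...) are combined with it.
// Flag values are Microsoft's documented UserAccountControl property flags.
var UAC_FLAGS = {
  ACCOUNTDISABLE: 0x0002,
  LOCKOUT: 0x0010,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
  PASSWORD_EXPIRED: 0x800000
};

// Returns true when the ACCOUNTDISABLE bit is set. The LDAP payload delivers
// the attribute as a string, so parse it first; an unparseable or empty value
// is reported as null so the caller can decide not to touch the record.
function isAccountDisabled(uacValue) {
  var uac = parseInt(uacValue, 10);
  if (isNaN(uac)) {
    return null;
  }
  return (uac & UAC_FLAGS.ACCOUNTDISABLE) !== 0;
}

// Names of the flags present in a value, handy for logging why a record was
// marked inactive (e.g. 66050 -> ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD).
function describeUac(uacValue) {
  var uac = parseInt(uacValue, 10);
  var names = [];
  for (var name in UAC_FLAGS) {
    if ((uac & UAC_FLAGS[name]) !== 0) {
      names.push(name);
    }
  }
  return names;
}

// Same shape as the transform script body: source is the import set row, target
// the u_admin record. Kept as a plain function so the decision can be tested
// offline with constructed objects; in the transform map call it as
// applyActiveFlag(source, target) inside runTransformScript.
function applyActiveFlag(source, target) {
  var disabled = isAccountDisabled(source.u_useraccountcontrol);
  if (disabled === null) {
    return target; // malformed payload: leave u_active unchanged rather than guess
  }
  target.u_active = disabled ? 'false' : 'true';
  return target;
}
```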

@Admin7267 

 

Did you get a chance to review this?

 

I hope you appreciate the efforts to provide you with detailed information. If my responses helped to guide you or answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan