Optimizing Unrestricted User Licensing - Identifying Required Users via AD Groups
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-28-2026 12:24 PM
Hi Community,
We're working to optimize our ServiceNow licensing costs for products using the Unrestricted User model (IRM, BCM, and AppEngine) and looking for guidance on user population management strategies.
Background: Per our ServiceNow representative, our IRM, BCM, and AppEngine products are licensed via the Unrestricted User model, which is based on every active user in the User (sys_user) table. We currently pay for 5,124 active users, but we suspect many of these users may not actually need access to our ServiceNow processes.
Our Goal: We want to rightsize our sys_user table to include only users who actually require access for existing business processes, rather than syncing all active directory users by default.
Our Approach:
- Audit existing processes - Review each ServiceNow process to identify which user groups are actually required
- Identify ungrouped users - Determine if users without EGRC AD group assignments are actually participating in any processes
- Create targeted AD groups - Work with our Product team to establish specific AD groups for legitimate process participants
- Modify AD integration - Adjust our Active Directory integration to populate sys_user only with members of these identified groups
Questions for the Community:
Has anyone successfully reduced Unrestricted User licensing costs through AD group management?
- What was your process for identifying truly necessary users?
- What percentage reduction did you achieve?
What's the best approach for auditing user requirements across processes?
- Automated reporting/queries to identify active users by process?
- Tools or scripts you've used to map users to actual process participation?
- How do you handle edge cases (occasional users, seasonal access, etc.)?
How do you manage AD integration to control sys_user population?
- Do you sync only specific AD groups rather than all users?
- How do you handle new user onboarding to ensure legitimate users get added?
- Any pitfalls or gotchas with filtering AD sync?
What governance did you put in place?
- How do you prevent sys_user table bloat over time?
- Process for requesting new user additions?
- Regular audits or cleanup procedures?
How did you handle stakeholder communication?
- Pushback from departments losing broad access?
- How did you document and justify which users were retained vs. removed?
Licensing implications and best practices:
- Did ServiceNow have any specific requirements or recommendations for this approach?
- Any contract or compliance considerations we should be aware of?
- Is there risk that ServiceNow audits could challenge this approach?
What We're Looking For:
- Real-world examples of successful user table optimization
- Proven methodologies for identifying required users
- Technical approaches for AD group-based user management
- Potential risks or downsides we should consider
- Any queries, reports, or scripts that helped with the analysis
Additional Context:
- We have EGRC (IRM) deployed along with BCM and AppEngine
- Currently syncing broadly from AD, resulting in 5,000+ active users
- Looking to reduce licensing costs while maintaining process functionality
Has anyone tackled a similar challenge? Any guidance would be greatly appreciated!
Thanks in advance!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-28-2026 01:45 PM
Administration: Subscription Management & Licensing || Knowledge & Troubleshooting Resources
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti