reactivated deleted AD accounts

Kirk2
Giga Contributor

We currently sync our SNOW users with our AD accounts nightly to ensure all new employees are added to SNOW automatically. We currently coalesce on the ObjectGUID as it's the only field that is guaranteed to be different between users.

When Security disables the AD account for a user, SNOW automatically disables their account in SNOW.

When the employee comes back, their account is automatically reactivated.

We are running into a bit of a challenge when a user is DELETED from our AD. Service Now will deactivate them properly, which is a good thing. The challenge is when the user is rehired a month or so later: Service Now cannot reactivate them, as their user info is already in the system and they have a different ObjectGUID.

Surely we are not the only company to have this issue. Anyone???


Thanks

Kirk


prdelong
Kilo Guru

Set up another transform map on the table but do not use GUID as the coalesce value. Use email or sAMAccountName or something else unique.



To be honest, my biggest question is why you are deleting these users from AD if you are going to rehire them down the line.


Kirk2
Giga Contributor

Great suggestion, and I will give it a try...


Re: deleting accounts, once a person has left the company permanently (they quit, contract not renewed, retired, etc.), the process is to delete their AD account. This is where the business will come back weeks later and rehire the person on a temp contract.


It's a pain point, but that's their process and I have no control or influence over it... I just need to find a workaround.


Thanks for the help.


Joe_Semones
Mega Contributor

We had a similar problem, with a twist. Once a user account was deleted in AD, an account with the same samAccountName could be created for a different user. ServiceNow dislikes having a new user using the account that has been disabled and automatically locks the account.



The best practice is to have Security stop deleting the accounts. Just leave them disabled and avoid the grief.


Bill_Collins
Mega Guru

If the occurrence is low, I would manually replace the ObjectGUID in SNC and let it go from there. If it is more frequent, you can match on something else, like samaccountname, and force an objectGUID replacement.
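A sketch of the "match on something else and force an objectGUID replacement" logic from the replies, with a guard for the reused-samAccountName case Joe describes. This is an added example, not code from the thread or from ServiceNow; the in-memory user table, the field names and the email cross-check are assumptions, and in a real instance this decision would sit in a transform map script.

```javascript
// Constructed sample of existing sys_user rows (sample data, not real users).
// u1 is a previously deleted-and-deactivated employee being rehired.
const users = [
  { sys_id: 'u1', objectGUID: 'guid-old-1', sAMAccountName: 'jdoe',   email: 'jdoe@example.com',   active: false },
  { sys_id: 'u2', objectGUID: 'guid-2',     sAMAccountName: 'asmith', email: 'asmith@example.com', active: true  },
];

// Decide how an incoming AD record should be reconciled against the user table.
// Returns { action, user } where action is 'update', 'rebind', 'review' or 'insert'.
function reconcile(table, adRecord) {
  // 1. Normal coalesce: ObjectGUID is stable for an account that still exists.
  const byGuid = table.find(u => u.objectGUID === adRecord.objectGUID);
  if (byGuid) return { action: 'update', user: byGuid };

  // 2. Fallback coalesce: same samAccountName but a new GUID (deleted, then recreated).
  const bySam = table.find(
    u => u.sAMAccountName.toLowerCase() === adRecord.sAMAccountName.toLowerCase());
  if (!bySam) return { action: 'insert', user: null };

  // 3. Guard: a recycled samAccountName may belong to a different person.
  //    Require a second attribute (assumed here: email) to agree before the old
  //    record, with its history and group memberships, is handed to the new GUID;
  //    otherwise leave it for a human to check.
  if (bySam.email.toLowerCase() !== adRecord.email.toLowerCase()) {
    return { action: 'review', user: bySam };
  }
  return { action: 'rebind', user: bySam };
}

// Apply the decision. Rebinding replaces the stored GUID and reactivates the
// old record; 'review' deliberately changes nothing.
function applyAd(table, adRecord) {
  const { action, user } = reconcile(table, adRecord);
  if (action === 'insert') {
    table.push({ sys_id: 'new-' + table.length, ...adRecord, active: true });
  } else if (action === 'rebind') {
    user.objectGUID = adRecord.objectGUID;
    user.active = true;
  } else if (action === 'update') {
    user.active = adRecord.enabled !== false; // disabled in AD stays disabled here
  }
  return action;
}
```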