question Remove existing users from LDAP import and still have them work as local users in SysAdmin forum

Remove existing users from LDAP import and still have them work as local users

Brent Cox — Fri, 20 Dec 2024 14:49:58 GMT

I have 175 users that are currently being imported from AD and authenticating based on that account. I need to make sure those users are switched over to local SNOW accounts so they can still access the instances even when their AD accounts are deactivated. If I simply remove them from the LDAP import, can their accounts continue to exist as 'local accounts'? Would it retain their last AD password as a local password? Thanks!

Re: Remove existing users from LDAP import and still have them work as local users

JenniferRah — Fri, 20 Dec 2024 15:59:15 GMT

I believe best practice for this would be to create separate local accounts for them. For example, in our instances, admin accounts are created as local accounts and not synched to AD, but our normal user accounts are synched.

If you truly need to have the accounts exist in AD but not be synched, maybe you could move them to a different OU? Or alter your search criteria in your LDAP filter?

Re: Remove existing users from LDAP import and still have them work as local users

Brent Cox — Fri, 20 Dec 2024 16:42:35 GMT

Well the problem is these accounts in AD are going to be deactivated entirely. We are still having to support these users for 6 months though, so I need to find the best way to still make sure they have access to SNOW. I was just hoping to eliminate creating 175 additional local accounts if it was possible.

Re: Remove existing users from LDAP import and still have them work as local users

JenniferRah — Fri, 20 Dec 2024 17:04:07 GMT

They are going to deactivate the accounts before the users' access needs to be removed?

I guess if they moved them into a different OU (that you aren't synching) and then deactivated them, that might work. However, if their AD account is deactivated and you use SSO, I'm guessing they won't be able to login, so creating a local account might be needed.

But that presents a whole other load of issues... the sys_ids of the accounts will be different, so anything previously assigned to them or any roles they had would have to be re-constructed. Ew. That's a tough one.

Maybe you could ask your management if their AD accounts could be left activated but their access to other systems could be removed by removing them from AD groups (or however you do it there) so that they could still have access to ServiceNow?

Re: Remove existing users from LDAP import and still have them work as local users

Brent Cox — Fri, 20 Dec 2024 17:10:40 GMT

Yep, it's quite the unique situation. Basically this one site was sold off but we still need to support them for 6 months. They are creating their own AD (but not right away) and they won't let us keep the accounts active. I unfortunately think the only solution is to create local accounts and deal with the new sys ids. LUCKILY 95% of the users are just end users that don't need specific roles, but still.