How to Handle Servicenow AD Group Sync when groups are inactivated or removed from AD
05-15-2025 11:17 PM
I am trying to set up a ServiceNow AD sync using an LDAP configuration and the import set table ldap_group_import.
How do I handle the scenario where groups are removed from AD? How do I remove those groups from ServiceNow?
05-16-2025 12:59 AM
I have seen this handled in 4 different ways over the years. It depends on whether you are getting updates from AD about the inactivated/removed groups or not. And then, for both, there are 2 ways of handling it: manually or automated.
If you don't get any trigger from AD on inactivation/removal of a group, you need some check for that. Are they updated daily/weekly/monthly? Then you can check the timestamp of the latest sync, and if a group is not included, you can assume that it is no longer active in AD.
If you do get that trigger, you map that action to the group record.
In both scenarios you can automate it (remove/inactivate if AD says remove/inactivate), or have a manual task created for the system admin to check whether the group is used anywhere (it would become a mess if the group granting the ITIL role got removed).
Personally, I preferred a hybrid solution: when a group is 'marked' as no longer in AD, check whether any users/roles are added to it and whether it has a type (ITIL/approval/etc.). If not, remove it, because it's no longer in use. If so, create a task for the system admin to check the impact.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
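A scripted version of the hybrid approach from the answer above (stale detection by sync timestamp, impact check, then either inactivate or raise a task). This is an added example, not code from the thread or from ServiceNow. The group objects, the `lastSyncedAt` field, the two-day grace window and the in-memory `adapter` are all assumptions so the script runs offline; in an instance each adapter call would be a GlideRecord query on sys_user_group, sys_user_grmember or sys_group_has_role, and an insert into a task table. Stale groups are set inactive rather than deleted so that old tickets and assignment groups that still reference them do not end up with dangling references.

```javascript
// Added example (not from the thread): hybrid clean-up of AD-sourced groups that
// the latest LDAP import no longer returned. The "adapter" is an in-memory
// stand-in so the script runs offline; in an instance the same calls would be
// GlideRecord queries/inserts on sys_user_group, sys_user_grmember,
// sys_group_has_role and a task table. Field names source/type/lastSyncedAt
// on the group objects are assumptions.

var DAY_MS = 24 * 60 * 60 * 1000;
var GRACE_MS = 2 * DAY_MS; // assumed daily import: absent from two runs = gone from AD

function isStale(group, lastSyncTime, graceMs) {
  // Every group AD still returns is touched by each import, so its timestamp
  // moves forward; a group AD dropped keeps its old one. Groups without an
  // LDAP source were created locally and are never AD-managed.
  if (!group.source || !group.active) return false;
  return lastSyncTime - group.lastSyncedAt > graceMs;
}

function impactOf(group, adapter) {
  return {
    members: adapter.memberCount(group.sysId),
    roles: adapter.roleNames(group.sysId),
    types: group.type || []
  };
}

function decide(impact) {
  // Hybrid rule: unused group -> inactivate; anything still carrying
  // members, roles or a type -> human review.
  var inUse = impact.members > 0 || impact.roles.length > 0 || impact.types.length > 0;
  return inUse ? 'review' : 'deactivate';
}

function reconcile(groups, adapter, lastSyncTime) {
  var outcome = { deactivated: [], reviewTasks: [] };
  groups.forEach(function (g) {
    if (!isStale(g, lastSyncTime, GRACE_MS)) return;
    var impact = impactOf(g, adapter);
    if (decide(impact) === 'deactivate') {
      adapter.deactivate(g.sysId); // inactivate, do not delete: old records still reference it
      outcome.deactivated.push(g.name);
    } else {
      var id = adapter.createTask(
        'Group "' + g.name + '" no longer in AD: ' + impact.members + ' member(s), roles [' +
        impact.roles.join(', ') + '], types [' + impact.types.join(', ') +
        ']. Verify impact before removal.'
      );
      outcome.reviewTasks.push({ group: g.name, task: id });
    }
  });
  return outcome;
}

// Constructed sample data standing in for sys_user_group and its related tables.
function makeAdapter() {
  var groups = [
    { sysId: 'g1', name: 'AD-Legacy-Printers', source: 'CN=Legacy-Printers,OU=Groups,DC=example,DC=local',
      active: true, type: [], lastSyncedAt: Date.parse('2025-05-10T02:00:00Z') },
    { sysId: 'g2', name: 'AD-Service-Desk', source: 'CN=Service-Desk,OU=Groups,DC=example,DC=local',
      active: true, type: ['itil'], lastSyncedAt: Date.parse('2025-05-11T02:00:00Z') },
    { sysId: 'g3', name: 'AD-Network-Ops', source: 'CN=Network-Ops,OU=Groups,DC=example,DC=local',
      active: true, type: [], lastSyncedAt: Date.parse('2025-05-16T02:00:00Z') },
    { sysId: 'g4', name: 'Change Approvers', source: '', // local group, never synced from AD
      active: true, type: ['approval'], lastSyncedAt: 0 }
  ];
  var members = { g2: 12, g3: 5 };
  var roles = { g2: ['itil'] };
  var tasks = [];
  return {
    groups: groups,
    memberCount: function (id) { return members[id] || 0; },
    roleNames: function (id) { return roles[id] || []; },
    deactivate: function (id) {
      groups.forEach(function (g) { if (g.sysId === id) g.active = false; });
    },
    createTask: function (description) {
      var id = 'TASK' + (tasks.length + 1);
      tasks.push({ id: id, description: description });
      return id;
    },
    tasks: tasks
  };
}

function runExample() {
  var adapter = makeAdapter();
  var lastSync = Date.parse('2025-05-16T02:00:00Z'); // timestamp of the latest LDAP import run
  var outcome = reconcile(adapter.groups, adapter, lastSync);
  return { outcome: outcome, adapter: adapter };
}

console.log(JSON.stringify(runExample().outcome, null, 2));
```

In an instance this would run as a scheduled script after the LDAP import. One caveat on the stale check: it relies on a field the import touches on every run. If your transform map only writes rows whose values changed, `sys_updated_on` will not move for unchanged groups, so either maintain a dedicated last-synced field in the transform script or compare sys_user_group against the rows of the most recent ldap_group_import import set instead.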