Populating ADAM Objects
ADAM objects include User objects, UserProxy objects, and Group objects.
User Objects
Users can be created using the ADAM ADSI Edit console, just as we did for OU creation. Users can also be administered using AD command-line tools, which is beyond the scope of this document. The only mandatory attribute for a new user object is cn, which is a short name or the user's full name. There is also a wide range of optional attributes similar to Active Directory user attributes. You can see the full list of attributes by opening the Properties of the user object.
UserProxy Objects
For ServiceNow LDAP integration we recommend you use UserProxy objects in ADAM. A UserProxy object is a proxy account that links to the related AD user account. This allows ADAM to authenticate logon credentials using AD usernames and passwords from the domain without ServiceNow connecting directly to the Domain Controller. UserProxy objects are very similar to AD and ADAM User objects, except that they do not store passwords and have an objectSID attribute that contains the SID of the linked AD User object. This SID is how the proxy works: a bind against the proxy is redirected to AD for password validation. UserProxy objects can be created using the ADSIEdit console or command-line tools, but this is tedious. It is recommended that you use an automated process as described below.
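Because a UserProxy object is nothing more than a cn plus the linked AD user's SID, the tedious part of creating them by hand is getting the binary objectSid right. The following script is an added example, not part of the original document or of ServiceNow's tooling: it converts textual SIDs (S-1-5-21-...) to their binary form and emits LDIF add records for userProxy objects that ldifde can import. The partition DN, the ou=Users container and the two sample rows are constructed assumptions; it also assumes the userProxy object class is present in the ADAM schema.

```python
import base64
import struct

# Constructed sample input (not from the original document): each row is a
# cn for the proxy and the objectSid of the linked Active Directory user.
SAMPLE_ROWS = [
    ("alice", "S-1-5-21-1004336348-1177238915-682003330-1001"),
    ("bob", "S-1-5-21-1004336348-1177238915-682003330-1002"),
]

# Assumed partition and container; substitute your own.
PARTITION_DN = "dc=myCompany,dc=adam"
USERS_OU = "ou=Users," + PARTITION_DN


def sid_to_bytes(sid: str) -> bytes:
    """Textual SID (S-R-I-S1-S2-...) to the binary layout AD stores:
    1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then each sub-authority as a 32-bit
    little-endian integer."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 1 <= len(subs) <= 15:
        raise ValueError(f"unsupported SID: {sid!r}")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def user_proxy_ldif(cn: str, sid: str) -> str:
    """One LDIF add record for a userProxy. objectSid is binary, so LDIF
    carries it base64-encoded after '::'. No password attribute is written:
    binds to the proxy are validated against AD via this SID."""
    sid_b64 = base64.b64encode(sid_to_bytes(sid)).decode("ascii")
    return (
        f"dn: cn={cn},{USERS_OU}\n"
        "changetype: add\n"
        "objectClass: userProxy\n"
        f"cn: {cn}\n"
        f"objectSid:: {sid_b64}\n"
    )


def build_ldif(rows) -> str:
    """Join records with a blank line, the separator ldifde expects."""
    return "\n".join(user_proxy_ldif(cn, sid) for cn, sid in rows)


if __name__ == "__main__":
    print(build_ldif(SAMPLE_ROWS))
```

The cn values are assumed to be plain (no commas or other DN special characters); SIDs are copied from the AD user objects, so a mistyped SID produces a proxy that never authenticates rather than one that authenticates the wrong person.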
Group Objects
Groups are created using the ADSIEdit console or AD command-line tools. Group concepts are similar to AD, and groups are used to integrate groups and their members into ServiceNow. The biggest difference is that ADAM groups can contain members from ADAM or from trusted AD domains.
Automating ADAM Object Creation
If you are interested in synchronizing Active Directory accounts to ADAM, we recommend you use the Microsoft ADAMSync tool. This is the most common use of ADAM for ServiceNow LDAP integration.
About Permission Delegation
ADAM contains some built-in groups with default permissions. These groups are found in the container cn=roles,dc=myCompany,dc=adam. They are similar to domain-level groups and have rights to objects in the current partition. Similar to AD forests, you can also set a higher level of permissions using the default groups in cn=roles,cn=configuration,dc=myCompany,dc=adam; to see them you must connect to the configuration partition in ADSIEdit. The Administrators group by default includes the account specified during setup. This member is not always visible, since the membership is inherited through the configuration-partition groups. Administrators have full control of all partition objects. The Readers group does not contain any members by default and has read access to all objects in the partition. The Users group is a dynamic group, just as it is in Active Directory: transitively, it includes all ADAM users created in the partition.