The goal of this post is to highlight best practices for SCSM Active Directory Connector syncs. There are some things you should be aware of regarding the Active Directory Connector in order to get only the objects you actually need for ITSM into the CMDB, which in turn makes your processes more efficient.
For those new to SCSM: the Active Directory connector is a one-way connector that imports users, groups, printers and computers from Active Directory Domain Services into the Service Manager CMDB. Nothing is ever written back to AD.
As a rule, sync only Users and Groups with the AD connector and, if they are managed in Active Directory, network printers. It is generally not best practice to sync Computer objects from AD unless you do not use Configuration Manager for endpoint management: the Configuration Manager connector brings in hardware and software inventory that an AD computer object does not carry. If you have servers without the SCCM agent, bring those in through the Operations Manager CI connector or the Cireson Asset Management Import Connector rather than the AD connector.
Best practice is to filter out service accounts, admin accounts, test accounts, training accounts, and any other non-user accounts. To that end, use LDAP filters when creating Active Directory connectors. For Users and Groups, if they live in specific OUs, target those OUs directly rather than the root of the domain (if that requires multiple connectors, so be it). Scoping to an OU also limits the blast radius of a mistyped filter: a bad filter against the domain root can pull every account in the forest into the CMDB.
Typical Active Directory Connectors:
Always run these queries against AD first to validate the values returned. As you add new clauses, add them one at a time and check what comes back. If you add them all at once and something goes wrong or is typed incorrectly, you will spend time figuring out which clause is causing the issue. When the results are returned, sort by Display Name, Username and Last Name to identify any further naming conventions for accounts you can exclude.
Active Directory Connector LDAP Filter Syntax
Then use the following clauses as necessary to remove unwanted user accounts:
Here is an example of the first query combined with the 4 exclusion examples given:
Each additional clause is wrapped in its own parentheses and placed inside the outer AND expression, i.e. between the opening (&( and the final closing ), and the final closing parenthesis is added once at the very end of the filter. An unbalanced parenthesis is the most common reason a connector returns nothing at all.
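The following PowerShell script is an added example and is not code from the original post. It walks the procedure above: it starts from a base filter, appends one exclusion clause at a time, runs each step against AD with Get-ADUser so you see exactly how many accounts each clause removes, prints the finished filter to paste into the connector wizard, and finally sorts the survivors by display name, username and surname to surface naming conventions you have not excluded yet. The OU path and the svc_/adm_/test prefixes are assumptions; substitute your own conventions.

```powershell
# Added example, not from the original post: build the connector's LDAP filter
# one clause at a time and validate each step against AD with Get-ADUser before
# pasting the finished filter into the connector wizard. The OU path and the
# svc_/adm_/test naming prefixes are assumptions; substitute your own.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=corp,DC=example,DC=com'   # assumed OU targeted by the connector

# Base clauses: enabled user accounts only
$baseClauses = @(
    '(objectCategory=person)',
    '(objectClass=user)',
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'   # bit 2 = ACCOUNTDISABLE
)

# Exclusions, applied one at a time so a typo or an over-broad pattern is obvious
$exclusions = @(
    '(!(sAMAccountName=svc_*))',     # service accounts (assumed prefix)
    '(!(sAMAccountName=adm_*))',     # admin accounts (assumed prefix)
    '(!(sAMAccountName=test*))',     # test accounts (assumed prefix)
    '(!(description=*training*))'    # training accounts (assumed description text)
)

function New-LdapAndFilter([string[]]$Clauses) {
    # AND every clause together: (&(clause1)(clause2)...)
    return '(&' + ($Clauses -join '') + ')'
}

function Get-FilteredUsers([string]$Filter) {
    $params = @{
        LDAPFilter  = $Filter
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Properties  = 'DisplayName', 'Description'
    }
    # @() so that zero or one result still has a usable .Count
    return @(Get-ADUser @params)
}

$clauses = $baseClauses
$users   = Get-FilteredUsers (New-LdapAndFilter $clauses)
"Baseline: {0} enabled users under {1}" -f $users.Count, $SearchBase

foreach ($exclusion in $exclusions) {
    $before   = $users.Count
    $clauses += $exclusion
    $users    = Get-FilteredUsers (New-LdapAndFilter $clauses)
    "{0,-32} removed {1,5}, {2,6} remain" -f $exclusion, ($before - $users.Count), $users.Count
}

"Final filter for the connector:"
New-LdapAndFilter $clauses

# Sort what is left by display name, username and surname to spot naming
# conventions that still need an exclusion clause.
$users | Sort-Object DisplayName, SamAccountName, Surname |
    Select-Object DisplayName, SamAccountName, Surname, Description |
    Format-Table -AutoSize
```

Run it from a workstation with the RSAT Active Directory module against the same OU you intend to target. A clause that removes zero accounts is usually a typo; one that removes far more than expected is a wildcard that is too broad. Only paste the printed filter into the connector once every step behaves as you expect.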
More Best Practices
- Consider automating a workflow that identifies obsolete Active Directory objects (disabled or long-inactive accounts) and moves them to OUs that are not targeted by any connector, so the connector stops refreshing them in the CMDB.
- Be sure to select the option 'Do not write null values for properties not set in Active Directory'. This setting ensures the connector does not overwrite existing CI values with NULL when the attribute is empty in AD.
- When implementing multiple Active Directory connectors, stagger their schedules so they do not all run at the same time, and make sure none of them run during backup or other maintenance windows.
- Active Directory connector deletion: never delete an Active Directory connector without first disabling it, creating a new Active Directory connector, and letting the new connector complete a full synchronization. Deleting a connector also removes the items it imported, so the CMDB would otherwise be left without those users and groups until the replacement has synced.
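The following PowerShell script is an added example of the stale-object workflow from the first bullet above; it is not code from the original post. It finds user accounts in the connector-targeted OU that are disabled or have not logged on for a set number of days, skips privileged accounts and brand-new accounts that simply have never logged on, moves the rest to an archive OU that no connector targets, and writes a CSV log of what it did. The OU paths, the 90-day threshold and the log path are assumptions, and the script runs with -WhatIf so it reports rather than moves until you remove that switch.

```powershell
# Added example, not from the original post: move stale user accounts out of the
# OU the connector targets into an archive OU it does not, so they drop out of
# the sync. OU paths, the 90-day threshold and the log path are assumptions.
# Run as written (-WhatIf) first; remove -WhatIf to actually move objects.
Import-Module ActiveDirectory

$StaleDays = 90
$SourceOU  = 'OU=Staff,DC=corp,DC=example,DC=com'          # targeted by the connector
$ArchiveOU = 'OU=Stale Accounts,DC=corp,DC=example,DC=com' # not targeted by any connector
$LogPath   = "$env:TEMP\StaleAccountMoves.csv"

# Candidates: accounts that are disabled, or have no logon in $StaleDays days.
# -AccountInactive evaluates lastLogonTimestamp, which replicates with up to a
# 14-day lag, so keep the threshold comfortably above that.
$inactive = Search-ADAccount -UsersOnly -SearchBase $SourceOU -AccountInactive -TimeSpan (New-TimeSpan -Days $StaleDays)
$disabled = Search-ADAccount -UsersOnly -SearchBase $SourceOU -AccountDisabled
$candidates = @($inactive) + @($disabled) | Sort-Object DistinguishedName -Unique

$moves = foreach ($candidate in $candidates) {
    $user = Get-ADUser $candidate.DistinguishedName -Properties whenCreated, LastLogonDate, adminCount

    # Never touch privileged accounts with an automated move; review those by hand.
    if ($user.adminCount -eq 1) { continue }

    # An enabled account created inside the window that has never logged on is new, not stale.
    if ($user.Enabled -and $user.whenCreated -gt (Get-Date).AddDays(-$StaleDays)) { continue }

    Move-ADObject -Identity $user.DistinguishedName -TargetPath $ArchiveOU -WhatIf

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Enabled        = $user.Enabled
        LastLogonDate  = $user.LastLogonDate
        From           = $user.DistinguishedName
        To             = $ArchiveOU
        MovedAt        = Get-Date
    }
}

$moves | Export-Csv -Path $LogPath -NoTypeInformation
"{0} account(s) selected; log written to {1}" -f @($moves).Count, $LogPath
```

Schedule this as a task that runs before the connector's sync window rather than during it, so the connector never picks up an object mid-move. Keep the CSV log: it is the evidence you will want when someone asks why a user disappeared from the CMDB.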