The goal of this blog is to highlight best practices for SCSM Active Directory Connector syncs. There are some things you should be aware of regarding the AD Connector in order to have only the objects you require for ITSM in the CMDB, which will help make your processes more efficient.

For those new to SCSM: The AD connector is a one-way connector between Service Manager and AD Domain Services to import users, groups, printers and computers into the CMDB.

As a rule, you should only sync Users and Groups with the AD Connector and, if they are managed by Active Directory, network printers. It is generally not best practice to sync Computer objects from AD unless you do not use Configuration Manager for endpoint management. If you have servers without the SCCM agent, bring those in through Operations Manager or the Cireson Asset Management Import Connector rather than the AD connector.

Best practice is to filter out service accounts, admin accounts, test accounts, training accounts, and any other non-user accounts. To that end, use LDAP filters when creating AD connectors. For Users and Groups, if you keep them in specific OUs, target those OUs directly rather than the root of the domain (if this requires multiple connectors, so be it).

Typical AD Connectors:

AD Connectors

Always run these queries in AD first to validate the values returned. As you add new values, add them one at a time and check what is returned. If you add them all at once and something breaks or is typed incorrectly, you will spend time figuring out which one is causing the issue. When the values are returned, sort by Display Name, Username and Last Name to help identify common naming conventions for accounts you can exclude.


AD Connector LDAP Filter Syntax

Start with:

Possible additions:

Then use the following as necessary to remove unwanted user accounts:

Examples

Here is an example of the first query combined with the 4 example exclusions:
Each new clause is entered as its own ( ) group inside the outer (& ... ), and a final closing ) is added at the end.

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!sAMAccountName=*_admin)(!sn=Test)(!DisplayName=SQL*)(!sAMAccountName=*_service))
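The post advises running the query in AD first and adding exclusions one at a time. The following PowerShell is an added example (not from the original post or the SCSM product) that does exactly that with the RSAT ActiveDirectory module: it starts from the base filter, appends each exclusion in turn, reports how many users each clause removes, and finally lists the survivors sorted by Display Name, Username and Last Name. The search base OU and the function name are assumptions.

```powershell
# Added example: validate an AD Connector LDAP filter clause by clause before
# pasting it into SCSM. Assumes the RSAT ActiveDirectory module is installed and
# that $SearchBase points at the OU the connector will target (placeholder value below).
Import-Module ActiveDirectory

function Test-ConnectorLdapFilter {
    param(
        [string]$SearchBase,      # e.g. 'OU=Users,DC=corp,DC=example' (placeholder, not a real domain)
        [string[]]$Exclusions     # clauses added one at a time, e.g. '(!sAMAccountName=*_admin)'
    )
    # Base filter from the post: user objects that are not disabled.
    # userAccountControl bit 2 = ACCOUNTDISABLE; the OID is the LDAP bitwise-AND matching rule.
    $clauses = @('(objectCategory=person)', '(objectClass=user)',
                 '(!userAccountControl:1.2.840.113556.1.4.803:=2)')
    $previous = $null
    $users = @()
    foreach ($clause in (@('') + $Exclusions)) {
        if ($clause) { $clauses += $clause }
        $filter = '(&' + ($clauses -join '') + ')'
        $users = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties DisplayName)
        $count = $users.Count
        $delta = if ($null -ne $previous) { " (removed $($previous - $count))" } else { '' }
        Write-Host ("{0,6} users  <- {1}{2}" -f $count, $filter, $delta)
        $previous = $count
    }
    # Sorted output, as the post suggests, to spot naming conventions that still need an exclusion
    $users | Sort-Object DisplayName, SamAccountName, Surname |
        Select-Object DisplayName, SamAccountName, Surname, Enabled
}

# The four exclusions from the post, applied incrementally against a placeholder OU
Test-ConnectorLdapFilter -SearchBase 'OU=Users,DC=corp,DC=example' -Exclusions @(
    '(!sAMAccountName=*_admin)',
    '(!sn=Test)',
    '(!DisplayName=SQL*)',
    '(!sAMAccountName=*_service)'
)
```

A clause that removes zero users is either unnecessary or mistyped; a clause that removes far more than expected is the one to inspect before it reaches the connector.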


More Best Practices
  • Consider automating a workflow that identifies obsolete Active Directory objects and moves them to OUs that are not targeted by any connector.
  • Be sure to select the option ‘Do not write null values for properties not set in Active Directory’. This setting ensures the connectors do not overwrite existing CI values with NULL.
  • When implementing multiple AD connectors, stagger the schedules so they do not all run at the same time, and make sure they do not run during backup or other maintenance windows.
  • AD Connector deletion: never delete an AD connector without first disabling it, creating the replacement AD connector and letting the new connector complete its synchronization.