We have had many customers demanding that disabled Active Directory user accounts are not imported into the SCSM CMDB through the Active Directory Connector. This can be achieved fairly easily with the LDAP filters introduced in SCSM 2012. This post demonstrates how to set up such a connector.
In my current test environment, I have an AD Connector set up to import all users and groups without any LDAP filter. With this setup, all users (and groups) from AD are imported, including disabled accounts. As an example, see the imported Guest account in the screenshot below:
So let us delete this AD Connector and create a new one. The important configuration is found in the wizard step Select objects. Choose the option Provide LDAP query filters for computers, printers, users, or user groups (advanced), tick the checkbox next to Users or User Groups, and enter the following LDAP filter in the textbox:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Click Test Queries to validate the query.
Complete the wizard, save the connector and wait for it to finish synchronizing. Then check the CMDB again:
The Guest account is no longer here. Cool! 🙂
The Active Directory attribute that records whether an account is disabled is named userAccountControl. It is a bitmask property (the disabled state is the ACCOUNTDISABLE flag, bit value 2), which is why the LDAP query we entered in the connector configuration uses the bitwise AND matching rule (OID 1.2.840.113556.1.4.803) rather than a plain equality comparison: a plain equality such as (userAccountControl=514) would only match accounts with exactly that combination of flags, while the bitwise rule matches any account that has the disabled bit set, whatever other flags it carries. You can read more about bitwise filters here.
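To make the bitmask semantics concrete, here is an added Python example (not from the original post, and not SCSM or connector code) that evaluates the LDAP bitwise matching rules over a few constructed userAccountControl values. It shows which sample accounts the connector filter (!(userAccountControl:1.2.840.113556.1.4.803:=2)) keeps and which it drops, and how the complementary non-negated filter selects exactly the disabled accounts. The sample user list, the parse and evaluate function names, and the flag combinations are constructed for illustration; the flag bit values and matching-rule OIDs are the documented Active Directory ones.

```python
import re

# Documented userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Extensible-match rule OIDs for bitwise comparison in AD LDAP filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all bits in value set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit in value set

# Accepts "(attr:oid:=n)" or its negation "(!(attr:oid:=n))". Hypothetical
# helper: a minimal parser for this one filter shape, not a full LDAP parser.
_BITWISE_FILTER = re.compile(
    r"^\((?P<neg>!\()?(?P<attr>\w+):(?P<rule>[\d.]+):=(?P<value>\d+)\)(?(neg)\))$"
)


def parse_bitwise_filter(filter_str):
    """Return (negated, attribute, rule_oid, value) for a simple bitwise filter."""
    m = _BITWISE_FILTER.match(filter_str.strip())
    if not m:
        raise ValueError(f"not a simple bitwise filter: {filter_str!r}")
    return (m.group("neg") is not None, m.group("attr"), m.group("rule"), int(m.group("value")))


def evaluate_bitwise_filter(filter_str, entry):
    """Evaluate the filter against one directory entry (a dict of attributes)."""
    negated, attr, rule, value = parse_bitwise_filter(filter_str)
    attr_value = entry.get(attr)
    if attr_value is None:
        # RFC 4511: an absent attribute makes the inner filter Undefined, and
        # NOT of Undefined is still Undefined, so the entry does not match.
        return False
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        matched = (attr_value & value) == value
    elif rule == LDAP_MATCHING_RULE_BIT_OR:
        matched = (attr_value & value) != 0
    else:
        raise ValueError(f"unsupported matching rule OID: {rule}")
    return (not matched) if negated else matched


def select_accounts(filter_str, users):
    """Return the sAMAccountNames of entries the filter would import."""
    return [u["sAMAccountName"] for u in users if evaluate_bitwise_filter(filter_str, u)]


# Constructed sample data, not taken from any real domain. The decimal
# values are what you would see in the raw attribute.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},                                         # 512, enabled
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},                    # 66048, enabled
    {"sAMAccountName": "Guest", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD},  # 66050, disabled
    {"sAMAccountName": "svc-old", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},                      # 514, disabled
]

# The filter from the connector configuration and its complement.
CONNECTOR_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
DISABLED_ONLY_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


if __name__ == "__main__":
    print("imported by connector:", select_accounts(CONNECTOR_FILTER, SAMPLE_USERS))
    print("disabled accounts    :", select_accounts(DISABLED_ONLY_FILTER, SAMPLE_USERS))
```

Note that Guest and svc-old carry different flag combinations (66050 versus 514), yet both are excluded by the single bitwise filter; a plain equality on either value would miss the other. The bit-OR rule (OID ...804) is included for completeness: it is the one to use when you want to match entries that have any of several flags set.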
But it is not syncing my printers and computers. Can you tell me how to add computers and printers?
Try ticking the checkbox and use “(cn=*)” as the LDAP filter criteria (without quotation marks).
Thank you Boss, that helped. Can you guide me to a good article which would help me with more LDAP queries, like syncing with a particular OU only or users in particular departments?
This would be a good starting point: http://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
This is helpful. However, what I’m seeing is accounts returned by searches that no longer exist in AD; removed user accounts. How can we purge these accounts?
The AD Connector does not remove accounts which no longer exist in AD. You have to take care of this yourself (with a custom script/workflow/runbook).