What Happens to a User in the CMDB When it is Deleted in Active Directory (AD)?

I’ve had this question so many times lately that I’ve just got to write a blog post about it! 

This is the scenario…

  1. Create an AD connector
  2. Import users (or any other kind of object the connector handles: computers, printers, groups) via that connector
  3. The user account is deleted in Active Directory

What happens to the user in the CMDB?

To answer that question we must understand the CMDB delete logic for configuration items.  When a CI is "deleted" by a user in the console, or programmatically using something like SMLets (unless you use the -Force switch parameter), the CI is not actually deleted from the database.  Its ObjectStatus property simply changes to 'Pending Delete'.  This means it no longer shows up in the Users view in the Configuration Items workspace, because that view is configured to show only items whose ObjectStatus is not equal to Pending Delete.  The user object will, however, still show up in the user picker control on forms and in an object picker dialog, and any objects which have a relationship to that user will still show that relationship.

Most importantly though, it will show up in the Deleted Items view in the Administration workspace.  From here an administrator can click the Remove Item task to permanently delete the user from the database.  At that point the user no longer shows up in the object picker dialog or in the user picker control.  Any previously existing relationships from other objects to the now deleted user are also removed from the database, and the history of all property value changes and relationship adds/removes is deleted from the CMDB as well.  At this point not even the SDK will return this object.  The row actually still exists in the database, but it is flagged as deleted, so for every practical purpose it is gone.  It is finally dropped from the database by a nightly grooming routine.

It is important to understand, though, that none of this removes the user from the data warehouse.  The user object and its relationships to other objects remain in the data warehouse for long-term storage and reporting purposes, so reports that reference the user keep working after the CI has been purged from the CMDB.
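The two delete paths described above, shown from SMLets so you can see the difference between a soft delete (Pending Delete) and a hard delete (-Force). This is an added example, not code from the original post; it assumes SMLets is installed, the session runs on a management server with an SCSM administrator account, and the class/enumeration names Microsoft.AD.User and System.ConfigItem.ObjectStatusEnum.PendingDelete (the standard SCSM names). The Get-SCSMRelationshipObject -ByTarget usage is SMLets' cmdlet as I know it; verify the parameter against your installed version.

```powershell
# Added example (not from the original post): list AD user CIs sitting in
# Pending Delete, show that they still carry relationships, and show both
# delete paths. Assumes SMLets and an SCSM admin session on a management server.
Import-Module SMLets

# The ObjectStatus enumeration value the post refers to (standard SCSM name).
$pendingDelete = Get-SCSMEnumeration -Name 'System.ConfigItem.ObjectStatusEnum.PendingDelete$'
$userClass     = Get-SCSMClass -Name 'Microsoft.AD.User$'

# The SDK still returns Pending Delete CIs; the console's Users view hides them
# only because its criteria excludes that status.
$pending = Get-SCSMObject -Class $userClass |
    Where-Object { $_.ObjectStatus.Name -eq $pendingDelete.Name }

foreach ($user in $pending) {
    # Relationships that point at the user (affected user on an incident, etc.)
    # are still in place at this stage, which is why pickers still show the user.
    $rels = @(Get-SCSMRelationshipObject -ByTarget $user)
    '{0}\{1}: ObjectStatus={2}, {3} relationship(s) still reference it' -f
        $user.Domain, $user.UserName, $user.ObjectStatus.DisplayName, $rels.Count
}

# Soft delete (no -Force): equivalent to the console's Delete task. Only the
# ObjectStatus flips to Pending Delete; relationships and history survive.
# Remove-SCSMObject -SMObject $someUser

# Hard delete (-Force): equivalent to "Remove Item" in the Deleted Items view.
# The CI, its relationships and its history are removed from the CMDB (the
# data warehouse keeps its copy). Review $pending before uncommenting this.
# $pending | ForEach-Object { Remove-SCSMObject -SMObject $_ -Force }
```

Run it first with both Remove-SCSMObject lines commented out. The relationship count is the practical check: a Pending Delete user that is still the affected user on open incidents is usually one you want to reassign before you purge it, because the hard delete silently drops those relationships along with the history.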

Now that we understand the logic for deleting CIs, it is easy to understand what the AD connector does.  If the Run As account used for the AD connector has read access (List Contents and Read Property) on the Deleted Objects container in Active Directory (CN=Deleted Objects at the root of the domain), it can detect that the object has been deleted in Active Directory.  When it determines this, it sets the ObjectStatus property to Pending Delete; it never hard-deletes the CI itself.  From there an administrator can go to the Deleted Items view and permanently delete the user object by clicking 'Remove Items'.  If the Run As account does not have that access, the connector simply never sees the deletion and the user stays Active in the CMDB.
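How to grant that access and confirm it works before relying on the connector, as an added example that is not from the original post. The domain DN and account name are placeholders; dsacls and Get-ADObject are the standard Windows tools (dsacls LCRP = List Contents + Read Property), and the verification step assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example (not from the original post). Two steps an admin wants here:
#  1. grant the connector Run As account read access to CN=Deleted Objects
#  2. confirm, as that account, that tombstoned users are actually visible.
# Placeholder names below; replace with your own domain and account.
$domainDn   = 'DC=contoso,DC=com'
$runAs      = 'CONTOSO\svc-scsm-adconnector'
$deletedObj = "CN=Deleted Objects,$domainDn"

# By default only SYSTEM and Domain Admins can read this container. Take
# ownership once (run as a Domain Admin), then grant the minimum needed:
# LC = List Contents, RP = Read Property. Nothing more is required.
dsacls $deletedObj /takeownership
dsacls $deletedObj /G "${runAs}:LCRP"

# Verification: run this part in a session started as the Run As account, e.g.
#   runas /user:CONTOSO\svc-scsm-adconnector powershell
# If the grant worked, tombstoned users are returned. If the list is empty
# although users were recently deleted, the connector will never flag them.
Import-Module ActiveDirectory
$tombstoned = Get-ADObject -Filter 'objectClass -eq "user" -and isDeleted -eq $true' `
    -IncludeDeletedObjects -Properties sAMAccountName, whenChanged, lastKnownParent

$tombstoned |
    Select-Object Name, sAMAccountName, whenChanged, lastKnownParent |
    Format-Table -AutoSize
```

One caveat worth keeping in mind: a deleted AD object only stays in the Deleted Objects container for the forest's tombstone lifetime (180 days by default on domains created on Windows Server 2003 SP1 or later, 60 days on older ones). If the connector is disabled, failing, or lacks the permission for longer than that, the tombstone is garbage-collected and the CMDB user remains Active indefinitely, so schedule the connector to run well within that window and alert on connector failures.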