SCSM Active Directory Connector optimization

Often customers setup Active Directory connectors to import all objects from the root of the Domain. This means that all users (enabled and disabled), groups and computer objects are imported.

First thing to consider about the AD Connector is to determine whether we need all objects in the CMDB.

Lets start with the computers: If you're also using the Configuration Manager connector, there really isn't a need for the AD connector to import all computers, as it only means SCSM needs to import, merge and maintain two sources. All relevant information about the computers are delivered by the SCCM connector. I therefore often recommend my customers not to import computers via the AD Connector. There could of course be examples where the AD connector needs to import computers from AD.

Next up are the AD Groups: Groups are often not used in SCSM as they don't contain membership and often WIs are assigned to support groups and then to individual user accounts. What I recommend my customer is not to import all AD groups and only import the relevant ones, if any.

Last and final are the User accounts: The AD connector imports all users in a domain, regardless enabled or disabled. Also if the customer has contacts in AD that are created as Domain users, these are imported as well. If is therefore very important to consider which OUs to import and also whether or not to import both Enabled and Disabled users.

What I typically do, depending on the customers OU structure, is create separate AD connectors to avoid populating the CMDB with unneeded data.

Note: Create a different run as account for each connector. This will create a separate Monitoringhost.exe process on the workflow management server for each connector when it runs. This makes it easier to see which connector is currently running and how much memory/CPU it is consuming. It also makes it easier to isolate that one process from other workflows/connectors so that it can be terminated without affecting other workflows/connectors running.

When configuring a connector to only import user accounts that are enabled, you need to use LDAP filters that were introduced in SCSM2012.

Create the Connector and at the Select Objects option, select 'Users or User Groups' and insert the following LDAP query:

(&(ObjectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Note: Unless needed for a purpose, always select the option ‘Do not write null values for properties not set in Active Directory’. Using this setting ensures the connectors do not update the same attributes, despite being null.

This will only import the User accounts that are Enabled.

When looking in the CMDB with SQL Management studio, you can identify which user is imported with what AD Connector.

Select * from LFXSTG.AD_User Where

Username = '<Username>'

This will return the source of the specific user, in this example 3 different connectors - (before the cleanup of duplicate connectors)

If you then run the SQL Query:

Select * from LFX.Datasource

You will get a list of connectors where the Datasource ID equals the LFX_SourceID from the previus query.

Setting up the connectors to only import relevant data, helps you keep an optimized and relevant CMDB.

Remember that Service Manager is not a laundrymat, dirty data doesn't get cleaned when imported :-)