- My View
If assignment group or approval group users or a cell/field (e.g. manager) is empty in AD then the sync does not pull across to SNOW. If 1 user is removed and there are remaining members then the sync seems to work okay.
Known issues to date:
Manager field not updating correctly - suspected that this issue only occurs if field is left blank.
Removing all users in assignment group does not empty the members column of assignment group in SNOW. If 1 user removed seems to remove okay in SNOW
Indicators are moving towards null values causing the issues.
Can anyone please help me in this?
Not sure what you mean by "assignment group or approval group users" in AD - are you referring to a specific AD group? Or is this a group already imported and used for approvals but is to be amended by updates in AD?
This is simply just the normal group in SNOW which is getting synced with AD, just as the users do.
1.) If a group is created in AD then in the next import in SNOW the group should get created in SNOW - working fine in SNOW.
2.) If any user is added to the group in AD then that user must get added to the same group in SNOW as well - working fine in SNOW.
3.) If all the user are been removed from the group in AD, then this should happen in SNOW also - but it is not working in SNOW as of today.
Okay, so sounds like some recent change is preventing group removals. I take it things were working fine in the past?
No Dave. The 3rd point I explained above has never worked.
E.g. Suppose there are 40 users in a group in AD. If we remove five from them then those 5 are removed from SNOW also and can be seen removed in the next import with AD. But if we try to remove all the users at once from the AD group then it doesn't works. Neither of the users gets removed from the group in SNOW.
Okay - I misinterpreted "but it is not working in SNOW as of today" to mean it used to work and now doesn't... rather than it never did. But from your last comment, it looks like some functionality is working, just not completely.
As a matter of interest - what happens if you remove 39 of the 40 users from the group... does that work? Just curious to know if it's a limitation on the amount of changes, or if an empty AD group is signifying that no work is needed (therefore the actual deletion operations are skipped)
If we remove 39 users out of 40 in AD the same happens in SNOW as well. The same 39 users gets removed from SNOW.
The issue is if we try to remove all the user or in other words, if we try to remove the last existing user from a group that users doesn't gets removed from the group in SNOW. As a result, we can say that the members section in SNOW doesn't gets emptied with respect to AD.
Please let me know for further information.
Okay... that does indeed sound like a bug.
I'd recommend raising a PRB through Hi so that it can be tested and verified.
Thank you so much for your help.
Also, just FYI the same happens with the normal user import. In AD if for a user's account a manager field is emptied then, as per the condition the same should happen in SNOW as well. The manager field in user's SNOW account must get emptied. But this also doesn't happens.
I guess servicenow is ignoring empty fields from AD.
It certainly seems to be that way.
I'm going to flag this up with a couple of our integrations people, see if they can replicate the issue to lend more test data to the problem definition.
Thanks Dave. that would be a great help to me.
Can you please an update on this?
You can use the Script for the validation while importing the data from LDAP in the transform script. and you an also try to set the value blank if that Manger info is not getting imported as it will serve your purpose.
Sorry - I had a conversation with someone at our conference, but can't remember how far the discussion went.
I'll reopen the question again, see if they can come back with more details.