Improving the SCSM 2012 Active Directory connector performance with LDAP filters

Apr 14 2014

Thanks to Kathleen Wilson for her input and review.

The Challenge

The SCSM Connector performs best when you limit the import to relevant data only (actual users, groups and computers you intend to use in SCSM processes).

The question is how do you achieve this level of filtering in SCSM?

The Solution

In my research for connector improvement I decided to take the process approach to resolve this challenge. The approach is as follows:

  1. Research the AD attributes available for filtering
  2. Validate the filter in Active Directory Users and Computers using Saved Queries. Following the principle of checking how big the problem is before investing in the solution
  3. Create the SCSM AD Connector with a tested filter in a test SCSM environment
  4. Create the connector in the Production SCSM environment (disabled existing connector)
  5. Delete existing unfiltered connector after confirming successful synchronization.

The attached Spreadsheet (ADAttributesSCSMFilters) contains the attributes you can use as filters.


Below is a Sample of filtering the connector using the attributes from Active Directory.

The Syntax for the filter is listed below:

Users and Groups

Comment: Users and Groups= group must be Mail enabled and Users= Not Disabled and Mail enabled (must have an email address)

(|( & (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (objectCategory=User) (objectClass=User) (mail=*) ) ( & (objectClass=Group) (mail=*) ))


Comment: Computers= Not Disabled


You must combined the User and Group filter as the wizard in SCSM does not provide you with the option to separate users from groups.

Additionally groups add no value unless they are mail enabled and, you will typically use the groups in notifications.


The benefit of this filter is you only import users that participate in Service manager (End Users, Analysts and Managers – email is the means to communicate). Groups have no real value unless they are mail enabled. You can send notification to a mail enable group for the Assigned To analysts.

Reduced load on the connector; in a customer case we reduced the imported users and groups by 45% and saw significant improvements in how long the connector took to complete.

Users and Groups Syntax breakdown

( - > Opening filter parenthesis for the filter

| -> Or operator between the Group attribute evaluation and user evaluation

( – > Opening filter parenthesis for the user attributes

&  -> And operator to evaluate the user attribute condition

(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (objectCategory=User) (objectClass=User) (mail=*)

) - > Closing filter parenthesis for the user attributes

(- > Opening filter parenthesis for the group attributes

&And operator to evaluate the group attribute condition

(objectClass=Group) (mail=*)

) - > Closing filter parenthesis for the group attributes

) - > Closing filter parenthesis for the filter

Useful links and Background

Continue Reading »

No responses yet

On the Cloud Tour with the MVPs

Nov 09 2013

I have been invited to join a team of MVPs to present at a number of road show events in November 2013. The session I will be delivering is the System Center Integrated track. The first session will be at the Microsoft Head Office in Reading.  You can find out more about this event here

I will be at the following UK venues Reading, Cardiff, Birmingham, Hemel Hampstead and London.

  • System Center Integrated Track: Showing how System Center can work together with Integration and Processes

    The journey starts from the business end user service catalog design, to the configuration of Service Manager Self Service Portal catalog components, and ends with automatically servicing requests from the portal. Standardize real world business processes, personalize Service Manager and automate with SCO 2012.The new world of the cloud changes the way IT is consumed. Start the end user’s journey to the private cloud today.

No responses yet

Get your System Center recipes here

Sep 20 2013

It has been a while since my last blog post. Has it?

I have been in the authoring kitchen, cooking up the System Center Service Manager and Orchestrator recipes. Recipes ready for you are available here:

System Center 2012 Service Manager Cookbook

System Center 2012 Orchestrator Cookbook

As the lead author and content designer, I have one guiding principle, “take you the reader from “Zero to I need more”. Use these books as an aid to your journey and remember the System Center destination is dynamic (all roads eventually lead you to the cloud)

No responses yet

Summit13 London May 9th SCCM Private Cloud and Self-service

May 03 2013

Speakers: Samuel Erskine Syliance IT Services and Steve Beaumont  Trustmarque

Click here for details at the Trustmarque event site


No responses yet

New SCSM 2012 Recipes from Top of Europe

Oct 27 2012

A book with practical tips and task steps brought to you from the European crew:

Visit the Packt Publishing site for great deals on the book and other titles and also on Amazon:  System Center 2012 Service Manager Cookbook




No responses yet

Creating a User Classification Field Using the Authoring Tool

Jul 20 2012

No responses yet

Removing the Sample Incident Management Configuration – Support Tiers 1, 2, 3

Jul 20 2012

No responses yet

SCSM Console Cumulative updates management using SCCM 2007

Dec 10 2011

SCSM cumulative updates often require all management consoles to be updated once the infrastructure servers are updated. If you have a large amount of consoles this can be tedious.

See my previous post for infrastructure upgrade steps:

Continue Reading »

No responses yet

Upgrading SCSM 2010 SP1 to CU3

Dec 10 2011

· Disable all connectors on the SCSM management server (CMDB)

· Create an Encryption key backup for all Management servers

· Backup all SCSM databases and the SSRS databases

· Backup all management packs

· Backup all DLLs for the custom MPs (e.g. Exchange connector)

· Install CU on DW

· Install CU on SCSM CMDB server and all secondary management servers

· Enable all Connectors

· Install CU on all consoles in use

· Install the Authoring Tool update on all systems with the Authoring tool installed on

Continue Reading »

One response so far

SCSM Framework To Real Work Part IV-> AV Exclusions

Jun 22 2011

An area often overlooked during deployment of infrastructure applications is, exclusions from real-time scanning engines.

Below is the list of files and directories recommended for exclusion for SCSM (based on Forefront Protection)

Service Manager 2010 Files and Folders
%ProgramFiles%\Microsoft System Center\Service Manager 2010\Health Service State\*

Service Manager 2010 Processes
%programfiles%\Microsoft System Center\Service Manager 2010\HealthService.exe
%programfiles%\Microsoft System Center\Service Manager 2010\Microsoft.Mom.ConfigServiceHost.exe
%programfiles%\Microsoft System Center\Service Manager 2010\MonitoringHost.exe
%programfiles%\Microsoft System Center\Service Manager 2010\Microsoft.Mom.Sdk.ServiceHost.exe

2 responses so far

Older posts »