Thanks to Kathleen Wilson for her input and review.
The SCSM Connector performs best when you limit the import to relevant data only (actual users, groups and computers you intend to use in SCSM processes).
The question is how do you achieve this level of filtering in SCSM?
In my research for connector improvement I decided to take the process approach to resolve this challenge. The approach is as follows:
- Research the AD attributes available for filtering
- Validate the filter in Active Directory Users and Computers using Saved Queries. Following the principle of checking how big the problem is before investing in the solution
- Create the SCSM AD Connector with a tested filter in a test SCSM environment
- Create the connector in the Production SCSM environment (disabled existing connector)
- Delete existing unfiltered connector after confirming successful synchronization.
The attached Spreadsheet (ADAttributesSCSMFilters) contains the attributes you can use as filters.
Below is a Sample of filtering the connector using the attributes from Active Directory.
The Syntax for the filter is listed below:
Users and Groups
Comment: Users and Groups= group must be Mail enabled and Users= Not Disabled and Mail enabled (must have an email address)
(|( & (!(UserAccountControl:1.2.840.113518.104.22.1683:=2)) (objectCategory=User) (objectClass=User) (mail=*) ) ( & (objectClass=Group) (mail=*) ))
Comment: Computers= Not Disabled
You must combined the User and Group filter as the wizard in SCSM does not provide you with the option to separate users from groups.
Additionally groups add no value unless they are mail enabled and, you will typically use the groups in notifications.
The benefit of this filter is you only import users that participate in Service manager (End Users, Analysts and Managers – email is the means to communicate). Groups have no real value unless they are mail enabled. You can send notification to a mail enable group for the Assigned To analysts.
Reduced load on the connector; in a customer case we reduced the imported users and groups by 45% and saw significant improvements in how long the connector took to complete.
Users and Groups Syntax breakdown
( - > Opening filter parenthesis for the filter
| -> Or operator between the Group attribute evaluation and user evaluation
( – > Opening filter parenthesis for the user attributes
& -> And operator to evaluate the user attribute condition
(!(UserAccountControl:1.2.840.113522.214.171.1243:=2)) (objectCategory=User) (objectClass=User) (mail=*)
) - > Closing filter parenthesis for the user attributes
(- > Opening filter parenthesis for the group attributes
& – And operator to evaluate the group attribute condition
) - > Closing filter parenthesis for the group attributes
) - > Closing filter parenthesis for the filter