Thanks to Kathleen Wilson for her input and review.

The Challenge

The SCSM Active Directory connector performs best when you limit the import to relevant data only: the users, groups and computers you actually intend to use in SCSM processes.

The question is how to achieve this level of filtering in SCSM.

The Solution

While researching connector improvements I decided to take a process approach to this challenge. The approach is as follows:

  1. Research the AD attributes available for filtering.
  2. Validate the filter in Active Directory Users and Computers using Saved Queries, following the principle of checking how big the problem is before investing in the solution.
  3. Create the SCSM AD connector with the tested filter in a test SCSM environment.
  4. Create the connector in the production SCSM environment, with the existing connector disabled.
  5. Delete the existing unfiltered connector after confirming a successful synchronization.

The attached spreadsheet (ADAttributesSCSMFilters) lists the attributes you can use as filters.

Syntax

Below is a sample of filtering the connector on attributes from Active Directory. The syntax for each filter is listed below.

Users and Groups

Comment: a group must be mail-enabled; a user must be enabled (not disabled) and mail-enabled (must have an email address).

(|(&(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(objectCategory=User)(objectClass=User)(mail=*))(&(objectClass=Group)(mail=*)))

The filter is written here without whitespace, which is the form to paste into the connector: RFC 4515 LDAP filters allow no whitespace between parentheses and operators, and the wizard does not accept line breaks. The `:1.2.840.113556.1.4.803:=2` part is the bitwise AND matching rule (LDAP_MATCHING_RULE_BIT_AND) tested against the ACCOUNTDISABLE bit (0x2) of userAccountControl, so `(!(...))` keeps only enabled accounts.

Computers

Comment: computers must not be disabled.

(!(UserAccountControl:1.2.840.113556.1.4.803:=2))

You must combine the user and group filters, as the wizard in SCSM does not provide an option to separate users from groups.

Additionally, groups add no value unless they are mail-enabled, since you will typically use groups in notifications.

Benefits

The benefit of this filter is that you only import users who participate in Service Manager (end users, analysts and managers; email is the means of communication). Groups have no real value unless they are mail-enabled; you can send notifications to a mail-enabled group for the Assigned To analysts.

Reduced load on the connector: in one customer case we reduced the imported users and groups by 45% and saw a significant improvement in how long the connector took to complete.

Users and Groups Syntax breakdown

( -> opening parenthesis of the whole filter

| -> OR operator between the user evaluation and the group evaluation

( -> opening parenthesis of the user attributes

& -> AND operator: every user condition that follows must hold

(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (objectCategory=User) (objectClass=User) (mail=*) -> not disabled (ACCOUNTDISABLE bit 0x2 not set, via the bitwise AND matching rule), object category user, object class user, has a mail attribute

) -> closing parenthesis of the user attributes

( -> opening parenthesis of the group attributes

& -> AND operator: every group condition that follows must hold

(objectClass=Group) (mail=*) -> object class group, has a mail attribute

) -> closing parenthesis of the group attributes

) -> closing parenthesis of the whole filter
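As an added example, not code from the original post, the script below parses the two filters above, normalizes line breaks and whitespace out of them (the same clean-up the closing note about Notepad++ describes), and evaluates them against a small constructed set of AD-like objects, so you can preview what the connector would import before building it. The directory entries, account names and mail addresses are constructed for illustration; objectCategory is modelled as the category's class name ("person", "group", "computer") rather than the schema DN, mirroring how AD resolves objectCategory=User to CN=Person. It also shows why the user filter needs both objectCategory and objectClass: computer objects are objectClass=user too, and only the category check keeps them out.

```python
"""Parse an SCSM-connector-style LDAP filter and evaluate it against constructed entries."""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: true when every bit of n is set
# AD resolves objectCategory=<class> to that class's defaultObjectCategory (user -> CN=Person); entries
# below store the category's class name ("person", "group", "computer") instead of the schema DN.
DEFAULT_OBJECT_CATEGORY = {"user": "person"}

USER_GROUP_FILTER = """(|
  (&(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(objectCategory=User)(objectClass=User)(mail=*))
  (&(objectClass=Group)(mail=*)))"""
COMPUTER_FILTER = "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"


def normalize(filter_text):
    """Drop line breaks and whitespace around parentheses (RFC 4515 permits none there)."""
    return re.sub(r"\s*([()])\s*", r"\1", filter_text.strip())


def parse(filter_text):
    """Tree of ('&', [..]), ('|', [..]), ('!', node), ('present', a), ('eq', a, v), ('bitand', a, int)."""
    text = normalize(filter_text)
    node, pos = _parse_at(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing text after filter: {text[pos:]!r}")
    return node


def _parse_at(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|"):
        children, pos = [], pos + 1
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_at(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, pos = _parse_at(text, pos + 1)
        node = ("!", child)
    else:
        end = text.find(")", pos)
        if end < 0:
            raise ValueError(f"unterminated item at offset {pos}")
        attr, _, value = text[pos:end].partition("=")
        pos = end
        if ":" in attr:                               # extensible match: attr:ruleOID:=value
            attr, rule = attr.rstrip(":").split(":", 1)
            if rule != BIT_AND_RULE:
                raise ValueError(f"unsupported matching rule {rule}")
            node = ("bitand", attr.lower(), int(value))
        elif value == "*":
            node = ("present", attr.lower())
        else:
            node = ("eq", attr.lower(), value.lower())
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (lower-case attribute -> list of string values).
    An absent attribute makes an item false, so (!(item)) on it is true, as in LDAP."""
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    attr, values = node[1], [v.lower() for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "eq":
        wanted = DEFAULT_OBJECT_CATEGORY.get(node[2], node[2]) if attr == "objectcategory" else node[2]
        return wanted in values
    return any(int(v) & node[2] == node[2] for v in values)      # bitand


def entry(name, classes, category, uac=None, mail=None):
    """Constructed AD-like entry; objectClass is multi-valued as in AD (computer derives from user)."""
    attrs = {"samaccountname": [name], "objectclass": classes, "objectcategory": [category],
             "useraccountcontrol": [None if uac is None else str(uac)], "mail": [mail]}
    return {k: v for k, v in attrs.items() if v[0] is not None}


USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE_DIRECTORY = [                                    # constructed sample, not real directory data
    entry("alice", USER, "person", uac=512, mail="alice@example.com"),        # NORMAL_ACCOUNT
    entry("bob", USER, "person", uac=514, mail="bob@example.com"),            # 512 | ACCOUNTDISABLE (2)
    entry("svc-backup", USER, "person", uac=66048),                           # enabled, no mailbox
    entry("helpdesk", ["top", "group"], "group", mail="helpdesk@example.com"),
    entry("domain-admins", ["top", "group"], "group"),                        # not mail-enabled
    entry("ws01", USER + ["computer"], "computer", uac=4096, mail="ws01@example.com"),
    entry("ws02", USER + ["computer"], "computer", uac=4098),                 # disabled workstation
]


def computers_only(entries):  # the connector's Computers scope holds only computer objects
    return [e for e in entries if "computer" in [c.lower() for c in e["objectclass"]]]


def apply_filter(filter_text, entries):
    """sAMAccountNames the filter lets through, in directory order: the 'how big is the problem' check."""
    tree = parse(filter_text)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]
```

Calling apply_filter(USER_GROUP_FILTER, SAMPLE_DIRECTORY) keeps only alice and helpdesk: bob is disabled, svc-backup and domain-admins have no mail, and the workstations fail the objectCategory test even though they carry objectClass=user. apply_filter(COMPUTER_FILTER, computers_only(SAMPLE_DIRECTORY)) keeps ws01 and drops the disabled ws02. Against a real domain, run the same two filters as Saved Queries in Active Directory Users and Computers and compare the counts with an unfiltered query, as step 2 of the process above suggests.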

Useful links and Background

Rob Davies:

http://blogs.technet.com/b/robdavies/archive/2012/08/02/ignoring-admin-accounts-in-your-cmdb.aspx

Dieter Gasser:

http://blog.dietergasser.com/2013/03/15/excluding-disabled-users-from-ad-connector/

Thomas Ellermann:

http://blogs.technet.com/b/thomase/archive/2013/04/08/scsm-active-directory-connector-optimization.aspx

Note: when constructing the query it is easier to read with line breaks, but the syntax cannot contain line breaks when you create the connector. A simple way to remove them is Notepad++ (Edit menu -> Blank Operations -> Remove Unnecessary Blank and EOL); remove the spaces around the parentheses and operators at the same time, since a strict LDAP filter contains none.

Improving the SCSM 2012 Active Directory connector performance with LDAP filters