My AD Connector Won’t Delete AD Deleted Items


In SCSM, when a Configuration Item that was discovered by a connector is deleted, it should be marked as Deleted and moved to Deleted Items under the Administration wunderbar. This only happens once every connector that has discovered that object reports it as deleted. For example, if my SCOM, SCCM, and Active Directory CI connectors all discover a computer object, then all three of those connectors have to tell SCSM that it is deleted before it is marked as deleted and moved to the Deleted Items view. Sounds pretty straightforward, right?

Well… Except for the AD Connector.

Our documentation on configuring the AD connector has you define a Run As Account “that has rights to read from AD DS”. What we usually do is define a Domain User account here (most customers use the SCSM Service account) and the AD connector runs just fine. This is because a Domain User account has enough permissions to read from AD.

The issue shows up when we delete an object in AD. The object is moved to the AD Recycle Bin (the Deleted Objects container), which a Domain User cannot read by default. The SCSM AD Connector is therefore never able to determine that the object has been deleted, and it stays in SCSM as if nothing had changed.

What we need to do is to grant the Run As account we specified in the connector rights to read the Active Directory Recycle Bin:

https://technet.microsoft.com/en-us/library/dd392260(v=ws.10).aspx#BKMK_3

and

https://technet.microsoft.com/en-us/library/cc816824(WS.10).aspx

While logged into a Domain Controller in my lab with a Domain Admin account, I run the following command to grant my Run As account (scsm-service) the rights to view the AD Recycle Bin’s contents (LC = List Contents, RP = Read Property):

dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G CONTOSO\scsm-service:LCRP

Now synchronize your AD connector and you will see that items that are in the AD Recycle Bin will be moved to Deleted Items, or in some cases, deleted entirely.

Also, don’t run your AD Connector with a Domain Admin specified as the Run As account to get around this issue.
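To confirm the grant actually took, and that the Run As account stays a plain Domain User, here is an added verification script. It is not part of the original post or of SCSM; it assumes RSAT’s ActiveDirectory module is available on the DC and that $runAs is edited to match your connector’s Run As account.

```powershell
# Added verification script, not from the original post. Assumes the RSAT
# ActiveDirectory module and that $runAs matches the connector's Run As account.
Import-Module ActiveDirectory

$runAs            = 'CONTOSO\scsm-service'              # placeholder, edit for your domain
$samAccountName   = $runAs.Split('\')[-1]
$domainDn         = (Get-ADDomain).DistinguishedName     # e.g. DC=Contoso,DC=com
$deletedObjectsDn = "CN=Deleted Objects,$domainDn"

# 1. Read the container's security descriptor (the container is itself a deleted
#    object, so -IncludeDeletedObjects is required) and look for the Allow ACE
#    that "dsacls ... /G ...:LCRP" adds: ListChildren (LC) plus ReadProperty (RP).
$needed = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'
$sd  = (Get-ADObject -Identity $deletedObjectsDn -IncludeDeletedObjects `
            -Properties nTSecurityDescriptor).nTSecurityDescriptor
$ace = $sd.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $runAs -and
    (($_.ActiveDirectoryRights -band $needed) -eq $needed)
}
if ($ace) { "OK: $runAs has $($ace.ActiveDirectoryRights) on $deletedObjectsDn" }
else      { "MISSING: no LC+RP Allow ACE for $runAs on $deletedObjectsDn" }

# 2. Functional test: enumerate tombstoned computer objects as the Run As account.
#    Without LC+RP this query returns nothing rather than an error, which is why
#    the connector silently keeps the CI alive; after the grant it lists them.
$cred    = Get-Credential -UserName $runAs -Message 'Run As account password'
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' `
               -IncludeDeletedObjects -Credential $cred -Properties whenChanged
"$($deleted.Count) deleted computer object(s) visible to $runAs"
$deleted | Select-Object Name, whenChanged | Format-Table -AutoSize

# 3. Least privilege: the account should read the Recycle Bin, not be a Domain Admin
#    (direct group membership only; nested membership is not expanded here).
$groups = (Get-ADPrincipalGroupMembership -Identity $samAccountName).Name
if ($groups -contains 'Domain Admins') { "WARNING: $runAs is a member of Domain Admins" }
```

Run it on a DC after the dsacls grant and again after a test deletion; step 2 should list the object you just deleted before you synchronize the connector.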