Ignoring admin accounts in your CMDB
A lot of folks give their IT staff 2 AD accounts – a regular user account and an admin account. Rather than giving them a single day-to-day account with Zeus privileges, they can use the admin account as and when they want it. Sounds awesome to me.
This can be a bit of a pain, when that user goes to log a Work Item in Service Manager. When you have to select the User in a form, you’ll get two accounts. This can be a pain, as some items may be logged against my admin account, others against my regular account.
This is happening because most people configure the AD Connector to import all users & groups. This means, all of the user accounts & groups from the domain will be imported into Service Manager as Configuration Items.
When we’re picking a user in a form in Service Manager, we’re simply querying the Service Manager database for users – hence I’ll see my admin and regular account.
We can fix this by using the LDAP query rules in the Active Directory connector. Using this, we can choose to ignore the administrative accounts.
In this example, in my organisation, I chose to give all admin accounts an account name which ends with “ _adm”. The users first name & last name is normal, just the logon name ends with this identifier.
Therefore, I want to tell my AD Connector: “Import all Computers, Printers, Groups and Users, but ignore Users which end with _adm”.
To do this, when I setup the AD Connector, I select “Provide LDAP query filters for computers, printers, or user groups (advanced)”.
Here’s the LDAP queries I’ve used:
- Import all Computers: (objectCategory=computer)
- Import all Printers: (objectCategory=printQueue)
- Import all Groups, but only users which don’t end in _adm: (|(objectcategory=group)(&(objectCategory=person)(objectClass=user)(!sAMAccountName=*_adm)))
Now, my admin accounts will not be listed as Configuration Items in Service Manager. Therefore, when I look for a user in a form, I’ll be sure to be assigning it to the correct account.
UPDATE: What if I’ve already got the AD Connector setup?
Since this post, I’ve been asked how to implement this if you’ve already got an AD connector which is importing everything. You just want to delete the Admin accounts.
This is really simple to implement:
- Leave your current AD Connector in place
- Create the New AD Connector, based on the example above
- Wait for the new AD Connector to Sync successfully
- Delete the original connector
At this point, the Configuration Items which you don’t want imported will be deleted. Please do test this first – you want that LDAP rule to work for you, before you start deleting things!