System Center Service Manager:Active Directory Connector

The System Center Service Manager:Active Directory Connector is a built in System Center Service Manager:System Center Service Manager connector that enables User and Groups: Users and Groups sync from Authentication:Active Directory. This enables systems administrators to map Active Directory Users and groups to built in and custom System Center groups.

The following groups are built into System Center Service manager:

1. Activity Implementers: Can read, create, and update activities.
2. Administrators: Have full permissions, including creating, updating, and deleting configuration items and other records.
3. Advanced Operators: Can read, create, and update configuration items, but cannot delete them.
4. Change Initiators: Can create and manage change requests.
5. End Users: Typically have read-only access to self-service features and can submit requests.
6. Read-Only Operators: Have read-only access to most areas.
7. Authors: Can create and manage knowledge articles and other documentation.
8. Problem Analysts: Focus on managing problem records.
9. Workflows: Automate processes and may have broad read/write permissions depending on workflow needs.
10. Incident Resolvers: Manage incident records.
11. Change Managers: Oversee change management processes.
12. Report Users: Access and run reports (available after registering with the data warehouse).
13. Release Managers: Handle release management.
14. Service Request Analysts: Manage service requests.

You can learn more about groups via Microsoft's website: Manage Service Manager user roles and User role profiles in System Center - Service Manager if you require additional implementation instruction outside of my use case and scope.

Follow the instructions listed below to configure a working instance of the System Center Service Manager Active Directory connector:

1. Open the Service Manager console as a domain administrator. Navigate to the Administration Tab, Click Connectors, then click Create connector and select the Active Directory Connector. The Active Directory Connector Wizard should launch.
   1. On the Before You Begin tab, click Next
   2. On the General page, give your connector a name, description, and ensure the connector is enabled. In my case, I am using "Internal Active Directory Connector" as both the name and description.
   3. On the Domain or Organizational Unit page, Choose to sync the entire domain or an OU. Multiple Active Directory connectors can be used to sync only specific OUs. I cannot justify this in my environment, but you might. In my case, I am choosing to sync the entire directory. I will be managing this through Active Directory Users and Computers, anyway. Finally, choose the Run As Account. In my case, I am using the Operational Database Account which is Users and Groups:svc_servicemanager. Click Next when you are finished and there is a successful connection to Active Directory.
   4. On the Select Objects screen, I am choosing to import All computers, printers, users and user groups. Additionally, I checked "Do not write null values for properties that are not set in Active Directory". Once done, click Next.
   5. On the Schedule tab, you must choose a time when an automatic Active Directory sync is performed. I choose to sync everyday at 5:00PM so new users are synced before backups kick off. Click next once finished.
   6. On the Summary tab, review your configuration. If it is accurate, click Create.
   7. The wizard will let you know the Active Directory connector was Successfully created. Click Close.

Perform Initial Active Directory Sync

1. On the Connectors tab, under Administration, click your Active Directory connector, then in the sidebar click Sync Now. It may take a while but if you occasionally press the Refresh button, a percentage of progress should be displayed. When this process is finished, the Status should read "Finished Success".

It maybe worth noting that Authentication: Active Directory is a much more robust reference on the internal workings of Active Directory. Since group mappings are key to Service Manager, it is worth mentioning them here.

Each department has its own corresponding Active Directory group followed by a job title that is populated with user objects as well as "Member Of" nested groups. The two that are relevant to this documentation are Users and Groups:dp_it_noc and Users and Groups:dp_it_systemsadministrators. This way, everyone within a department with a certain job title receives the same amount of permission as their peers with the same title. This helps to combat security misconfigurations and configuration decay. This system is known as "Role-Based Access Control" or "RBAC". You may read more about this concept on Microsoft's article Implementing Least-Privilege Administrative Models.

The following table shows how Active Directory security groups are mapped to Active Directory department groups, which are then mapped to SCSM user roles:

This enables standard IT user accounts (example: sysadminafterdark or mandolinsara), members of Users and Groups:dp_it_noc, to have just enough permissions to process their tickets and write knowledgebase articles. When a server configuration must be changed, an administrator account (example: adminafterdark), a member of Users and Groups:dp_it_systemsadministrators must launch the Service Manager Console as an administrator to gain access to the Administration tab within the application and perform organization level changes.

This configuration was deployed into sysadminafterdark production and confirmed to be a working configuration. Further group permission tweaks may need to be made in the future and will be recorded here.