Active Directory

The integration of Active Directory (AD) with the ServiceDesk Plus application enables you to import user information from the Active Directory server into the ServiceDesk Plus application. It also lets you schedule user import from AD, sync deleted users from AD, and configure AD authentication.

Role Required: SDAdmin

To configure AD-related settings in non-ESM setups, go to Admin > Users > Active Directory.

Quick Links

Set local authentication password for imported users
Import users
Schedule import for users
Sync deleted users from Active Directory
Configure AD authentication
How to configure Deny-Read permission in AD to remove disabled users
Prerequisites for configuring LDAP SSL

Set local authentication password for imported users

You can set a default local authentication password for users imported through AD. Users can change this password after the first login.

You can enforce users to update the default password after their first login from Security Settings.

To set a local authentication password from the Active Directory configuration page,

Hover over the Local Authentication Password fields and click Edit.
You can choose to generate a random password for every user or set a predefined password for all users.
Click Save.

Ensure that the predefined password meets all requirements of the password policy.

Users will be notified about their password in their login emails. You can configure email notifications for users from Admin > Helpdesk Customizer > Notification Rules > Requests > Send Self-Service Login details.

The local authentication password set for AD imported users is also applicable for users imported from CSV files.

Import Users from Active Directory

You can import users from any of the domains and their subsequent organizational units (OUs) present in the Active Directory. By default, AD users are imported using LDAP protocol and port 389.

Click Import User(s) on the Active Directory configuration page. Use the following pointers to configure the Import From Active Directory window pop-up.

Field Name	Description
Domain Name*	Select the domain to import users from. If you have already provided the domain controller and login credentials for the domain in Windows Domain Scan, the Domain Controller and Login details will be auto-populated on selecting the domain.
Domain Controller*	Specify the domain controller that provides access to resources in that selected domain.
Login Name*	Enter the login name of your user account in the selected domain.
Password*	Enter the password of the above user account.
LDAP SSL	Toggle LDAP SSL option ON to enable secure communication between ServiceDesk Plus and Active Directory via port 636. Ensure your Active Directory supports SSL before enabling this field.
Select fields for import	Select the default user fields to be imported from the Active Directory. Specify the field name configured in the Active Directory beside the selected field to map them accurately. If the user already exists in ServiceDesk Plus, their default field values will be overwritten with the values present in AD. To avoid overwriting of values, unselect the relevant fields during import. If a field value is null in AD, the corresponding field will not be updated in ServiceDesk Plus.
Select UDF for import	If you have configured user additional fields in ServiceDesk Plus, you can select the UDF fields. Specify the field name configured in the Active Directory beside the selected field to map them. If you have not configured any user additional fields, use the Click here to configure link. You will be redirected to User - Additional Field page where you can configure the additional fields to be imported from Active Directory. The numeric additional fields hold up to 19 digits. If your numeric value exceeds 19 digits, then configure the value in text field.
Move associated assets	If the site associated with the user/department is changed in the Active Directory, the assets belonging to the user/department should also be moved to the new site. To update this information on every import, select Move associated assets.
Update empty values	Enable this option to import and update <empty> data from Active Directory. For example, with this option enabled, user data with the First Name : Admin changed to First Name: <empty> in Active Directory will be updated in the application. If this option is disabled, then the First Name: <empty> data will not be updated and old values will be retained.

* Indicates mandatory fields

Click Next.

In the import wizard, you can select the various OUs or enter the group names available in that domain to import users. You can also add users manually.

To select OUs, enable the OU check box. Choose the OUs from which you wish to import users by selecting the checkbox beside them.
To select AD groups, enable the Group check box. Enter the sAMAccountName of group in the text box as comma separated values.

If both OUs and groups are selected, the users present in both the OUs and groups will be imported.

You can import up to 5000 groups from the AD.

Click Import Now. If scheduled AD import is enabled, you can import the users later by selecting Save and Import in Schedule.

The imported users are listed in the users list view under Admin > Users. You can perform further actions on the imported users such as editing the details or associating workstations from the users list view.

Import results notified to SDAdmins via bell notifications:

If the user information is imported immediately, the data on how many records were added, overwritten, or failed to import will be notified.
If the import is scheduled for later, the notification will be sent after the schedule is completed.
Invalid group names will be notified along with the results of the current import and also as a banner during the subsequent import.
If the users are imported by selecting both OUs and groups, the imported users' count will be tracked separately for OUs and groups. For users present in both OU and group, the count will be added twice.
The total user count for both the selected OU and group will be notified.

For scheduled import, the user information imported depends on the type of import schedule configured under Import Schedule.

Domain failure during import will be notified to SDAdmins via bell notifications.

Schedule AD import

You can schedule Active Directory import at regular intervals to keep your user repository in sync with the Active Directory. When you schedule an AD import, data from all domains in the application is imported once every specified number of days. Users and user details from all the domains in the application are synced to ServiceDesk Plus in two ways:

Full Sync - Syncs all user data.
Delta Sync - Syncs the data of updated user details and newly added user accounts once every 30 minutes.

Delta sync will be auto-initiated when full sync is enabled. Ensure that you perform full sync once every 30 days to keep your user details completely updated.

To configure an import schedule,

Hover over Import Schedule fields and click Edit.
Enable the Schedule AD import once in every option and specify the import period.
Specify the date and time to begin the schedule.
Click Save.

User details from domains will be imported periodically as per the number of days specified after the start date and time. The differences in the data will be updated every 30 minutes. You can view the last import time and the next scheduled time in the Import Schedule section.

During delta sync, only user details that failed import will be notified to the SDAdmins via bell notification.

For a seamless AD import, ensure your Service Account has Read All Properties permission for all the OUs and users. The status of the permission can be verified under OrganizationalUnits (or) Users > Properties > Security > Advanced > Effective Access.

The criterion for User Account overwrite in Active Directory User Imports:

While performing a user import from Active Directory,

Criteria 1: ObjectGUID - If the ObjectGUID of a user account in ServiceDesk Plus matches with the user account in Active Directory, the record in ServiceDesk Plus will be overwritten.

Criteria 2: Login name and Domain - If the login name and domain of a user account in ServiceDesk Plus matches with the user account in Active Directory, the record in ServiceDesk Plus will be overwritten.

Criteria 3: Email address - If the 'Override based on EmailId' option is enabled under ESM Directory > Application Settings and if the email address of the user account in ServiceDesk Plus matches with the Active Directory user account, the record in ServiceDesk Plus will be overwritten.

Criteria 4: Login name and domain is '-' (not associated) - If a user account in ServiceDesk Plus contains only a login name with an email address without a domain association and if the login name matches with the Active Directory user account, the record in ServiceDesk Plus will be overwritten.

When a user is imported from AD, the ObjectGUID of the user is used as a unique identifier to update the user details in ServiceDesk Plus. If the 'ObjectGUID' does not match for any user in ServiceDesk Plus,

The 'loginname+domainname' of the user is used as a unique identifier to update the user details in ServiceDesk Plus.
If the 'loginname+domainname' does not match for any user in ServiceDesk, the 'email address' of the user will be used as a unique identifier.
If the email address does not match, then the 'loginname + domain=NULL' ( where loginname is Howard (example) and domain name is NULL) is used as a unique identifier to update user details.

In cases where none of the specified conditions like 'ObjectGUID' , 'loginname+domainname', 'email address','loginname + domain=NULL' are absent in ServiceDesk Plus, a new user will be added.

Sync deleted users from Active Directory  

This option lets you sync the deleted users from Active Directory into ServiceDesk Plus. Syncing of deleted users happens after a manual import.

After the sync is completed, a list of deleted users is displayed. Based on the type of user, you can remove the deleted users from the list as mentioned below:

Requesters - You can enable automatic deletion for non-technicians from the deleted users list. When a requester is deleted from the active directory, the user will be removed from ServiceDesk Plus as well.
Technicians - You can review the deleted technicians from the deleted users list and remove them manually. Automatic deletion is not available for technicians.

To configure syncing of deleted users,

Hover over the Sync Deleted User(s) from Active Directory check box and click Edit.
Choose your deletion method - automatic or manual. Note that even if you select automatic deletion, deleted technicians will not be removed automatically.
You can schedule syncing of deleted users periodically by enabling Schedule delete sync once in every option.
Specify the sync periodicity.
Enter the date and time to begin the syncing of deleted users
Click Save.

After the syncing of deleted users is scheduled, you can view the last imported time and the upcoming schedule time in the Sync Deleted Users section.

If manual delete is enabled, the link to the deleted users list will be displayed as a note on the top of the Active Directory configuration page. Use the links in the note to access and verify the deleted users before removing the deleted users from ServiceDesk Plus.

If sync is disabled for deleted users, the deleted user details from AD will not be synced with ServiceDesk Plus during manual or scheduled import.

Deleted user details will be notified to the SDAdmins through bell notification.

Active Directory Authentication

You can authenticate users login to ServiceDesk Plus via Active Directory. AD-based authentication can be configured in two ways:

Login using AD Credentials:

Facilitate login for users into ServiceDesk Plus using the login name and password of their system.

Hover over Active Directory Authentication fields and click Edit.
Select Enable Active Directory Authentication checkbox.
Click Save.

In the Login screen, the users can specify their system/AD login credentials and select the Domain to log into ServiceDesk Plus. They can also bypass AD authentication during login by selecting Local Authentication from the Domain drop-down and specifying their local authentication credentials.

If a user account is not imported before configuring AD Authentication, the user will be added to ServiceDesk Plus via dynamic user addition if proper login details are entered during authentication. Click here to learn how to enable dynamic addition of users.

If LDAP SSL is enabled for a domain in AD import page, AD authentication will also occur through LDAP SSL.

Allow Single-Sign On (SSO) using AD Credentials:

SSO allows users to instantly access ServiceDesk Plus without providing any login credentials. During login, users are automatically authenticated via an Identity Provider(IdP). You can enable SSO for AD users from SAML by configuring ADFS as the IdP. To learn more, click here.

You can also configure other identity providers such as Okta or OneLogin to enable SSO.

Ensure that the AD users are imported to the IdP before configuring SSO.

ServiceDesk Plus uses Kerberos in port 88 to authenticate protected users groups in AD. Follow one of the pointers below to authenticate AD for protected user groups:

Create a record in your DNS to map your fully qualified domain name (FQDN) of the AD server

[or]

Map the IP address with the corresponding FQDN in the etchosts file in your setup.

How to configure Deny-Read permission in AD to remove disabled users

For security reasons, customers want to remove ServiceDesk Plus users who have been disabled in AD. These users, despite having no domain access, continue to have access through non-AD authentication mechanisms. Currently, we do not have a process to delete these users in one shot, but we can suggest a workaround, as follows:

Step 1: Move the disabled users to a separate OU.

Step 2: Make sure this OU is not selected for import in ServiceDesk Plus/Asset Explorer

Step 3: Configure Deny-read permissions on the OU.

Step 4: Import users to verify the configuration

Let us now look at step 3 in detail.

Organizational units (OUs) in AD enable you to logically group objects such as user accounts, service accounts, or computer accounts. These accounts assigned access permissions to manage the objects in the OUs.

In this document, we will look at how you can configure a full-deny permission for an OU, after you have moved the disabled users into that OU.

Permissions configured for an OU are inherited by its child objects. However, if the child objects are assigned with explicit permissions, the inherited permissions will be overridden. Therefore, the full-deny permission, if applied to the parent OU, may not work for the child objects. In such cases, we may need to remove the explicit permissions.

In AD, the order of priority is as follows:

Let's now see how to configure the Deny-Read permission for an OU so that the disabled users in the OU can be deleted during the Deleted Users Sync or not imported during the AD user import.

Consider the following OU structure for this example:

First to restrict the service account from accessing the Disabled Users OU, right-click the OU and select Properties. Then, go to the Security tab, as shown:

Right-click OU > Properties > Security. Then, select the Full control > Deny check box.

Service account refers to the account configured in ServiceDesk Plus to import users from Active Directory.

If the service account is not listed, click Add to include the account to the account list, as shown below:

Now, the permission will be inherited by the users under the Disabled Users OU, but not its child OUs, Departments or Finance.

For the permissions set for the Disabled Users OU to be automatically inherited by Design and Finance and their user objects, click the Advanced button.

Then, go to Permissions and check the permissions for the service account of Disabled Users.

On the displayed window, you can change the permission type and its scope.

By default, the permission scope is restricted only to the object. Click the Applies to drop-down and select This Object and All Descendant Objects for the permissions to be inherited by the Child OUs and their user objects as well.

You can verify this configuration under the security settings of the specific Child OUs. The following screen shot shows that the configuration has been set for the Design OU:

The time taken to inherit the permissions can vary depending on the number of child OUs under a parent OU.

Now let's see if the deny-read permission will delete the disabled users.

First let's import the users under the Finance and Design OUs. While entering the login name for manual user import, enter the correct login name and DO NOT press enter at the end of the login name.

The Design OU contains user Lisa Arm and Finance OU contains user Howard Stern as shown below:

After the import, we receive the following results:

That is, of the two users, alisa and howard, one of them has been imported. The configuration to delete disabled users has worked successfully for Design OU user, Lisa Arm, but failed with Finance OU user, Howard Stern. The reason why Howard Stern was imported was due to the explicit permissions on the Finance OU.

Now, to remove the explicit permissions, go to Finance > Properties > Security.

Then, find the explicit permissions (authenticated users, in this case) and remove, as shown below:

Note that the users will be deleted only during the next scheduled Deleted Users Sync.

Prerequisites for configuring LDAP SSL

By default, LDAP communications between client and server applications are not encrypted. This leaves the communication between the LDAP client and server computers vulnerable to network monitoring jump devices/software. ServiceDesk Plus employs LDAP SSL to secure the communication between the AD server and ServiceDesk Plus server.

Follow the prerequisites mentioned below to configure LDAP SSL for your AD server:

Ensure the server FQDN (Fully Qualified Domain Name) is accessible from client. Else, add the host entry in the host file in the client machine.
The Active Directory Certificate Services must be installed to use LDAP SSL certificate as explained in this documentation.
Enable your AD server to support LDAP over SSL. Click here to learn how.
The LDAPS certificate imported to AD server in the previous step must be fetched and imported it to the client machine (ServiceDesk Plus server) in Personal folder as explained below:
- Click Start, type mmc, and then click OK.
- Click File and then click Add/Remove Snap-in.
- Click Certificates and then click Add.
- In Certificates snap-in select Computer account and then click Next.
- On the Certificate Store page, right-click Personal > Import certificate, import the LDAP certificate from the copied folder, and provide the password set while creating the certificate.
Import Root CA certificate in Trusted Root Certificate Authority to allow your client machine to trust the imported LDAP certificate. This is vital since imported LDAP certificates will not be trusted due to cross domains, by default.
- Access the CA web console: https://<CA Server>/certsrv and provide Administrator credentials. If the URL is not accessible, install Certificate Enrollment Web Service as explained in this guide.
- In the console, click Download a CA certificate, certificate chain, or CRL.
- On next page click Download CA certificate and save the certificate.
- Import the downloaded CA certificate to the Trusted Root Certificate Authority as explained in the below steps,
  - Click Start, type mmc, and then click OK.
  - Click File and then click Add/Remove Snap-in.
  - Click Certificates and then click Add.
  - In Certificates snap-in select Computer account and then click Next.
  - On the Certificate Store page, right-click Trusted Root Certificate Authority and import the above certificate