One of the big advantages of using Service Manager as your Configuration Management Database (CMDB) is the connector framework. With the connector framework you can establish out-of-the-box connections to your infrastructure (Active Directory) and to the other System Center components: Configuration Manager, Operations Manager and Virtual Machine Manager. This lets you gather and centrally store all relevant information in a single place, which forms the basis for your IT Service Management (ITSM) processes.
One of the major challenges of a CMDB is keeping the information it contains up to date and accurate. Here too the connector framework plays an important role, by (automatically) updating Configuration Items (CIs) from the different sources behind each connector.
A while ago Travis Wright (who else…) wrote a blog post about what happens to CIs in the CMDB when the corresponding objects are deleted from Active Directory, and which permissions the run-as account used by the AD connector requires.
In this post I’ll walk through how to configure the proper rights for the run-as account used by the AD connector.
1. Log on with a user account that is a member of the Domain Admins group, either on a Windows Server 2008 or later Domain Controller or on a Windows 8.x client with the Active Directory administrative tools installed.
2. Open a command prompt (CMD) with elevated administrative rights.
3. At the command prompt, type a command similar to the following example to take ownership of the deleted objects container:
dsacls "CN=Deleted Objects,DC=buildingclouds,DC=lan" /takeownership
o When you type this command, use the distinguished name of the deleted objects container for your own domain.
o Each domain in the forest has its own deleted objects container, so repeat this for every domain the connector reads from.
4. To grant a security principal permission to view the objects in the deleted objects container, type a command similar to the following example:
dsacls "CN=Deleted Objects,DC=buildingclouds,DC=lan" /g buildingclouds\svc_sm_ca_ad:LCRP
Note: In this example, the user "buildingclouds\svc_sm_ca_ad" has been granted List Contents (LC) and Read Property (RP) permissions on the deleted objects container in the "BUILDINGCLOUDS" domain. These permissions let the user view the contents of the deleted objects container, but do not let the user make any changes to objects in the container. They are equivalent to the default permissions granted to the Administrators group. By default, only the System account has permission to modify objects in the deleted objects container.
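The four steps above as a single PowerShell script, with the checks a practitioner would want afterwards: that the ACE for the run-as account actually landed on the container, and that the account can read the tombstones. This is an added example, not code from the original post or from Service Manager; it assumes it runs elevated as a Domain Admin on a machine with the ActiveDirectory module and dsacls.exe available, and it reuses the post's sample account name "buildingclouds\svc_sm_ca_ad", which you would replace with your own run-as account.

```powershell
# Added example (not from the original post): grant the Service Manager AD connector
# run-as account List Contents + Read Property on the Deleted Objects container, then verify.
# Assumptions: elevated session as a Domain Admin on a DC or an RSAT machine with the
# ActiveDirectory module and dsacls.exe; the account below is the post's sample account.
Import-Module ActiveDirectory

$runAsAccount = 'buildingclouds\svc_sm_ca_ad'   # connector run-as account (sample value)

# Derive the container DN instead of hard-coding it: every domain has its own container.
$domain    = Get-ADDomain
$deletedDn = $domain.DeletedObjectsContainer    # e.g. CN=Deleted Objects,DC=buildingclouds,DC=lan
Write-Host "Deleted Objects container: $deletedDn"

# Step 3: take ownership so the ACL can be edited (by default only SYSTEM may change it).
dsacls $deletedDn /takeownership | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed with exit code $LASTEXITCODE" }

# Step 4: grant LC (List Contents) and RP (Read Property) only; no write rights are added.
# ${...} stops PowerShell from parsing "$runAsAccount:LCRP" as a drive-qualified variable.
dsacls $deletedDn /g "${runAsAccount}:LCRP" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /g failed with exit code $LASTEXITCODE" }

# Check 1: an ACE for the account must now appear in the container's ACL.
$aclText = dsacls $deletedDn
$ace = $aclText | Select-String -SimpleMatch -Pattern $runAsAccount
if (-not $ace) { throw "No ACE for $runAsAccount found on $deletedDn" }
$ace | ForEach-Object { Write-Host "ACE: $($_.Line.Trim())" }

# Check 2: as the run-as account, the tombstones must be readable (the connector's need).
# Prompts for the service account's password; nothing is stored in the script.
$cred = Get-Credential -UserName $runAsAccount -Message 'Run-as account password (read test only)'
$tombstones = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                -SearchBase $deletedDn -Credential $cred -ErrorAction Stop
Write-Host ("Run-as account can see {0} deleted object(s)" -f @($tombstones).Count)
```

The second check is the one that matters for the CMDB: if it throws an access error, the connector will never see the tombstones and deleted users, groups and printers will stay in the CMDB as live CIs. Run the script once per domain the connector is configured for.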
To validate that deleting CIs from the CMDB works as described, I deleted some AD objects.
After syncing the Active Directory connector I found two objects in the Deleted Items pane, which correspond to the objects deleted earlier in AD.
Whereas AD User, Group and Printer objects are listed in Deleted Items, AD Computer objects are deleted directly from the Service Manager CMDB. It is important to understand, though, that this process does not remove the user from the data warehouse: the user object and its relationships to other objects remain in the data warehouse for long-term storage and reporting purposes.
By default, a run-as AD user account set up with least administrative rights is not granted List Contents and Read Property permissions on the deleted objects container, and those permissions are required to keep your CMDB accurate.