Microsoft Active Directory and ITAM Integration

Last modified on 2022/11/30 17:03

Introduction

You can integrate third-party systems with Service Manager in many ways. The method you select will depend on business requirements, architectural and security constraints as well as the characteristics specific to each third-party application or service.

This document describes an integration process that has already been implemented in a customer context. 

To find out more about this integration (e.g. scripts to be used), please do not hesitate to contact your EasyVista contact, or your service provider and integrator.

Overview of the integration

Microsoft Active Directory (AD) is the directory service provider that supports LDAP for Windows operating systems. It lists all elements in the administered network such as user accounts, servers, workstations, shared folders or printers.

  • Its primary objective is to provide centralized identification and authentication services to a network of machines using the Windows operating system. 
  • It is used by administrators to assign and apply policies, distribute software and install critical upgrades.
  • It enables users to locate shared resources easily and administrators to monitor usage, through features for storing, distributing, replicating and partitioning information and for securing access.

This integration relies on the information storage functionality, using the following attributes of workstations on the network:

  • OS name: operatingSystem attribute
  • OS version: operatingSystemVersion attribute
  • OS service pack: operatingSystemServicePack attribute

The Service Desk requires this information to qualify incidents and determine the applicable procedure.

Operating principle

[Figure: Microsoft Active Directory process]

The standard integration process is made up of 2 phases:

  • Run a preimport task using the smoBackOfficeClient tool to:
    • Extract and store data from the Microsoft Active Directory database in Service Manager work tables.
    • Run various processing operations to normalize and standardize data.
    • Store all data in the final Service Manager tables.
  • Integrate data in the final Service Manager tables using Employee/Equipment integration models.

Notes

  • An account with read access must be defined to enable Service Manager to connect to an Active Directory domain controller.
  • To set up Microsoft Active Directory in a standard integration process, you need to add several tables to the EVO_BACKOFFICE database.
  • Importing employees:
    • An employee is imported only if the following information is specified: company (Company), last name (sn), first name (givenName) and login (sAMAccountName).
    • Departments missing from Service Manager will automatically be imported.
    • The unique ID used for the import is the user login.
    • Two integration models are used for importing information on employees and their managers.
  • Importing equipment:
    • Equipment missing from Service Manager will not be imported.
    • The unique ID used for the import is the workstation's network identifier.
    • Four integration models are implemented: one for importing information on equipment and three for importing the operatingSystem, operatingSystemVersion and operatingSystemServicePack attributes.

See How to choose the best tool for automating integration.

Procedure

How to perform integration using Microsoft Active Directory

1. Run scripts to create tables in the EVO_BACKOFFICE database.

2. Define the preimport processing for extracting data from the Microsoft Active Directory database.

3. Integrate the extracted data. See the procedure.

  • Integration models for importing employees:
    • LDAP employees: Insertion & Update option and the Employee connector
    • LDAP employees - Managers: Only Update option and the Employee connector
  • Integration models for importing equipment:
    • LDAP equipment: Only Update option and the Equipment connector
    • Attributes - OS name: Insertion & Update option and the Attributes connector (equipment, contracts, licenses)
    • Attributes - OS service pack: Insertion & Update option and the Attributes connector (equipment, contracts, licenses)
    • Attributes - OS version: Insertion & Update option and the Attributes connector (equipment, contracts, licenses)

How to convert a Timestamp value to a Date value

Some Microsoft AD fields are stored as Timestamp values (based on the number of seconds elapsed since midnight January 1, 1601 UTC): LastLogon, LastLogonTimestamp, accountExpires, LastPwdSet.
Use the AD_DATE_CONVERT function to convert them to the standard Date format.

Example: Convert the accountExpires value (Arrival date):

-- Preview the converted values
SELECT [EVO_BACKOFFICE].[EZV_ADMIN].AD_DATE_CONVERT(accountexpires)
FROM   e_ad_temp;

-- Overwrite the raw values with the converted ones
UPDATE [EVO_BACKOFFICE].[EZV_ADMIN].[e_ad_ok]
SET    accountexpires =
       [EVO_BACKOFFICE].[EZV_ADMIN].AD_DATE_CONVERT(accountexpires);
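
The conversion described above, as an added Python example (not EasyVista code, and not the source of AD_DATE_CONVERT, which this page does not show). It assumes the raw values are the integers Active Directory returns over LDAP, counted in 100-nanosecond ticks from January 1, 1601 UTC, and it treats 0 and 9223372036854775807 as "never"; the function names and sample rows are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000       # assumption: raw LDAP value in 100 ns ticks
NEVER = {0, 0x7FFFFFFFFFFFFFFF}     # AD sentinels for "never" / "not set"
# Timestamp fields as named on this page.
TIMESTAMP_FIELDS = ("LastLogon", "LastLogonTimestamp", "accountExpires", "LastPwdSet")


def ad_timestamp_to_datetime(raw):
    """Return an aware UTC datetime, or None for empty, sentinel or invalid input."""
    try:
        ticks = int(str(raw).strip())
    except ValueError:
        return None                  # None, "" or non-numeric text
    if ticks in NEVER or ticks < 0:
        return None
    try:
        return AD_EPOCH + timedelta(seconds=ticks // TICKS_PER_SECOND)
    except OverflowError:
        return None                  # beyond year 9999: not a usable date


def to_service_manager(raw):
    """Format as DD/MM/YY hh:mm:ss, the format given in the mapping notes."""
    dt = ad_timestamp_to_datetime(raw)
    return dt.strftime("%d/%m/%y %H:%M:%S") if dt else None


def convert_row(row):
    """Return a copy of an extracted row with its timestamp fields converted."""
    out = dict(row)
    for field in TIMESTAMP_FIELDS:
        if field in out:
            out[field] = to_service_manager(out[field])
    return out


# Constructed sample rows (not real directory data).
SAMPLE_ROWS = [
    {"sAMAccountName": "jdoe", "accountExpires": "133142400000000000",
     "LastLogonTimestamp": "116444736000000000"},
    {"sAMAccountName": "svc-backup", "accountExpires": "9223372036854775807",
     "LastLogonTimestamp": "0"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(convert_row(row))
```

Returning None for the "never" sentinels keeps a non-expiring account from being imported with an out-of-range or year-1601 date.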

Mapping Microsoft Active Directory attributes and Service Manager fields

Employees

| Microsoft Active Directory | Service Manager | Note |
| --- | --- | --- |
| sAMAccountName | Login | |
| displayName | Full Name | |
| Company / Division / Department | Entity | Concatenation of 3 fields |
| description | Note | |
| extensionAttribute5 | Available Field 1 (contract type) | |
| telephoneNumber | Phone | |
| facsimileTelephoneNumber | Fax | |
| Mobile | Mobile | |
| homePhone | Available Field 2 (Internal phone) | |
| otherHomePhone | Available Field 3 (Other phone) | |
| lastLogonTimestamp | Available Field 6 (last connection) | DD/MM/YY hh:mm:ss format |
| whenCreated | Arrival Date | DD/MM/YY hh:mm:ss format |
| Title | Job | |
| Manager | Manager: Login | |
| proxyAddresses | Available Field 4 (Fax ID) | |
| extensionAttribute7 | Available Field 5 (Manager region) | |
| Mail | Email | |
| canonicalName | Location Code | |
| sn | N/A | Used to check if the account is valid |
| givenName | N/A | Used to check if the account is valid |
| UserAccountControl.AccountDisable | Departure Date | Specified if the employee is to be archived in Service Manager. In this case, the value is the current date. If there is no end date, then it is 01/01/2099. |
| distinguishedName | N/A | Specified if the employee is to be archived in Service Manager. In this case, the value is the current date. |
| accountExpires | Date of account deactivation | DD/MM/YY hh:mm:ss format |
| Initials | Title | |

Equipment

| Microsoft Active Directory | Service Manager |
| --- | --- |
| Name | Network Identifier |
| distinguishedName | N/A |
| canonicalName | Location Code |
| Description | Note |
| operatingSystem | OS Name (attribute value) |
| operatingSystemVersion | OS Version (attribute value) |
| operatingSystemServicePack | OS Service Pack (attribute value) |