Populating ADAM Objects

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read

    ADAM objects include User Objects, UserProxy Objects, and Group Objects.

    User Objects

    Users can be created using the ADAM ADSI Edit console, just as we did for OU creation. Users can also be administered using AD command-line tools, which is beyond the scope of this document. The only mandatory attribute for a new user object is the cn, which is a short name or the user’s full name. There is also a wide range of optional attributes similar to Active Directory user attributes; you can see the full list by opening the properties of the user object in ADSI Edit.

    UserProxy Objects

    For ServiceNow LDAP integration we recommend that you use UserProxy objects in ADAM. A UserProxy object is a proxy account that links to the related AD user account, which lets ADAM authenticate logon credentials against AD usernames and passwords from the domain without ServiceNow connecting directly to the Domain Controller. UserProxy objects are very similar to AD and ADAM User objects except that they do not store passwords and have an objectSID attribute that contains the SID of the linked AD User object; this is how the proxy works. UserProxy objects can be created using the ADSIEdit console or command-line tools, but doing so by hand is tedious, so we recommend the automated process described below.

    Group Objects

    Groups are created using the ADSIEdit console or AD command-line tools. Group concepts are similar to AD, and groups are used to integrate groups and their members into ServiceNow. The biggest difference is that ADAM groups can contain members from ADAM or from trusted AD domains.
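    The three object types above can be created from a script instead of by hand in ADSI Edit. The following PowerShell is an added example written for this page, not code from ServiceNow or Microsoft; it uses the ADSI interfaces through the [ADSI] type accelerator and System.DirectoryServices. It assumes a domain controller named dc01, an ADAM instance named adam01 listening on 389 (LDAP) and 636 (LDAPS), an AD user jdoe in DC=corp,DC=example,DC=com, and an OU=Users container in the DC=myCompany,DC=adam partition from the text; all of those names are assumptions. The last step checks that the UserProxy actually forwards the bind to AD by binding as the proxy DN with the domain password.

```powershell
# Added example (not ServiceNow's or Microsoft's code). Assumed names: dc01, adam01,
# the AD user jdoe, and OU=Users under the DC=myCompany,DC=adam partition.
$adamUsersOu = "LDAP://adam01:389/OU=Users,DC=myCompany,DC=adam"
$adUserPath  = "LDAP://dc01/CN=jdoe,OU=Users,DC=corp,DC=example,DC=com"

$ou = [ADSI]$adamUsersOu

# 1. Plain ADAM user. cn (taken from the RDN) is the only mandatory attribute.
#    ADAM holds the password for this kind of object itself.
$user = $ou.Create("user", "CN=svc-local-test")
$user.Put("displayName", "Local test account")
$user.SetInfo()

# 2. UserProxy. It stores no password; objectSid is copied from the linked AD
#    account and ADAM uses that SID to hand the bind to the domain.
$adUser = [ADSI]$adUserPath
[byte[]]$sid = $adUser.objectSid.Value
$proxy = $ou.Create("userProxy", "CN=jdoe")
$proxy.Put("objectSid", $sid)
$proxy.Put("userPrincipalName", "jdoe@corp.example.com")   # assumed UPN
$proxy.SetInfo()

# 3. Group that holds both kinds of object. groupType 0x80000008 is a
#    security-enabled universal group; IADsGroup::Add takes the member's ADsPath.
$group = $ou.Create("group", "CN=ServiceNow-Users")
$group.Put("groupType", -2147483640)
$group.SetInfo()
$group.Add($user.Path)
$group.Add($proxy.Path)

# 4. Verify the proxy: a simple bind as the proxy DN with the AD password. ADAM
#    rejects proxy binds on a clear-text connection by default, so bind over LDAPS.
function Test-ProxyBind {
    param([string]$ProxyDn, [string]$AdPassword)
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://adam01:636/DC=myCompany,DC=adam", $ProxyDn, $AdPassword,
        [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
    try { [void]$entry.NativeObject; return $true } catch { return $false }
}

$pw = Read-Host "AD password for jdoe"
Test-ProxyBind -ProxyDn "CN=jdoe,OU=Users,DC=myCompany,DC=adam" -AdPassword $pw
```

    Test-ProxyBind returns $true only when ADAM accepted the bind, which means the objectSid on the proxy resolved to the right domain account and the domain accepted the password. A $false result with a correct password usually points at a wrong SID on the proxy, a missing trust between the ADAM host and the domain, or an attempt to proxy-bind over plain LDAP.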

    Automating ADAM Object Creation

    If you want to synchronize Active Directory accounts into ADAM, we recommend the Microsoft ADAMSync tool. This is the most common use of ADAM for ServiceNow LDAP integration.

    About Permission Delegation

    ADAM contains some built-in groups with default permissions. These groups are found in the container cn=roles,dc=myCompany,dc=adam. They are similar to domain-level groups and have rights to objects in the current partition. Similar to AD forests, you can also set a higher level of permissions using the default groups in cn=roles,cn=configuration,dc=myCompany,dc=adam; to see them, you must connect to the configuration partition in ADSIEdit.

    The Administrators group by default includes the account specified during setup. This member is not always visible, since it is inherited through the configuration groups. Administrators have full control of all partition objects. The Readers group contains no members by default and has read access to all objects in the partition. The Users group is a dynamic group, just as it is in Active Directory: transitively it includes all ADAM users created in the partition.
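    The account ServiceNow binds with only needs to read users and groups, so it belongs in the partition's Readers role rather than Administrators. The PowerShell below is an added example, not ServiceNow's or Microsoft's code; it assumes the ADAM instance adam01, the cn=roles,dc=myCompany,dc=adam container from the text, and an ADAM account CN=svc-servicenow,OU=Users,DC=myCompany,DC=adam (an assumed name) used for the ServiceNow bind. It adds that account to Readers if it is not already a member and then lists the explicit members of the Administrators and Readers roles so the delegation can be reviewed.

```powershell
# Added example (not ServiceNow's or Microsoft's code). Assumed names: adam01 and
# the bind account CN=svc-servicenow; the roles container comes from the text.
$rolesBase       = "LDAP://adam01:389/CN=Roles,DC=myCompany,DC=adam"
$bindAccountPath = "LDAP://adam01:389/CN=svc-servicenow,OU=Users,DC=myCompany,DC=adam"

# Grant read-only rights: Readers, not Administrators. IADsGroup::IsMember and Add
# both take the member's ADsPath.
$readers = [ADSI]"LDAP://adam01:389/CN=Readers,CN=Roles,DC=myCompany,DC=adam"
if (-not $readers.IsMember($bindAccountPath)) {
    $readers.Add($bindAccountPath)
}

function Get-AdamRoleMembers {
    param([string]$RoleName)
    $role = [ADSI]"LDAP://adam01:389/CN=$RoleName,CN=Roles,DC=myCompany,DC=adam"
    # 'member' lists explicit DNs only. The setup account is usually absent from
    # the partition's Administrators because it is inherited from the
    # configuration-partition roles, and Users is dynamic, so it is not listed here.
    @($role.member)
}

foreach ($roleName in "Administrators", "Readers") {
    "{0}: {1}" -f $roleName, ((Get-AdamRoleMembers $roleName) -join "; ")
}
```

    Run the listing before and after the change: the bind account should appear under Readers only, and any extra DN under Administrators is worth questioning, since that role has full control of every object in the partition.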