ServiceDesk

  • 1.  Active Directory sync profile doesn't remove user from ServiceDesk groups

    Posted Jan 06, 2015 01:14 PM

    Our sync profile is configured to synchronize users as well as groups between AD and ServiceDesk.  When the sync profile runs, users who have been deleted from AD are deactivated in ServiceDesk, however, the associated groups don't get updated, i.e. it doesn't remove a user from any ServiceDesk groups even though they've been removed from those respective groups in AD.  Then our automation rules try to send messages to the nonexistent users.  Is the sync process supposed to work this way?  Am I missing a configuration step?



  • 2.  RE: Active Directory sync profile doesn't remove user from ServiceDesk groups

    Posted Jan 06, 2015 09:38 PM

    As far as I know, there's no way in the automation rules to say "send email to affected user as long as the user account is active".  The disabled user accounts persist in the interest of data retention.  Otherwise, if you had a 5-year helpdesk technician quit the company, and that person's user account was deleted in ServiceDesk, all the reference links to that user would be broken and the historical tickets and reports would no longer work as expected.  

    However, you may be able to skirt this issue by sending to a workflow in the automation rules instead of sending an email.

    In the workflow to which you're sending the process, you would:

    • Get the ticket info using the SessionID that's passed in
    • Get the user info to which an email is being sent, and do a quick check on the AccountActive field
    • If the account is active, send an email (it should be easy enough to recreate the template; you have a lot more control over the email and variable format this way as well)
    • If the account is deactivated, skip the email and end the process

    Here's a video about the process in case you're unfamiliar with it.

    https://www-secure.symantec.com/connect/videos/servicedesk-customization-send-incident-workflow-ruleset-action

    Another way to do this is to set up a scheduled monitor workflow that runs daily.  The project would sort through the user accounts and add any deactivated users to a specific group meant to hold only deactivated users.  Then, you could continue to use your automation rules as you already are, with this condition in place:

    2015-01-06_19-28-34.png

    Both ideas do essentially the same thing; we're just checking to see if the user is active before attempting to send an email.  Neither option is an easy fix like a nice checkbox toggle would be, but perhaps someone else can add a much easier idea or solution that I haven't considered.



  • 3.  RE: Active Directory sync profile doesn't remove user from ServiceDesk groups

    Posted Jan 07, 2015 10:42 AM

    I guess my question is more around the sync process.  If someone is removed from a group in AD, it doesn't sync with ServiceDesk.  So they remain in the ServiceDesk groups, which are associated with service queues.  I have to manually remove them from the groups.  Is this by design, or is it a bug?  Or am I just doing something wrong?  Thank you.



  • 4.  RE: Active Directory sync profile doesn't remove user from ServiceDesk groups

    Posted Jan 07, 2015 10:54 AM

    Ah, gotcha.  I didn't get that the AD group was being modified in your example above.  Check this setting:

    2015-01-07_8-49-14.png

    If "Sync Only Users" is enabled, turn it off.  Then run a reset sync on your AD sync profile and check the group.



  • 5.  RE: Active Directory sync profile doesn't remove user from ServiceDesk groups

    Posted Jan 07, 2015 12:50 PM

    The "Sync Only Users" is already turned off.  What's the difference between a reset sync and update sync?  I normally do update - shouldn't that get the changes?  The reset sounds a bit drastic.  It warns that users may get disconnected so I'd rather not do it.  The update sync does pick up users that are added to a group in AD, but not those who have been removed.



  • 6.  RE: Active Directory sync profile doesn't remove user from ServiceDesk groups

    Posted Jan 07, 2015 01:01 PM

    You need to have a reset sync configured to run on a schedule after-hours or during a maintenance window.  I'm not sure of the comprehensive list of differences between a reset and update, but I know that group membership doesn't always update without a reset sync.  In other words, a reset sync should happen sometime.

    If you take a look at the sync status during or after a sync of both types, you can see that updates basically process changes made to the account.  Resets seem to clear the cache, so to speak, and load everything out and back in.  So it's a fresh sync versus a delta sync.
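
Added example (not from any poster in this thread and not Symantec code): a small audit that compares group membership exported from AD with membership exported from ServiceDesk, listing the memberships an update sync left behind so they can be reviewed before or after a reset sync. The CSV layouts, column names and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (assumed format: one group/user pair per row).
AD_EXPORT = """group,user
Service Queue A,alice
Service Queue A,bob
Service Queue B,carol
"""
SD_EXPORT = """group,user,account_active
Service Queue A,Alice,true
Service Queue A,bob,true
Service Queue A,dave,false
Service Queue B,carol,true
Service Queue B,bob,true
"""

def load_members(text):
    """Return {group: {user: active_flag}} with case-insensitive names."""
    members = {}
    for row in csv.DictReader(io.StringIO(text)):
        group = row["group"].strip().lower()
        user = row["user"].strip().lower()
        # The AD export has no active column; treat those rows as active.
        active = row.get("account_active", "true").strip().lower() == "true"
        members.setdefault(group, {})[user] = active
    return members

def audit_stale_memberships(ad_text, sd_text):
    """List (group, user, reason) for ServiceDesk memberships AD no longer backs."""
    ad = load_members(ad_text)
    sd = load_members(sd_text)
    findings = []
    for group, users in sorted(sd.items()):
        ad_users = ad.get(group, {})
        for user, active in sorted(users.items()):
            if not active:
                findings.append((group, user, "deactivated account still in group"))
            elif user not in ad_users:
                findings.append((group, user, "removed from AD group"))
    return findings

if __name__ == "__main__":
    for group, user, reason in audit_stale_memberships(AD_EXPORT, SD_EXPORT):
        print(f"{group}: {user} ({reason})")
```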