How to identify the filter or RDN that imports users only from the main LDAP OU definition, excluding sub-OUs

**Issue**

When configuring a Lightweight Directory Access Protocol (LDAP) Organizational Unit (OU) Definition in ServiceNow to synchronize users from a specific OU, users located in sub-OUs (such as dismissed, inactive, or external directories) are still imported even after adding filter conditions intended to exclude them.
**Symptoms**

- The LDAP scheduled load imports user records from sub-OUs that are explicitly excluded in the filter query.
- Users deleted from ServiceNow are re-created on the next scheduled LDAP load.
- LDAP filter conditions using `!(OU=<name>)` or `distinguishedName`-based exclusions have no effect and do not reduce the result set.
- All users under the target OU and its child OUs are returned regardless of filter modifications.

**Release**

All currently supported releases

**Cause**

By default, LDAP searches in ServiceNow run in Subtree scope, meaning the query returns users from the specified OU and all of its child OUs.

Microsoft Active Directory does not support DN-based extensible matching filters (queries using the `:dn:` syntax), so filter conditions that rely on that syntax, such as `!(ou:dn:=Dismissed)`, will not work against AD and will not restrict results to the parent OU only.

Additionally, Business Rules cannot be used to filter records at this stage because Business Rules do not execute on import set tables.
Any filter logic intended to exclude records during an LDAP import must be implemented at the Transform Map level.

**Resolution**

The steps below outline a supported workaround. This customization falls outside standard break-fix support; review and test it before deploying to production.

**Option 1: Change the LDAP OU search scope to One Level**

This is the cleanest approach when your LDAP integration supports the one-level search scope setting. It instructs the LDAP server to return only direct children of the specified OU, excluding all sub-OUs without additional scripting.

1. Navigate to **System LDAP > LDAP OU Definitions**.
2. Open the relevant LDAP OU Definition record.
3. Locate the **Search Scope** field.
4. Change the value from **Subtree** to **One Level**.
5. Click **Save**.
6. Run a test using the **Browse** feature on your LDAP Server configuration to confirm that only direct members of the target OU are returned.
Note: If the **Search Scope** field is not available on your LDAP OU Definition, proceed to Option 2.

---

**Option 2: Add an onBefore Transform Map Script to exclude sub-OU records during import**

Use this option when the One Level search scope is not available or does not meet your requirements. This script evaluates each imported record's distinguished name (DN) at import time and skips any record whose DN contains an excluded OU pattern.

1. Navigate to **System LDAP > LDAP OU Definitions**.
2. Open the relevant LDAP OU Definition record.
3. Scroll to the **Transform Map** related list and open the associated Transform Map record.
4. Locate the **Transform Map Scripts** related list (or the script field for the **onBefore** event).
5. Add the following script, replacing the OU names in the `excludedOUs` array with the exact OU names as they appear in your Active Directory. Note that these values are case-sensitive in AD; the script lower-cases both sides before comparing, so list them in lower case:

```javascript
// Get the DN from the source (import set) record.
// Coerce to a JavaScript string first: source fields are GlideElement objects,
// so calling toLowerCase() on them directly is not reliable.
var dn = String(source.dn || source.distinguishedName || '').toLowerCase();

// Define excluded OU patterns; update the values to match your AD configuration.
var excludedOUs = ['ou=dismissed', 'ou=inactive', 'ou=external'];

// Skip the row if the DN contains any excluded OU.
for (var i = 0; i < excludedOUs.length; i++) {
  if (dn.indexOf(excludedOUs[i]) !== -1) {
    log.info('Excluding entry with DN: ' + dn);
    ignore = true; // Transform Map flag that skips this source row
    return;
  }
}

// No match: the row is transformed normally.
```

6. Save the Transform Map record.
7. Run the LDAP scheduled load against a non-production instance first to confirm that users in the excluded sub-OUs are no longer imported.
8. Once validated, apply the same configuration to the production LDAP OU Definition.

Note: The `dn` attribute must be available and populated on your LDAP node for this script to evaluate correctly. If `dn` is not a queryable attribute in your AD configuration, work with your LDAP administrator to identify an alternative attribute that can be used to implement the exclusion logic.
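As an added illustration (not part of this KB article or the product), the following helpers show how the same exclusion can be done by comparing whole RDN components instead of searching for a substring, which avoids matching an unrelated OU such as `ou=Dismissed-Review` when only `ou=Dismissed` should be excluded. `isDirectChildOf` reproduces One Level scope semantics at the transform-map stage for cases where the Search Scope field is unavailable; all function names and sample DNs are assumptions constructed for the example.

```javascript
// Added example, not the KB's own script. Helpers an onBefore transform script
// could call; all names and sample DNs below are illustrative assumptions.

// Split a DN into its RDN components, honouring backslash escapes so that
// "cn=Doe\, Jane,ou=Users,dc=example,dc=com" yields 4 parts, not 5.
function splitDn(dn) {
  var parts = [], cur = '';
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (c === '\\' && i + 1 < dn.length) { cur += c + dn.charAt(++i); continue; }
    if (c === ',') { parts.push(cur.trim()); cur = ''; continue; }
    cur += c;
  }
  parts.push(cur.trim());
  return parts;
}

// Normalise one RDN for comparison: "OU = Dismissed" -> "ou=dismissed".
function normRdn(rdn) {
  var eq = rdn.indexOf('=');
  if (eq < 0) return rdn.toLowerCase();
  return rdn.slice(0, eq).trim().toLowerCase() + '=' +
         rdn.slice(eq + 1).trim().toLowerCase();
}

// True when the entry sits directly under baseDn (One Level semantics):
// exactly one more RDN than the base, and the remaining suffix equals the base.
function isDirectChildOf(dn, baseDn) {
  var d = splitDn(dn).map(normRdn), b = splitDn(baseDn).map(normRdn);
  if (d.length !== b.length + 1) return false;
  return d.slice(1).join(',') === b.join(',');
}

// True when any container RDN of the DN (the leaf is skipped) exactly equals
// one of the excluded OU RDNs. Exact comparison means "ou=dismissed" does not
// also exclude entries under "ou=dismissed-review".
function inExcludedOu(dn, excludedOus) {
  var rdns = splitDn(dn).map(normRdn).slice(1);
  var ex = excludedOus.map(normRdn);
  for (var i = 0; i < rdns.length; i++) {
    if (ex.indexOf(rdns[i]) !== -1) return true;
  }
  return false;
}
```

In a transform script these would be called with the source record's DN string and, on a match, the row skipped with `ignore = true`.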
**Related Links**

- Define LDAP organizational units
- Microsoft AD documentation: DN-based extensible matching filter support