When ServiceDesk performs an Active Directory sync, some users are not brought in. These users are members of an Active Directory group that is part of an organizational unit that was specified to be synced.
ServiceDesk syncs users based on their location in an Active Directory organizational unit, not based on their Active Directory group membership.
A common misconception is that users who are not in the specified organizational unit, but who are members of an Active Directory group, will be synced. This is incorrect, because these users are not in the specified organizational unit or domain.
This is working as designed. Active Directory (AD) syncs must be planned and configured in such a way that all users to be synced are in the specified organizational units (OU) for the sync.
The following example shows how ServiceDesk syncs an OU that contains users and a group.
The OU "California" has one user, John Doe, and one security group, "Human Resources".
The OU "New York" has one user, Jim Smith.
The security group "Human Resources", in the OU "California", includes both users as members.
During the ServiceDesk sync, if the OU California is selected to be synced but the OU New York is not, the following will occur:
The user John Doe is synced into ServiceDesk.
The security group name Human Resources is synced into ServiceDesk as a new group.
John Doe becomes a member of the Human Resources group in ServiceDesk.
Jim Smith is not synced because they are not part of the OU California.
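To find accounts in Jim Smith's position before a sync, the following added example (not ServiceDesk or vendor code) lists users who are members of a group located in a synced OU but whose own account sits outside every synced OU. It assumes the RSAT ActiveDirectory module is installed and that child OUs count as part of a synced OU; the function name and the `DC=example,DC=com` distinguished name are placeholders.

```powershell
# Added example, not vendor code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-GroupMembersOutsideSyncedOU {   # hypothetical helper name
    param(
        # Distinguished names of the OUs selected for the sync.
        [Parameter(Mandatory)] [string[]] $SyncedOU
    )

    foreach ($ou in $SyncedOU) {
        # Groups located in a synced OU are the ones created in ServiceDesk.
        # Assumption: child OUs are included, hence the Subtree scope.
        $groups = Get-ADGroup -Filter * -SearchBase $ou -SearchScope Subtree

        foreach ($group in $groups) {
            # Direct user members only; nested groups are not expanded here.
            $members = Get-ADGroupMember -Identity $group |
                Where-Object { $_.objectClass -eq 'user' }

            foreach ($member in $members) {
                $dn = $member.DistinguishedName

                # A user is in scope if its DN ends with any synced OU's DN.
                $inScope = $false
                foreach ($s in $SyncedOU) {
                    if ($dn.EndsWith(",$s", [StringComparison]::OrdinalIgnoreCase)) {
                        $inScope = $true
                        break
                    }
                }

                # Report group members that the sync will not bring in.
                if (-not $inScope) {
                    [pscustomobject]@{
                        Group   = $group.Name
                        GroupOU = $ou
                        User    = $member.SamAccountName
                        UserDN  = $dn
                    }
                }
            }
        }
    }
}

# Placeholder DN for the "California" OU from the example above.
Get-GroupMembersOutsideSyncedOU -SyncedOU 'OU=California,DC=example,DC=com'
```

In the scenario above, this would report Jim Smith under the Human Resources group, because his account is in the OU New York.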