AD Group additions and removals
05-08-2025 11:19 AM
We currently have several Requests that require users to be added to a Security Group to gain access to an application, whether it be installing the application or providing login permissions via SSO. Our end users request access through our SSP and only need to select the application or the application and role. We have a decision table that determines the appropriate security group they should be added to, and a task is generated for someone to manually add the user. We would like to automate this using our MID Server and a PowerShell script. We have a script created but are trying to determine the best approach for pulling the application name and security group for a given task. The developer that created the script indicated it would be too complicated to try and pull the security group from the decision table. They are able to pull the application from the task, as there is a variable present that lists the application. For testing purposes we are putting the security group name in the additional comments at submission to test the script. In the real world our users would not know the security group name. One thing they proposed was for us to create a new variable at the task level that would pull the security group for the given application from the decision table into this field for their script to read. I'm trying to see if there is a recommended approach when using a PowerShell script vs. the AD Spoke.
05-08-2025 01:40 PM - edited 05-08-2025 01:41 PM
You're on the right track with automation, and your goal is common in many ServiceNow environments where request fulfillment involves Active Directory group membership. Since you're choosing to automate this via MID Server + PowerShell instead of the AD Spoke, here is my recommendation:
- Do populate u_ad_group_name from the decision table; it's the cleanest approach.
- Avoid relying on additional_comments or user input for AD group names.
- Store user_id and group_name as distinct task fields.
- Make PowerShell dumb: just execute based on clean inputs.
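As an added illustration of the "dumb PowerShell, clean inputs" approach above (this is example code written for this page, not the original poster's script or anything shipped with ServiceNow), here is the shape such a MID Server script can take. It assumes the task's user_id and u_ad_group_name fields are handed to the script as parameters (field names as used in the reply; the parameter names, the allowlist contents and the output format are assumptions), and that the ActiveDirectory module is installed on the MID Server host. The script never reads group names from additional_comments or builds command strings from its inputs; it validates both values, refuses groups outside a managed allowlist, resolves the user and group explicitly so a typo fails closed, and is idempotent so a retried task does not error out.

```powershell
<#
  Added example, not from the original thread.
  -UserId    : value of the task's user_id field (a sAMAccountName)
  -GroupName : value of the task's u_ad_group_name field, which the
               workflow populates from the decision table
  -Action    : Add (default) or Remove, for the removal requests as well
  Requires the ActiveDirectory (RSAT) module on the MID Server host.
#>
param(
    [Parameter(Mandatory)][string]$UserId,
    [Parameter(Mandatory)][string]$GroupName,
    [ValidateSet('Add', 'Remove')][string]$Action = 'Add',
    # Constructed allowlist of groups this automation may manage.
    # In practice, source this from the same place as the decision table
    # so a fulfiller editing the task field cannot redirect the script.
    [string[]]$AllowedGroups = @('APP-Finance-Users', 'APP-Finance-Admins', 'APP-HR-SSO')
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Validate inputs. The values are passed to cmdlets as parameters,
#    never spliced into a command string, so these checks guard against
#    unexpected or malformed task data rather than injection.
if ($UserId -notmatch '^[A-Za-z0-9._-]{1,20}$') {
    throw "Rejected user id '$UserId': not a valid sAMAccountName"
}
if ($GroupName -notmatch '^[A-Za-z0-9 ._-]{1,64}$') {
    throw "Rejected group name '$GroupName': unexpected characters"
}

# 2. Only touch groups the automation is explicitly allowed to manage.
if ($AllowedGroups -notcontains $GroupName) {
    throw "Rejected group '$GroupName': not in the managed allowlist"
}

# 3. Resolve both objects up front so a bad identity fails closed
#    instead of a later cmdlet silently matching nothing.
$user  = Get-ADUser  -Identity $UserId   -ErrorAction Stop
$group = Get-ADGroup -Identity $GroupName -Properties member -ErrorAction Stop

# 4. Idempotent membership change, compared by distinguishedName.
$isMember = $group.member -contains $user.DistinguishedName
switch ($Action) {
    'Add' {
        if ($isMember) {
            Write-Output "NOOP: $UserId is already a member of $GroupName"
        } else {
            Add-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
            Write-Output "ADDED: $UserId to $GroupName"
        }
    }
    'Remove' {
        if (-not $isMember) {
            Write-Output "NOOP: $UserId is not a member of $GroupName"
        } else {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
            Write-Output "REMOVED: $UserId from $GroupName"
        }
    }
}
```

The single output line (NOOP / ADDED / REMOVED, or the thrown error) is what the MID Server activity returns to the task, so the task can be closed or escalated on that alone. Everything the script needs to make a decision arrives in two dedicated fields; the decision of which group an application maps to stays in the decision table on the ServiceNow side, and the MID Server account only ever needs write access to the groups in the allowlist.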