Change User's AD Location - Orchestration

Rudi2
Giga Guru

Hi Guys

There are a lot of questions about this and not a good enough example.

All I want to do is to use the AD activities on the workflow to change a user to a different OU in AD.

Will the Update ADObject activity work for this, and what AD field do I need to change, or do I need to add a Move-ADObject activity?

Regards

1 ACCEPTED SOLUTION

Rudi2
Giga Guru

Okay, we got it sorted, and I hope it helps everyone else who's also not so familiar with PowerShell!!



With the move function we use the following command:



Move-ADObject -Identity $userdn -TargetPath $path        



$userdn // We are pulling the user's DN from LDAP as well, no need for the objectGUID

$path // The DN of the OU you want to move the user to.






The worst part of getting this to work at customer sites is just getting access, so make sure the MID Server's got a jacked up credential. We also ticked "use MID Service Account".



Regards
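
A fuller version of the move described in the accepted solution, as an added example that is not part of the original post or of ServiceNow's own activity code: it resolves the user's DN from the directory, confirms the target OU exists, and skips the move when the user is already there. The function name `Move-UserToOU`, its parameters and the sample values are hypothetical, and it assumes the ActiveDirectory (RSAT) module is available where the script runs.

```powershell
# Added example: the function name and parameters are hypothetical.
# Assumes the ActiveDirectory (RSAT) module is installed where this runs.
Import-Module ActiveDirectory

function Move-UserToOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$TargetOU,   # DN of the destination OU
        [System.Management.Automation.PSCredential]$Credential
    )

    # Pass the credential only when one was supplied.
    $auth = @{}
    if ($Credential) { $auth['Credential'] = $Credential }

    # Resolve the user's DN from the directory rather than building it by hand.
    $user = Get-ADUser -Identity $SamAccountName @auth -ErrorAction Stop
    $userdn = $user.DistinguishedName

    # Fail early with a clear error if the target OU does not exist.
    $ou = Get-ADOrganizationalUnit -Identity $TargetOU @auth -ErrorAction Stop
    $path = $ou.DistinguishedName

    # Parent container = DN minus the leading RDN (split on the first unescaped comma).
    $currentParent = ($userdn -split '(?<!\\),', 2)[1]
    if ($currentParent -eq $path) {
        Write-Verbose "$SamAccountName is already in $path"
        return $user
    }

    if ($PSCmdlet.ShouldProcess($userdn, "Move to $path")) {
        Move-ADObject -Identity $userdn -TargetPath $path @auth -ErrorAction Stop
        # Re-read the object by GUID so the caller sees the new DN.
        return Get-ADUser -Identity $user.ObjectGUID @auth
    }
}

# Constructed sample values; -WhatIf previews the move without changing AD.
Move-UserToOU -SamAccountName 'jdoe' -TargetOU 'OU=Disabled Users,DC=example,DC=com' -WhatIf
```

Running it with `-WhatIf` first shows which object would be moved and where; `-ErrorAction Stop` turns a missing user, a missing OU or a permissions failure into a terminating error that the calling workflow can catch.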



19 REPLIES

Thanks so much for sharing, Rudi, really appreciate it.



It's for new user accounts, so I guess they wouldn't be in ServiceNow to get their DN.


But will try the json decode you posted.



I am finding the whole thing so frustrating, to say the least, and the way we were sold it (it should work out of the box), and I keep getting asked by my managers when we can roll it out! ...moan over for today


Hello,

I'm hoping you can help us with this. I feel like we are so close but keep getting an Access Denied issue. We are able to run all of the standard Orchestration PowerShell scripts like Deactivating a user, Enabling, Update, etc. I've created the Move activity just as you described it and we keep getting an error:

"errorMessages": "Failed to access target system. Please check credentials and firewall settings on the target system to ensure accessibility: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

We had our AD team grant FULL access to the account we are trying to accomplish this with, but we are still getting the same error.

Really hope you can help! 

Thank you!

Looks like a firewall issue. The network or security team may need to open up a port for you to access that.

I have got the same error, but with the same credential used in the test inputs I am able to run all the other activities. Also, with the same credential I am able to execute the command from my MID Server to the Domain Controller. Not sure why this is happening.

If the same user is able to execute the PowerShell, then why is ServiceNow not able to use it only in this activity?

sidkak
Tera Contributor

 

I am able to execute the command from the MID Server to the AD Server using the credential used in SNOW, and it works as expected.

PS C:\Users\Exx-srv-snowacc> Move-ADObject -Identity "CN=Z4082405,OU=Users,OU=HQP,DC=<DC>,DC=COM" -TargetPath "OU=Disabled Users,DC=<DC>,DC=COM"

 

However, when I run the same thing with test inputs from SNOW, I get the below error. Any clues on why this might be?

errorMessages": "Failed to access target system.  Please check credentials and firewall settings on the target system to ensure accessibility: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\n\nStack Trace:    at System.Management.ThreadDispatch.Start()\nat System.Management.ManagementScope.Initialize()\nat System.Management.ManagementObjectSearcher.Initialize()\nat System.Management.ManagementObjectSearcher.Get()\nat Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()\nat System.Management.Automation.Cmdlet.DoBeginProcessing()\nat System.Management.Automation.CommandProcessorBase

 

Were you able to solve this issue?