Change User's AD Location - Orchestration

Rudi2
Giga Guru

Hi Guys

There are a lot of questions about this and not a good enough example.

All I want to do is to use the AD activities on the workflow to change a user to a different OU in AD.

Will the Update ADObject activity work for this, and what AD field do I need to change, or do I need to add a Move-ADObject activity?

Regards

1 ACCEPTED SOLUTION

Rudi2
Giga Guru

Okay, we got it sorted and I hope it helps everyone else who's also not so familiar with PowerShell!!



With the move function we use the following command:



Move-ADObject -Identity $userdn -TargetPath $path        



$userdn // We are pulling the user's DN from LDAP as well, no need for the objectGUID

$path // The DN of the OU you want to move the user to.






The worst part for this to work at customer sites is just getting access, so make sure the MID Server's got a jacked up credential. We also ticked the "use MID Service Account".



Regards



19 REPLIES

mev
Tera Contributor

Hey there.  Thank you for your post.  Can you please share what you filled in for your outputs?  

Thanks!

Hi, sorry for replying now. Is this what you were looking for? I think we left this OOB.

 


Regards

sinanbulut
Tera Contributor

Hi Rudi_Cro,

 

I followed the path you mentioned above, but I encountered an error. I think it is a credential error. With the same credential, the user is created and updated. What do you think the problem can be?

 

 Failed to access target system. Please check credentials and firewall settings on the target system to ensure accessibility: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Stack Trace: at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()
at System.Management.Automation.Cmdlet.DoBeginProcessing()
at System.Management.Automation.CommandProcessorBase.DoBegin()
Authentication failure with the local MID server service credential

 

sidkak
Tera Contributor

Hi William Busby,

 

I followed the below URL to create the Move AD Account Activity

https://community.servicenow.com/community?id=community_question&sys_id=97b9c7e5db5cdbc01dcaf3231f96...

 

I am able to execute the command from the MID Server to the AD server using the credential used in SNOW, and it works as expected:

PS C:\Users\Exx-srv-snowacc> Move-ADObject -Identity "CN=Z4082405,OU=Users,OU=HQP,DC=<DC>,DC=COM" -TargetPath "OU=Disabled Users,DC=<DC>,DC=COM"

 

However, when I run the same thing with test inputs from SNOW, I get the below error. Any clues on why this might be?

errorMessages": "Failed to access target system.  Please check credentials and firewall settings on the target system to ensure accessibility: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\n\nStack Trace:    at System.Management.ThreadDispatch.Start()\nat System.Management.ManagementScope.Initialize()\nat System.Management.ManagementObjectSearcher.Initialize()\nat System.Management.ManagementObjectSearcher.Get()\nat Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()\nat System.Management.Automation.Cmdlet.DoBeginProcessing()\nat System.Management.Automation.CommandProcessorBase

Hopefully you have already solved your issue Sidkak.  However, if you haven't and for others who may find this thread... Check the ECC queue and review the output statement carefully. 

I've found that when I see this message an extra "DC=<DC>,DC=com" is getting appended to the target. 

E.g. "CN=redacted,OU=Users,OU=SomeOU,DC=<DC>,DC=com,DC=<DC>,DC=com"

I wrote a script check in the workflow to check for the presence of an initial setting of DC=, etc. and remove it, and this problem went away for us.
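
One way to write the kind of check the last reply describes, as an added example that is not the poster's script or ServiceNow code. It goes slightly beyond the reply by also collapsing an already duplicated domain suffix; the function names and the `example`/`com` sample DNs are assumptions made up for illustration.

```javascript
// Added example: normalise a distinguished name before passing it to the
// move activity. Function names are hypothetical; sample DNs are constructed.

// Split a DN into RDNs on commas that are not backslash-escaped.
function splitDn(dn) {
  var parts = [], cur = '';
  for (var i = 0; i < dn.length; i++) {
    var ch = dn.charAt(i);
    if (ch === '\\' && i + 1 < dn.length) { cur += ch + dn.charAt(++i); continue; }
    if (ch === ',') { parts.push(cur.trim()); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur.trim());
  return parts.filter(function (p) { return p.length > 0; });
}

function isDc(rdn) { return /^DC=/i.test(rdn); }

// Drop the trailing run of DC= components, leaving only the OU/CN part.
// For the case where the activity appends the domain DN by itself.
function stripDomainSuffix(dn) {
  var rdns = splitDn(dn);
  while (rdns.length && isDc(rdns[rdns.length - 1])) rdns.pop();
  return rdns.join(',');
}

// Collapse a trailing DC run that is one suffix repeated, e.g.
// "...,DC=example,DC=com,DC=example,DC=com" -> "...,DC=example,DC=com".
function collapseRepeatedDomain(dn) {
  var rdns = splitDn(dn);
  var firstDc = rdns.length;
  while (firstDc > 0 && isDc(rdns[firstDc - 1])) firstDc--;
  var dcs = rdns.slice(firstDc).map(function (r) { return r.toLowerCase(); });
  for (var len = 1; len <= dcs.length / 2; len++) {
    if (dcs.length % len !== 0) continue;
    var repeated = dcs.every(function (r, i) { return r === dcs[i % len]; });
    if (repeated) return rdns.slice(0, firstDc + len).join(',');
  }
  return rdns.join(','); // nothing repeated: return the DN unchanged
}
```

Compare the result with the command text recorded in the ECC queue output to confirm which of the two cases applies before wiring either function into the workflow.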