To add/remove users into an Active Directory group
‎11-13-2015 02:07 AM
Hi All,
I have started doing a POC on Orchestration with Active Directory.
My knowledge of Orchestration is limited to the wiki information I have gone through, and I also have only naive knowledge of Active Directory configuration or of enabling it with Orchestration.
I would like to start my POC with the following activity or task for AD Orchestration:
1) Automating adding or removing member(s) in an Active Directory group from a service catalog.
What are the prerequisites I should have before starting the actual configuration of the workflow? Some that I have learned from other threads are:
1) A dedicated MID server for Orchestration
2) The MID Server service on our Windows MID server running under a service account
3) We have Windows 2008 R2
4) I read somewhere that to run PowerShell activities from the MID server for AD commands, we will need the AD cmdlets running on the MID server.
Please let me know if there are any other checks or prerequisites required.
1) What should be the hostname in the Run PowerShell activity (MID server or AD)?
2) What credentials should I use (MID server or AD)? I read we have to pass some -cred in the PowerShell commands as well. How do I achieve this?
Thanks,
Ishan
Labels: Scripting and Coding
‎11-13-2015 06:15 AM
Sounds like you have a pretty good idea of what's involved, but you can also check out the wiki.
Orchestration - ServiceNow Wiki
‎11-13-2015 07:55 AM
Ishan,
To start with, we created a service account in Active Directory that had permissions to create and update accounts/groups. This service account is used to run the MID Server service on the MID server. In ServiceNow, on the Configuration Parameters related list on the MID server record, set mid.powershell.use_credentials to false. Then you will not have to pass credentials through your PowerShell code; the MID server will automatically use the service account credentials. This works very well when your security team shudders at the idea of passing any kind of credentials.
The hostname field on the Run PowerShell activity should be the IP address of your MID server. In my workflows, I set up a Run Script activity at the beginning and run this code:
// Identify the default Orchestration MID server and save its IP address on the scratchpad
var midName = gs.getProperty('mid.server.rba_default');
var midIP = new GlideRecord('ecc_agent');
if (midIP.get('name', midName)) {
    workflow.scratchpad.resolved_ip = midIP.ip_address;
} else {
    gs.log('No MID server record found for ' + midName);
}
This will identify the default MID server in your Orchestration setup properties, query the MID server record, return the IP address and save it on the scratchpad.
Set the hostname field on the Run PowerShell activity to:
${workflow.scratchpad.resolved_ip}
Hope this helps get you started.
Regards,
Chad
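One way to write the script behind the Run PowerShell activity Chad describes (add or remove one member of one group, idempotently, against a chosen domain controller, and verify the result). This is an added example, not code from this thread or from ServiceNow; the ActiveDirectory module, the group, user and DC names, and the parameter names are assumptions.

```powershell
<#
  Added example, not code from this thread or from ServiceNow.
  Assumes: the RSAT ActiveDirectory module is installed on the MID server, and
  the account running the script (the MID service account when
  mid.powershell.use_credentials is false) can write the target group's
  "member" attribute. Group, user and DC names below are placeholders.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action,
    [Parameter(Mandatory)][string]$GroupName,          # e.g. 'App-Admins' (placeholder)
    [Parameter(Mandatory)][string]$MemberSam,          # e.g. 'jdoe' (placeholder)
    [string]$GroupServer  = 'dc01.example.net',        # assumed DC in the group's domain
    [string]$MemberServer = $null,                     # DC in the member's domain, if different
    [pscredential]$Credential                          # optional; omit when the service account has rights
)

Import-Module ActiveDirectory -ErrorAction Stop

# Splat the connection parameters so every cmdlet targets the same DC (and the
# same credential, if one was supplied). Using one DC for the write and the
# read-back avoids a false failure caused by replication lag.
$groupCtx = @{ Server = $GroupServer; ErrorAction = 'Stop' }
if ($Credential) { $groupCtx.Credential = $Credential }
$memberCtx = $groupCtx.Clone()
if ($MemberServer) { $memberCtx.Server = $MemberServer }

try {
    # Resolve both objects first so a typo fails loudly instead of silently doing nothing.
    $user  = Get-ADUser  -Identity $MemberSam @memberCtx
    $group = Get-ADGroup -Identity $GroupName -Properties member @groupCtx

    # Read the 'member' attribute directly rather than calling Get-ADGroupMember,
    # which fails on foreign security principals from trusted domains and on large groups.
    $isMember = $group.member -contains $user.DistinguishedName

    switch ($Action) {
        'Add' {
            if ($isMember) {
                Write-Output "NOOP: $MemberSam is already a member of $GroupName"
            } else {
                Add-ADGroupMember -Identity $group -Members $user -Confirm:$false @groupCtx
            }
        }
        'Remove' {
            if (-not $isMember) {
                Write-Output "NOOP: $MemberSam is not a member of $GroupName"
            } else {
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false @groupCtx
            }
        }
    }

    # Verify from the same DC and emit one parseable line for the workflow to check.
    $after    = (Get-ADGroup -Identity $group -Properties member @groupCtx).member -contains $user.DistinguishedName
    $expected = ($Action -eq 'Add')
    if ($after -ne $expected) {
        throw "Post-change check failed: membership of $MemberSam in $GroupName is $after"
    }
    Write-Output "OK: $Action $MemberSam $GroupName member=$after"
}
catch {
    Write-Error $_
    exit 1
}
```

Invoke it from the activity as, for example, `.\Set-GroupMembership.ps1 -Action Add -GroupName App-Admins -MemberSam jdoe` (file and values are placeholders). With mid.powershell.use_credentials set to false, leave -Credential unset so no secret is carried in the workflow; the cmdlets run as the MID service account. For the multi-domain case, point -MemberServer at a DC in the member's own domain and -GroupServer at a DC in the group's domain; Active Directory only allows that when the group is domain local or universal, since a global group accepts members from its own domain only. Whatever account does the writes, delegate it write access to the "member" attribute on the specific groups or OU it manages rather than making it a Domain Admin, so a compromised MID server cannot change arbitrary group membership.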
‎11-16-2015 03:35 AM
Hi chadlockwood,
Thanks for your reply!
I have a $ account for our MID server (running on our .NET domain; note we have three domains: .NET, .BIZ and .INT) and tried running the Run PowerShell activity with a simple group-membership query, and it gave me the desired results. I didn't use the AD service account, but it still worked. Maybe my $ account also has rights on AD, I guess.
Now I also have a service account created in our QA environment of AD (which is in the QA domain) with all the permissions required to create/update accounts/groups.
Regarding mid.powershell.use_credentials, which you mentioned, I have a query: how shall I manage multiple domains as described in the paragraph above? Do I need to have a MID server installed in each of these domains (i.e. three MID servers), or can I use one MID server (which is on the .NET domain) and leverage it for the other domains as well?
I have already set up the default MID server in the Orchestration properties, and I used that IP in my Run PowerShell activity and it worked fine.
So basically I have started with the desired result, but I am just curious whether I am going in the right direction, considering we have multiple domains.
Thanks,
Ishan Parikh
‎11-16-2015 07:24 AM
To add to my questions above:
1) Do we also need the MID server to be installed on each AD server for each domain (.NET, .INT and .BIZ)?
I am a little confused about the multiple-domain architecture with the ServiceNow MID server.
Thanks,
Ishan Parikh