To add/remove users into an Active Directory group
‎11-13-2015 02:07 AM
Hi All,
I have started doing a POC on Orchestration with Active Directory.
My knowledge of Orchestration is limited to the wiki information I have gone through, and I have only naive knowledge of Active Directory configuration or of enabling it with Orchestration.
I would like to start my POC with the following activity or task for AD Orchestration:
1) Automating adding or removing members to/from an Active Directory group from a service catalog.
What are the prerequisites that I should have before starting the actual configuration of the workflow? Some that I have learnt from other threads are:
1) A dedicated MID Server for Orchestration
2) The MID Server service on our Windows MID Server running under a service account
3) We have Windows 2008 R2
4) I read somewhere that to run PowerShell activities from the MID Server for AD commands we will need the AD cmdlets on the MID Server.
Please let me know if there are any other checks or prerequisites required.
1) What should be the hostname in the Run PowerShell activity (MID Server or AD)?
2) What credentials should I use (MID Server or AD)? I read we have to pass some -cred in PowerShell commands as well. How do I achieve this?
Thanks,
Ishan
Labels: Scripting and Coding
‎11-17-2015 07:55 AM
Not at all. We all start somewhere.
I believe you will need to set your service account as a local admin on your MID server before it will be allowed to run the MID server service.
On your MID server, open Services.
Scroll down the list until you find your ServiceNow MID Server service.
Double-click the service to open the Properties dialog.
Click the Log On tab.
Select This account and enter the AD credentials that have rights.
Click OK to apply the change.
Right-click the ServiceNow MID server service and select Restart.
At this point it will either restart successfully, or fail. If it fails, and you haven't already made the service account a local admin on the server, do that now and try restarting the service again.
Once the MID Server service is running with your service account credentials, try running your workflow again.
Regards,
Chad
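The Services-console change described in the reply above, scripted so it can be repeated on every MID server. This is an added example, not code from the thread or from ServiceNow; the service name 'snc_mid' and the account 'CORP\svc_mid' are placeholders (the real service name depends on how the MID Server was installed), and it assumes it is run in an elevated PowerShell session on the MID server host.

```powershell
# Added example (not from the thread): put the MID Server service under a domain
# service account, following the steps in the reply. Placeholders: 'snc_mid' for the
# service name, 'CORP\svc_mid' for the account. Run elevated on the MID server.
param(
    [string]$ServiceName    = 'snc_mid',
    [string]$ServiceAccount = 'CORP\svc_mid'
)

# Get-WmiObject rather than Get-CimInstance so this also works on the PowerShell 2.0
# that ships with Windows 2008 R2.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME" }

# 1. Local Administrators membership, which the reply says the service needs.
#    The WinNT ADSI provider is used because Add-LocalGroupMember does not exist on 2008 R2.
$domain, $user = $ServiceAccount -split '\\', 2
$admins  = [ADSI]"WinNT://./Administrators,group"
$members = @($admins.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($members -notcontains $user) {
    $admins.Add("WinNT://$domain/$user,user")
    "Added $ServiceAccount to the local Administrators group"
}

# 2. Log On account (the "This account" radio button in the Services console).
#    Prompt for the password instead of embedding it in the script.
$cred   = Get-Credential $ServiceAccount
$result = $svc.Change($null, $null, $null, $null, $null, $null,
                      $ServiceAccount, $cred.GetNetworkCredential().Password)
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)" }

# 3. Restart and confirm the service is running under the new identity.
Restart-Service -Name $ServiceName -ErrorAction Stop
Get-WmiObject Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, State, StartName
```

One difference from the console: the Services MMC snap-in grants the account the "Log on as a service" right when you set it on the Log On tab, whereas Win32_Service.Change does not. If the restart in step 3 fails with a logon failure, grant that right under Local Security Policy (User Rights Assignment) before trying the restart again.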
‎11-17-2015 10:46 AM
Hi chadlockwood,
Thanks, I will try the above steps once I am in the office again tomorrow. My remote access is not working somehow. I will update you on that.
But I suspect that we have federated domains; to give the DC's service account access on my MID Server as a local admin, I believe that is required?
I will check with the AD guy whether I can use the same service account from that DC on my MID Server as a local admin, if federation permits.
Any thoughts you have on this area?
Thanks,
Ishan Parikh
‎04-25-2022 05:11 PM
There seems to be a limitation in Integration Hub where it expects the MID to be in the desired domain.
<#####################
# Add AD user account to Group
#
# getADObject and the SNCLog-* functions are helpers supplied by the MID Server's
# Active Directory PowerShell script library (assumed to be loaded by the activity).
######################>
function addADUserAccountToGroup {
    param([string]$domainController, [string]$username, [string]$groupname, [boolean]$useCred, [System.Management.Automation.PSCredential]$credential)
    SNCLog-ParameterInfo @("Running addADUserAccountToGroup", $domainController, $username, $groupname)
    # Resolve both objects on the DC configured in the spoke connection, using the
    # spoke credential when $useCred is set (ADSI bind, no AD cmdlets involved)
    $userObject = getADObject -domainController $domainController -type "User" -objectName $username -useCred $useCred -credential $credential
    $groupObject = getADObject -domainController $domainController -type "Group" -objectName $groupname -useCred $useCred -credential $credential
    # IADsGroup::Add takes the new member's LDAP path
    $groupObject.add("LDAP://" + $userObject.distinguishedName)
    if (-not $?) {
        SNCLog-DebugInfo "`tFailed to add $username account to $groupname group, $error"
    }
}
The domain controller is configured in the spoke's connection. It looks like it expects the MID's domain and the destination domain to be the same or to have a trust. Sadly, this is not always the case.
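A self-contained version of the same operation, added here as an example and not code from the thread or from ServiceNow's AD activity pack. It uses plain ADSI (System.DirectoryServices), so it needs neither the AD cmdlets nor the MID Server helper functions (getADObject, SNCLog-*), and it answers the two questions in the opening post: the Run PowerShell activity targets the MID server itself, the DC is just a parameter, and the credential is not a -Credential switch but the user name and password handed to the DirectoryEntry constructor. Everything is bound explicitly to the named DC, so whether it works across untrusted domains depends only on whether that DC accepts the supplied credential over LDAP (an assumption, not something the thread confirms). The domain controller, user, group and account names are placeholders.

```powershell
# Added example, not code from the thread or from ServiceNow.
# Adds or removes a user from an AD group with ADSI, binding to a named DC with
# explicit credentials. All names in the usage line are placeholders.

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping so a value typed into a catalog form cannot rewrite the
    # LDAP filter (LDAP injection). The backslash must be escaped first.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function New-LdapEntry {
    # ADSI has no -Credential switch: user name and password go into the constructor.
    # Omit -Credential to bind as the account the MID Server service runs under.
    param([string]$Path, [System.Management.Automation.PSCredential]$Credential)
    if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry(
            $Path, $Credential.UserName, $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($Path)
    }
}

function Find-AdEntry {
    # DirectoryEntry for the single object matching $LdapFilter under $BaseDn on $DomainController.
    param([string]$DomainController, [string]$BaseDn, [string]$LdapFilter,
          [System.Management.Automation.PSCredential]$Credential)
    $root     = New-LdapEntry -Path "LDAP://$DomainController/$BaseDn" -Credential $Credential
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter, [string[]]@('distinguishedName'))
    $hit      = $searcher.FindOne()
    if (-not $hit) { throw "No object on $DomainController matched $LdapFilter" }
    # A '/' inside a DN is a path separator to the ADSI parser, so escape it in the LDAP path.
    $dn = $hit.Properties['distinguishedname'][0] -replace '/', '\/'
    # Re-bind explicitly with the same credentials instead of relying on GetDirectoryEntry().
    New-LdapEntry -Path "LDAP://$DomainController/$dn" -Credential $Credential
}

function Set-AdGroupMembership {
    param(
        [Parameter(Mandatory=$true)][string]$DomainController,   # placeholder, e.g. dc01.corp.example
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$GroupName,
        [Parameter(Mandatory=$true)][ValidateSet('Add','Remove')][string]$Action,
        [System.Management.Automation.PSCredential]$Credential
    )
    # RootDSE gives the domain's default naming context; binding to it also fails
    # fast if the DC is unreachable or the credential is rejected.
    $rootDse = New-LdapEntry -Path "LDAP://$DomainController/RootDSE" -Credential $Credential
    $baseDn  = $rootDse.Properties['defaultNamingContext'].Value

    $userFilter  = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $SamAccountName)))"
    $groupFilter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $GroupName)))"
    $user  = Find-AdEntry $DomainController $baseDn $userFilter  $Credential
    $group = Find-AdEntry $DomainController $baseDn $groupFilter $Credential

    $userDn   = $user.Properties['distinguishedName'].Value
    $isMember = @($group.Properties['member']) -contains $userDn   # direct members only

    switch ($Action) {
        'Add' {
            if ($isMember) { return "$SamAccountName is already a member of $GroupName" }
            [void]$group.Properties['member'].Add($userDn)
        }
        'Remove' {
            if (-not $isMember) { return "$SamAccountName is not a direct member of $GroupName" }
            $group.Properties['member'].Remove($userDn)
        }
    }
    $group.CommitChanges()   # nothing is written to the DC until here
    "$Action of $SamAccountName for $GroupName on $DomainController succeeded"
}

# Usage from a Run PowerShell activity whose host is the MID server (placeholder names):
# Set-AdGroupMembership -DomainController 'dc01.corp.example' -SamAccountName 'jdoe' `
#     -GroupName 'App-Admins' -Action Add -Credential (Get-Credential 'CORP\svc_adwrite')
```

Two caveats for production use: the membership check reads the group's member attribute, which AD returns in ranges of 1500 for very large groups, so the "already a member" short-circuit is only reliable for groups below that size; and because the catalog value ends up inside an LDAP filter, keep the escaping function in place rather than interpolating the raw input.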