Script in AD group added

aggarwaltan

Write a script in ServiceNow so that, when a new account is created, the AD groups that exist for the user's organization, plus the AD groups required by any other applications that person needs access to, are all added to the user's profile at the time the account is created for that particular user.

Based on the above, improve the script so that, if the user requires access to some applications at ID creation, the AD groups for those applications are also added.


dbook

Is this for On Prem AD or Azure AD (Entra)?

 

In the first instance I would look at using OOB features for this; both of the below could help, but they require IH licensing.

If On Prem, you could take advantage of the Microsoft Active Directory v2 Spoke.
If Entra, you could take advantage of the Microsoft Entra ID Spoke (formerly the Microsoft Azure Active Directory spoke).


aggarwaltan

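/**
 * Script include that grants a sys_user the groups mapped to their
 * department (u_ad_group_mapping) and to each application they requested
 * (u_application_ad_group_mapping), inserting sys_user_grmember rows.
 *
 * NOTE(review): membership is granted purely from what the two mapping
 * tables and the user's u_requested_applications field contain; any
 * approval must already have happened before those values are set, and
 * write access to the mapping tables effectively decides who receives
 * which group — confirm their ACLs match that intent.
 */
var UserAutoGroupAssignment = Class.create();
UserAutoGroupAssignment.prototype = {
    initialize: function() {},

    /**
     * Entry point: grants the user every group mapped to their department
     * and to each application they requested.
     *
     * @param {string} userSysId - sys_id of the sys_user record.
     * @returns {void} Logs an error and returns if the user does not exist.
     */
    assignGroupsToUser: function(userSysId) {
        var user = new GlideRecord('sys_user');
        if (!user.get(userSysId)) {
            gs.error('User not found: ' + userSysId);
            return;
        }

        this.assignDepartmentBasedGroups(user);
        this.assignApplicationBasedGroups(user);
    },

    /**
     * Adds the user to every group mapped to their department in
     * u_ad_group_mapping.
     *
     * @param {GlideRecord} user - loaded sys_user record.
     */
    assignDepartmentBasedGroups: function(user) {
        // getValue() yields the raw string. Testing the GlideElement itself
        // (user.department) is always truthy, so an empty department was
        // never detected by the previous check.
        var department = user.getValue('department');
        if (!department) {
            gs.warn('User has no department defined: ' + user.name);
            return;
        }

        this._assignMappedGroups(user, 'u_ad_group_mapping', 'u_department', department);
    },

    /**
     * Adds the user to every group mapped to each requested application in
     * u_application_ad_group_mapping.
     *
     * @param {GlideRecord} user - loaded sys_user record.
     */
    assignApplicationBasedGroups: function(user) {
        // u_requested_applications is assumed to be a List field: getValue()
        // returns its comma-separated sys_ids as a plain string. The
        // GlideElement has no split() and is always truthy, so the raw value
        // is required both for the empty check and for splitting.
        var apps = user.getValue('u_requested_applications');
        if (!apps) {
            gs.info('No application access requested for user: ' + user.name);
            return;
        }

        var appList = apps.split(',');
        for (var i = 0; i < appList.length; i++) {
            var appId = appList[i].trim();
            // Skip blanks (e.g. a trailing comma): querying u_application=''
            // would otherwise match mapping rows with no application set.
            if (!appId) {
                continue;
            }
            this._assignMappedGroups(user, 'u_application_ad_group_mapping', 'u_application', appId);
        }
    },

    /**
     * Shared lookup used by both assign* methods: reads every row of a
     * mapping table whose key field equals keyValue and adds the user to
     * that row's u_ad_group.
     *
     * @param {GlideRecord} user - loaded sys_user record.
     * @param {string} table - mapping table name.
     * @param {string} keyField - field on the mapping table to match.
     * @param {string} keyValue - value the key field must equal.
     */
    _assignMappedGroups: function(user, table, keyField, keyValue) {
        var mappingGR = new GlideRecord(table);
        mappingGR.addQuery(keyField, keyValue);
        mappingGR.query();

        while (mappingGR.next()) {
            var groupSysId = mappingGR.getValue('u_ad_group');
            if (groupSysId) {
                this.addUserToADGroup(user.getUniqueValue(), groupSysId);
            }
        }
    },

    /**
     * Inserts a sys_user_grmember row for the user/group pair unless one
     * already exists.
     *
     * @param {string} userSysId - sys_id of the sys_user.
     * @param {string} groupSysId - sys_id of the sys_user_group.
     */
    addUserToADGroup: function(userSysId, groupSysId) {
        // An empty value would otherwise query/insert a membership with a
        // blank reference.
        if (!userSysId || !groupSysId) {
            gs.warn('addUserToADGroup called with empty user or group: ' + userSysId + ' / ' + groupSysId);
            return;
        }

        var userGroup = new GlideRecord('sys_user_grmember');
        userGroup.addQuery('user', userSysId);
        userGroup.addQuery('group', groupSysId);
        userGroup.query();

        if (userGroup.hasNext()) {
            gs.info('User already in group: ' + groupSysId);
            return;
        }

        var newMembership = new GlideRecord('sys_user_grmember');
        newMembership.initialize();
        newMembership.setValue('user', userSysId);
        newMembership.setValue('group', groupSysId);
        // insert() returns the new sys_id, or null when the insert is rejected
        // (e.g. by a business rule or ACL); the old code logged success regardless.
        var membershipId = newMembership.insert();
        if (!membershipId) {
            gs.error('Failed to add user ' + userSysId + ' to group: ' + groupSysId);
            return;
        }

        gs.info('User ' + userSysId + ' added to AD Group: ' + groupSysId);
    },

    type: 'UserAutoGroupAssignment'
};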

Please make changes to this script if anything is required.