NOTE: MY POSTINGS REFLECT MY OWN VIEWS AND DO NOT NECESSARILY REPRESENT THE VIEWS OF MY EMPLOYER
ServiceNow offers powerful out-of-the-box (OOB) capabilities for orchestrating Active Directory related tasks.
One of the most widely used AD activities is "Add user to group", used for group membership management.
ServiceNow AD orchestration has a "MID Server Script Files" module under which one can find all the MID server scripts that perform the various orchestration activities.
Below is the code snippet from the "AddUserToADGroup.ps1" PowerShell script file, which is responsible for adding an AD user to an AD group.
import-module "$executingScriptDirectory\AD\ActiveDirectory"
#ActiveDirectory is the powershell module containing all the AD related functions
if (test-path env:\SNC_groupname) {
$groupname = $env:SNC_groupname;
$username = $env:SNC_username;
};
SNCLog-ParameterInfo @("Running AddUserToADGroup", $groupname, $username)
addADUserAccountToGroup -domainController $computer -username $username -groupname $groupname -useCred $useCred -credential $cred
#Here, it provides the parameter -domainController which takes only single domain as an input
#Assumption here is that both group and user objects belongs to the same domain
#This line of code calls the function "addADUserAccountToGroup" stored in ActiveDirectory module
This works well; however, it cannot add an AD user object from one domain to an AD group object in another domain. In short, cross-domain group membership functionality is missing.
This problem is solved by adding an extra parameter that accepts a second domain controller. The original parameter can then be used to hold the group's domain controller and the new one the user's domain controller, or vice versa.
import-module "$executingScriptDirectory\AD\ActiveDirectoryCustom"
# Added the custom function addADUserAccountToGroupCrossDomain to the custom AD module
# The custom function addADUserAccountToGroupCrossDomain could have been added to the OOB AD module ActiveDirectory; however,
# that would have caused upgrade issues if the OOB module changes in a later release
if (test-path env:\SNC_groupname) {
$groupname = $env:SNC_groupname;
$username = $env:SNC_username;
# The extra activity input variable must be read here as well; SNC_userdomaincustom is an assumed name, the post does not state it
$userdomaincustom = $env:SNC_userdomaincustom;
};
SNCLog-ParameterInfo @("Running AddUserToADGroup", $groupname, $username)
#addADUserAccountToGroupCrossDomain is the custom function created with the additional parameter "userdomaincustom"
addADUserAccountToGroupCrossDomain -userdomaincustom $userdomaincustom -domainController $computer -username $username -groupname $groupname -useCred $useCred -credential $cred
Below is the snippet of the custom module with our custom function addADUserAccountToGroupCrossDomain. Once this function is added, the MID Server needs to be restarted in order to push the MID Server Script file to the directory under which all the script modules are maintained, in this case "$executingScriptDirectory\AD".
function addADUserAccountToGroup {
param([string]$domainController, [string]$username, [string]$groupname, [boolean]$useCred, [System.Management.Automation.PSCredential]$credential)
SNCLog-ParameterInfo @("Running addADUserAccountToGroup", $domainController, $username, $groupname)
$userObject = getADObject -domainController $domainController -type "User" -objectName $username -useCred $useCred -credential $credential
$groupObject = getADObject -domainController $domainController -type "Group" -objectName $groupname -useCred $useCred -credential $credential
$groupObject.add("LDAP://"+$userObject.distinguishedName);
if (-not $?) {
SNCLog-DebugInfo "`tFailed to add $username account to $groupname group, $error"
}
}
<#####################
# Add AD user account to Group Custom
# This is the custom function added inside the custom ActiveDirectory script module
#####################>
function addADUserAccountToGroupCrossDomain {
param([string]$userdomaincustom , [string]$domainController , [string]$username, [string]$groupname, [boolean]$useCred, [System.Management.Automation.PSCredential]$credential)
SNCLog-ParameterInfo @("Running addADUserAccountToGroupCrossDomain", $userdomaincustom, $domainController, $username, $groupname)
$userObject = getADObject -domainController $userdomaincustom -type "User" -objectName $username -useCred $useCred -credential $credential
$groupObject = getADObject -domainController $domainController -type "Group" -objectName $groupname -useCred $useCred -credential $credential
$groupObject.add("LDAP://"+$userObject.distinguishedName);
if (-not $?) {
SNCLog-DebugInfo "`tFailed to add $username (from $userdomaincustom) to $groupname group (on $domainController), $error"
}
}
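As an added example (not part of the original post or ServiceNow's module), here is a more defensive version of the cross-domain function: it checks that both lookups succeeded before calling .add(), refuses global groups (which cannot hold members from another domain), skips users that are already members, and returns a status the calling script can act on. It assumes the module's getADObject returns $null when an object is not found and that the SNCLog-* helpers behave as in the snippets above.

```powershell
# Added example, not the post's or ServiceNow's code. Assumes the module's getADObject returns an
# ADSI entry or $null, and that SNCLog-ParameterInfo / SNCLog-DebugInfo exist as in the snippets above.
function addADUserAccountToGroupCrossDomainChecked {
    param(
        [Parameter(Mandatory)][string]$userdomaincustom,   # domain controller of the user's domain
        [Parameter(Mandatory)][string]$domainController,   # domain controller of the group's domain
        [Parameter(Mandatory)][string]$username,
        [Parameter(Mandatory)][string]$groupname,
        [boolean]$useCred,
        [System.Management.Automation.PSCredential]$credential
    )
    SNCLog-ParameterInfo @("Running addADUserAccountToGroupCrossDomainChecked", $userdomaincustom, $domainController, $username, $groupname)

    $userObject  = getADObject -domainController $userdomaincustom -type "User"  -objectName $username  -useCred $useCred -credential $credential
    $groupObject = getADObject -domainController $domainController -type "Group" -objectName $groupname -useCred $useCred -credential $credential

    # Fail closed: never call .add() on a missing object, which otherwise surfaces only as a vague $error entry.
    if (-not $userObject)  { SNCLog-DebugInfo "`tUser $username not found via $userdomaincustom"; return $false }
    if (-not $groupObject) { SNCLog-DebugInfo "`tGroup $groupname not found via $domainController"; return $false }

    # Only domain local (0x4) and universal (0x8) groups may hold members from another domain;
    # a global group (0x2) cannot, so refuse early with a clear log line instead of an LDAP error.
    $GLOBAL_GROUP = 0x2
    $groupType = [int]($groupObject.groupType | Select-Object -First 1)
    if ($groupType -band $GLOBAL_GROUP) {
        SNCLog-DebugInfo "`tGroup $groupname is a global group and cannot contain cross-domain members"
        return $false
    }

    $userDn = [string]$userObject.distinguishedName
    # Idempotency: adding an existing member raises an error, so check membership first.
    if ($groupObject.IsMember("LDAP://$userDn")) {
        SNCLog-DebugInfo "`t$username is already a member of $groupname"
        return $true
    }

    try {
        $groupObject.add("LDAP://$userDn")
        SNCLog-ParameterInfo @("Added", $userDn, "to group", $groupname)
        return $true
    } catch {
        SNCLog-DebugInfo "`tFailed to add $username to $groupname, $($_.Exception.Message)"
        return $false
    }
}
```

The credential passed in must have write access to the group's member attribute in the group's domain; the user's domain only needs to be readable for the lookup.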
Once all these changes are done, one can create a custom activity under the Orchestration module and call this updated MID server script file. With all these changes, adding a user to a group in another domain can be achieved 🙂