Orchestration - Add user to AD Group getting Authentication Errors

garyopela
ServiceNow Employee

Hey guys, I've set up orchestration to add a user to a group in AD but am getting weird errors.

I have verified the following:

1) I am using the correct DC

2) The group and the account which I'm using both exist

3) The service account under which my MID server service is running has sufficient rights to add the user I'm testing with to the group I'm testing with. (I used ADUC and was able to manually add the account to the group.)

Yet, even trying two different ways, I still get the same error.


The first way I tried was using a Run PowerShell activity:

Add-ADGroupMember -Identity "group SAM Name" -Members "user SAM Name"


The second way was using what Chris posted:

ServiceNOW RBA (Orchestration) — Add an Active Directory user to an AD group — workflow activity. | ...


Unfortunately, the error I'm getting is:


Authentication failure with the local MID server service credential.


Failed to access target system. Please check credentials and firewall settings on the target system to ensure accessibility: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))


Any suggestions are appreciated. I'm not sure why I'm getting access denied. The account has the proper authority; I even logged in as that account and was able to update AD. I can still query AD, just not update. For instance, if I put in a check to see if an account is locked or not, that works.

1 ACCEPTED SOLUTION

garyopela
ServiceNow Employee

Holy cow that worked.

Okay, I'll try to update my blog on how to get all this to work when I get time. Thanks for all the help guys, it is much easier now that we have PowerShell version 2!!!


22 REPLIES

Kreg Steppe
ServiceNow Employee

What hostname are you using? Sometimes if you put another AD server in there it may kick it out as not having permissions because you are trying to run PowerShell on another host. Try putting the mid server hostname in the Hostname field on the Activity, if you are not already.

Oh, I was putting my domain controller as the hostname. I didn't think that was wanting my MID server.

ewilliams
ServiceNow Employee

Did you provide the -Credential $Cred option when doing Add-ADGroupMember? If you do not pass in the credentials it will run the command as the same user the MID server is running as.

Here is an example from a similar workflow I recently did:

Add-ADGroupMember -Identity "${workflow.scratchpad.ADGroup}" -Members "${workflow.scratchpad.distinguishedName}" -Credential $Cred

For more information on the $Cred credential object here is a Wiki article: Orchestration PowerShell Activities - ServiceNow Wiki

You will need to make sure the credential for the user that has the proper AD permissions is on your Credentials table.

You can also hardcode in a credential for testing by creating your own credential object and passing that in using the -Credential flag. You will need to encode the password when you create the object. Here is a link describing how to create your own credential object: http://blogs.msdn.com/b/koteshb/archive/2010/02/13/powershell-creating-a-pscredential-object.aspx. This is useful for testing a specific credential to make sure it is working if you want to confirm a specific credential has the necessary permissions.
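An added example (not from ewilliams' post or the ServiceNow activity) that shows the two points above in one test script: print the identity the script actually runs as when -Credential is omitted, build an explicit PSCredential object, prove it can read before attempting the write, and verify the result. The account name, group, user and DC hostname are placeholders; the password is read at the prompt so it is never stored in the script.

```powershell
# Added example, not from the original thread. Placeholder values: replace with your own.
Import-Module ActiveDirectory

# Identity Add-ADGroupMember would use if -Credential were omitted
# (on a MID server this is the MID service account).
$runningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Script is running as: $runningAs"

# Build the credential object explicitly (test-only; the Orchestration activity
# supplies $Cred from the Credentials table in real workflows).
$userName  = 'CONTOSO\svc-orch'                                   # placeholder
$securePwd = Read-Host -Prompt "Password for $userName" -AsSecureString
$Cred      = New-Object System.Management.Automation.PSCredential ($userName, $securePwd)

$server    = 'dc01.contoso.local'                                 # placeholder DC
$groupName = 'App-Admins'                                         # placeholder group
$userSam   = 'jdoe'                                               # placeholder user

# Step 1: confirm the credential can bind and read. A read that works while the
# write fails (as in the thread) points at the rights of the *effective* account.
try {
    $user  = Get-ADUser  -Identity $userSam   -Server $server -Credential $Cred -ErrorAction Stop
    $group = Get-ADGroup -Identity $groupName -Server $server -Credential $Cred -ErrorAction Stop
} catch {
    Write-Error "Read as $userName against $server failed: $($_.Exception.Message)"
    return
}

# Step 2: attempt the write with the same explicit credential and report which
# identity was denied, instead of the bare E_ACCESSDENIED from the activity.
try {
    Add-ADGroupMember -Identity $group -Members $user -Server $server -Credential $Cred -ErrorAction Stop
    Write-Output "Added $($user.SamAccountName) to $($group.Name) as $userName"
} catch {
    Write-Error "Write as $userName against $server denied: $($_.Exception.Message)"
    return
}

# Step 3: verify the membership actually landed (pipeline form works on PowerShell 2).
$hit = Get-ADGroupMember -Identity $group -Server $server -Credential $Cred |
       Where-Object { $_.SamAccountName -eq $user.SamAccountName }
if ($hit) { Write-Output 'Membership verified' } else { Write-Warning 'Member not found after add' }
```

Run it interactively on the MID server host first; if step 1 succeeds and step 2 is denied for the explicit account, the problem is the account's write rights on the group, not the MID server's identity.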

garyopela
ServiceNow Employee

The service account under which my MID server process is running is the account that has the credentials to write to AD. Also I tried setting up a credential specifically for this, but neither helped.