‎10-09-2014 06:59 AM
Hey guys, I've set up orchestration to add a user to a group in AD but am getting weird errors.
I have verified the following:
1) I am using the correct DC
2) The group and the account both exist which I'm using
3) The service account under which my MID server service is running has sufficient rights to add the user I'm testing with to the group I'm testing with. (I used ADUC and was able to manually add the account to the group.)
Yet, even trying two different ways, I still get the same error.
The first way I tried was using a Run - Powershell activity:
Add-ADGroupMember -Identity "group SAM Name" -Members "user SAM Name"
The second way was using what Chris posted:
Unfortunately, the error I'm getting is:
Authentication failure with the local MID server service credential.
Failed to access target system. Please check credentials and firewall settings on the target system to ensure accessibility: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Any suggestions are appreciated. I'm not sure why I'm getting access denied. The account has the proper authority; I even logged in as that account and was able to update AD. I can still query AD, just not update it. For instance, if I put in a check to see if an account is locked or not, that works.
‎10-15-2014 02:39 PM
Holy cow that worked.
Okay, I'll try to update my blog on how to get all this to work when I get time. Thanks for all the help guys, it is much easier now that we have PowerShell version 2!!!
‎02-24-2017 01:51 AM
Thanks Gary! Will try this and let you know.
‎08-14-2015 06:05 AM
Hi Gary,
How did you solve this problem? I am trying to add/remove a user to/from a group. I am getting the same authentication error.
Regards,
ND
‎08-20-2015 07:41 AM
Hello ND,
We are using a PowerShell script to add or remove a user from a group. It works for several requests we have developed. The key piece is the Confirm and Credential parameters.
Run PowerShell
Hostname: ${workflow.scratchpad.domain}
Command:
# Scratchpad values are substituted by the activity before the script runs.
Import-Module ActiveDirectory
$GrpDL = '${workflow.scratchpad.groupname}'
$DLMem = '${workflow.scratchpad.username}'
# $cred is the Orchestration credential the activity supplies; -Confirm:$false suppresses the prompt.
Get-ADGroup -Identity $GrpDL | Add-ADGroupMember -Members $DLMem -Confirm:$false -Credential $cred
Jim
‎08-20-2015 09:04 AM
Hi Jim,
Thanks for the response. I did almost the same and am getting an Access Denied issue. The AD admin is trying to give me access to execute the script. Meanwhile I have a couple of questions:
(1) I have added the credentials provided initially for this setup into the Credential table. I am expecting the PowerShell script to pick the username/password from the credential table. I hope I am correct, or do I need to add -credential "Orch_user" at the end of the command? Currently I am not using this, expecting the system to try the whole user credential table.
(2) Could you please tell me what username and group name this script will accept? Is it going to take the normal display name or does it need some other name? Could you please provide me one example each for username and group name.
Regards,
N.Dubey
‎08-20-2015 11:47 AM
ND,
Some of this Orchestration is like magic to me, but I will explain how I see it working.
We set up Orchestration > Credentials called Orchestration Prod AD. This credential has the user name and password that is used to update Active Directory. This user is the same user that is used for LDAP. All users come in via LDAP. Our MID server is defined here as well. Yes, you must add -Cred but the user is not needed.
In the workflow(s):
workflow.scratchpad.domain is the AD IP address "99.99.99.999";
workflow.scratchpad.username is the sys_user field name. Example "JPC";
workflow.scratchpad.groupname is the AD group. Example "group_vpn".
Both JPC and group_vpn must be in Active Directory.
Jim
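A fuller version of the Run PowerShell command body Jim describes, added here as an example (it is not Jim's script and not ServiceNow's own code). It assumes what his script assumes: the activity substitutes the three ${workflow.scratchpad.*} values before execution and exposes the chosen Orchestration credential as the PSCredential $cred; it further assumes the username and group name are sAMAccountNames and that the domain value is usable as a -Server target (both assumptions, since the thread only shows the Hostname field). Beyond the original four-line command it resolves both objects first so a bad name fails with a lookup error rather than an access error, is idempotent on re-runs, and on failure reports both the process identity and the credential's user name, which is the distinction behind the "local MID server service credential" error at the top of the thread.

```powershell
# Added example, not the thread's or ServiceNow's code. Assumes $cred is the
# PSCredential supplied by the Run PowerShell activity (as in Jim's script), that
# scratchpad values are substituted before execution, that names are
# sAMAccountNames, and that the domain value is accepted by -Server.
Import-Module ActiveDirectory -ErrorAction Stop

$server    = '${workflow.scratchpad.domain}'
$groupName = '${workflow.scratchpad.groupname}'
$userName  = '${workflow.scratchpad.username}'

# Which Windows identity is the script actually running under? If the activity
# is not passing the Orchestration credential, AD sees the MID server service
# account instead, which is the usual source of an unexpected "Access is denied".
$runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Process identity: $runAs; AD operations as: $($cred.UserName)"

# Reject empty or malformed scratchpad input before touching the directory.
foreach ($v in @($server, $groupName, $userName)) {
    if ([string]::IsNullOrWhiteSpace($v) -or $v -match '[\r\n]') {
        throw "Invalid scratchpad value: '$v'"
    }
}

try {
    # Resolve both objects with the same credential and DC so a typo (or a
    # display name where a sAMAccountName is expected) fails here, clearly.
    $group = Get-ADGroup -Identity $groupName -Server $server -Credential $cred -ErrorAction Stop
    $user  = Get-ADUser  -Identity $userName  -Server $server -Credential $cred -ErrorAction Stop

    # Idempotent: a re-run of the workflow must not error on an existing member.
    $already = Get-ADGroupMember -Identity $group -Server $server -Credential $cred -ErrorAction Stop |
               Where-Object { $_.distinguishedName -eq $user.DistinguishedName }
    if ($already) {
        Write-Output "OK: $($user.SamAccountName) is already a member of $($group.SamAccountName)"
        return
    }

    Add-ADGroupMember -Identity $group -Members $user -Server $server -Credential $cred `
                      -Confirm:$false -ErrorAction Stop
    Write-Output "OK: added $($user.SamAccountName) to $($group.SamAccountName) on $server"
}
catch {
    $msg = $_.Exception.Message
    if ($_.Exception -is [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]) {
        # Lookup failed: wrong name format or wrong DC, not a permissions problem.
        throw "Lookup failed on $server : $msg"
    }
    # Anything else (including "Access is denied"): say which identity AD was
    # asked to use and which identity the process holds, so the two can be compared
    # against the ACL on the group ("Write Members" is the right needed).
    throw "Group update failed as $($cred.UserName) (process identity $runAs): $msg"
}
```

Paste it into the Command field of the activity in place of the four-line script; the output lines surface in the activity's result, and the first of them tells you immediately whether the MID service account or the Orchestration credential is the one AD is rejecting.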