
garyopela
ServiceNow Employee

So we are working on rolling out our software request portion of our catalog. We use Configuration Manager to manage the software packages. We use Active Directory Security groups to manage who all can install which software, and we have a self-service website where they can actually install the software once they are allowed access to that software title.


So, with all that out of the way, we needed to manage the users' ability to request the software, for a manager to approve it, and then for the user to be granted access. What better way than to use the Service Catalog! So, my awesome co-worker, Steve Hill, created the catalog section, where a user can go in and request the software.


So I worked on the orchestration piece, which is far from complete, but is functional, so I wanted to post here on how to do it. So, basically, after the RITM workflow gathers the appropriate approval, it would then call an Orchestration Run PowerShell activity to add the user to the group. Now, there is a little setup work to do for that. You will need the sAMAccountName of the user (pretty much the user id from AD) and of the group. You will need to have Orchestration set up with AD credentials. You will need to have selected a default MID Server for orchestration activities. You will need to have set that MID Server's Windows service to run as a user which has the ability to modify Active Directory.

Oh yeah, and one last thing: you need to turn on the Active Directory PowerShell parts on your Windows MID Server (it has to be a Windows MID Server). This is the part which I was missing, so I will show you how to do it:

First, go to Start -> Control Panel -> Programs and Features. On the left side, click "Turn Windows features on or off". You will need to have administrator rights on your Windows MID Server to do this. Next, the Server Manager box should pop up. On the left side, click on "Features" to expand it, then click, on the right-hand side, "Add Features". Next, scroll down to "Remote Server Administration Tools" and expand it. Next, expand "Role Administration Tools". Lastly, expand "AD DS and AD LDS Tools". Finally, make sure to place a checkmark beside "Active Directory module for Windows PowerShell", then click Install. This will enable your Run PowerShell activity to import the ActiveDirectory module.

[screenshot: Server Manager, Add Features, "Active Directory module for Windows PowerShell" checked]

So, now that your server is set up to be able to use the ActiveDirectory module in PowerShell, we need to create the workflow item to actually do the lifting.

So, open your workflow and add in a Run PowerShell activity. It should look similar to this:

[screenshot: Run PowerShell activity placed in the workflow]

Open the Run PowerShell activity. Set the Hostname to the hostname of your MID Server (not to the domain controller). Then for the command, you will have the following:

# Load the AD cmdlets enabled in the previous step
Import-Module ActiveDirectory

# Replace the two placeholders with the group's and the user's sAMAccountName
Add-ADGroupMember -Identity "<enter your group name here>" -Members "<enter the user sAMAccountName here>"

Now, of course, this is hardcoded; you would want to pass the group and user as variables, but that's simple enough.

You can now test your script out, and you should see that the user (the second parameter) is added to the group (the first parameter).

I hope this helps you guys out. It's pretty simple with PowerShell v2. Before v2, it was quite a few lines of code to make this happen.
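As an added example (not Gary's code and not a ServiceNow-supplied script), here is the two-line command above turned into the parameterised version he mentions. The parameter names $GroupName, $UserSam and $Server are assumptions: how the values reach the script depends on how the Run PowerShell activity's inputs are wired up, and the -Server value is only an assumption for the case where the group lives in a different domain. The script checks that both objects exist before touching anything, skips the add if the user is already a member (so re-running the workflow does not fail), verifies the membership after the add, and prints a single status line on success or failure, which is the sort of output a sensor could match on.

```powershell
# Added example, not from the original post. Parameter names, the -Server
# handling and the output tokens (ADDED / ALREADY_MEMBER / FAILED) are all
# assumptions for illustration.
param(
    [Parameter(Mandatory = $true)][string]$GroupName,   # group sAMAccountName
    [Parameter(Mandatory = $true)][string]$UserSam,     # user sAMAccountName
    [string]$Server = ''                                # optional DC or domain name
)

Import-Module ActiveDirectory -ErrorAction Stop

# Only accept plain sAMAccountName-style values from the catalog. This is a
# conservative pattern (assumption); widen it if your naming convention needs it.
$samPattern = '^[A-Za-z0-9 ._-]{1,64}$'
if ($GroupName -notmatch $samPattern -or $UserSam -notmatch $samPattern) {
    Write-Output "FAILED invalid group or user name"
    exit 1
}

# Common arguments for every AD call: fail loudly, and target a specific
# server/domain only when one was supplied.
$adArgs = @{ ErrorAction = 'Stop' }
if ($Server) { $adArgs['Server'] = $Server }

try {
    # Resolve both objects first so a typo fails here with a clear message
    # rather than inside Add-ADGroupMember.
    $group = Get-ADGroup -Identity $GroupName @adArgs
    $user  = Get-ADUser  -Identity $UserSam  @adArgs

    # Idempotency: a second run of the workflow must not error out.
    $already = Get-ADGroupMember -Identity $group @adArgs |
               Where-Object { $_.SamAccountName -eq $user.SamAccountName }
    if ($already) {
        Write-Output "ALREADY_MEMBER $($user.SamAccountName) $($group.SamAccountName)"
        exit 0
    }

    Add-ADGroupMember -Identity $group -Members $user @adArgs

    # Confirm the change is visible before reporting success to the workflow.
    $check = Get-ADGroupMember -Identity $group @adArgs |
             Where-Object { $_.SamAccountName -eq $user.SamAccountName }
    if (-not $check) { throw "membership not visible after add" }

    Write-Output "ADDED $($user.SamAccountName) $($group.SamAccountName)"
    exit 0
}
catch {
    # Any AD error (unknown object, insufficient rights, unreachable DC) ends here.
    Write-Output "FAILED $($_.Exception.Message)"
    exit 1
}
```

The existence checks and the post-add verification are what make the activity safe to put behind an approval: the script cannot silently succeed against the wrong object, and the MID Server service account still only needs the right to modify membership of the groups the catalog offers, nothing broader.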

3 Comments
icreate
Kilo Contributor

garyopela, thanks for this simple and straightforward post!



I would just like to confirm or ask a few queries here. My client has recently bought Orchestration licenses and we are starting to enable AD as the pilot to see the orchestration. We are targeting a few of our manual activities done on AD by our resolvers team as the first phase.



Adding members/users to a particular AD group (not just security but any AD group available in AD): I believe the same approach which you have described here should be applied to make that happen? Please correct me if I am wrong.



Another query that I have is that we have different domains for AD like .NET, .BIZ, .INT. Is there anything special that we need to do to address domains, or should we handle that via the PowerShell script, or any filters? Please suggest any approach if you have one for that.



Next, what I heard from one of the AD guys is that they have like 12 servers to support AD (meaning 12 IPs). How do we manage the MID Server communicating with all of them, or like a load balancer? Because he mentioned that if one of them goes down AD starts working from the other, but as far as I know we will have a static IP, right? How should we manage that via orchestration? Any clue?



Appreciate any response!



Thanks,


Ishan


garyopela
ServiceNow Employee

"Adding members/users to a particular AD group (not just security but any AD group available in AD): I believe the same approach which you have described here should be applied to make that happen? Please correct me if I am wrong."

Yes.



"Another query that I have is that we have different domains for AD like .NET, .BIZ, .INT. Is there anything special that we need to do to address domains, or should we handle that via the PowerShell script, or any filters? Please suggest any approach if you have one for that."

Not sure on this one. I have never messed with AD in those other domains but assume it would be the same.



I'm not sure how to tell it to try and use several MID Servers, but if your attempt to add the user to the group fails,


I suppose you could then have more blocks to try different servers until one worked.



Brian Lancaster
Tera Sage

Hello Gary,


What did you put in for the sensor script? The Run PowerShell seems to go down the fail path for the sensor script. Also, we have all three MID Server services running on the same server. It should pick the correct one based on the environment that I am in, correct?