Add User to AD group through Microsoft AD Spoke

Suraj Shewale1
Mega Contributor

Hello Experts,

Goal: We want to add a user (for whom we request software) to an AD group through the Microsoft AD spoke.

We have created a successful connection between ServiceNow and AD through the Microsoft AD spoke (Windows credentials are validated). We want to test whether we are able to add the 'test user' when he/she requests software. The 'test group' is present in AD.

1. To achieve this, do we need that 'test group' in ServiceNow? If yes, then how should we pull users and groups from Active Directory to ServiceNow?

2. Is there any way to pull users or groups into ServiceNow through the Microsoft AD Spoke?

3. By creating a local user/group in ServiceNow, can we add the same user to the AD group? (We tried this way by creating the group locally in ServiceNow and then tested our flow to add the user to the AD group, but we got the error below: [screenshot])

Please let us know an effective way to add a user to an AD group if the group is not present in ServiceNow. FYI, we don't have LDAP in place to sync AD with ServiceNow.

Any suggestions experts: @Chuck Tomasi , @Maik Skoddow , @Ankur Bawiskar @Ashutosh Munot 


Bernd Hoffmeier
Kilo Sage

Basically if you have the AD Spoke available you can just use Flow Designer to add a user to the group. You do not have to have the AD group in ServiceNow to have this working.

You can use the "Add User To Group" action and if you like you can even do a lookup group before to make sure the group really exists.

Then you just need the username (samaccountname) and the group name and the flow takes care of adding the user. If you have multiple groups that are created dynamically you can either use a decision or lookup table to determine the group name (e.g. based on the selected software). This could look like:

Software: Visio -> AD Group: visio_software_install

Software: MindManager -> AD Group: mindmanager_software_install

Write this to a Flow variable that you can use then in your "Add User To Group" action.

Hello Bernd,

Thanks for your response. When you say username (samaccountname), does this mean the user for whom we are requesting the software?

In this case, when a user requests any software through a catalog item, that software will belong to some group. Currently we don't have the test group created in ServiceNow. But when we map the inputs (user_name and group_name) in the Add user to group activity to add the requested user to the requested group dynamically, we need the group and user records in ServiceNow. Please correct me if my understanding is wrong.

So do we need to create that group manually/locally in ServiceNow to map it to our activity inputs? If that group is not present in ServiceNow, how can we pass our inputs (how will the flow understand which user should get added to which group)?

Thanks

Hi Suraj,

username = samaccountname (usually User ID in ServiceNow) and yes, this is the user who is requesting the software.

You do not need to have the AD group in ServiceNow. If you synchronize them via LDAP Integration, it is OK to use it; otherwise you can just enter the name of the group as a string or build some logic that defines the group based on the software selected. So, for example, if your AD groups are like "License-Excel", you could also make it dynamic if you have that data either as a variable or stored somewhere else.

In this case you might use a mixture of strings and values from other flow steps, e.g. "License-<Name of step 3>".

Also, due to a change on the SN side, you might want to consider using actions from AD Spoke v2 because the old version is discontinued.
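The lookup described in the replies above, sketched as an added example that is not part of the original thread or the spoke's own code: plain JavaScript that resolves the group name from an approved table (or a strictly validated "License-" name) and rejects anything else, so a requester-supplied value cannot pick an arbitrary AD group. The function names, the `allowDynamic` switch and both validation patterns are assumptions; `user_name` and `group_name` are the action inputs mentioned in the thread.

```javascript
// Added example. Table entries are the two groups named in the thread.
const SOFTWARE_TO_GROUP = new Map([
  ["Visio", "visio_software_install"],
  ["MindManager", "mindmanager_software_install"],
]);
const DYNAMIC_PREFIX = "License-"; // naming pattern from the reply above

// Assumption: product tokens used in dynamic group names are letters/digits only.
const PRODUCT_RE = /^[A-Za-z0-9]{1,40}$/;
// Assumption: conservative sAMAccountName pattern (user names are at most 20 chars).
const SAM_RE = /^[A-Za-z0-9._-]{1,20}$/;

// Returns the approved AD group name for a software title, or null.
function resolveGroup(software, allowDynamic = false) {
  if (typeof software !== "string") return null;
  const name = software.trim();
  if (SOFTWARE_TO_GROUP.has(name)) return SOFTWARE_TO_GROUP.get(name);
  // Dynamic names are built only from a validated token and always carry the
  // fixed prefix, so the result stays inside the "License-*" group family.
  if (allowDynamic && PRODUCT_RE.test(name)) return DYNAMIC_PREFIX + name;
  return null;
}

// Builds the two inputs for the "Add User To Group" action, or a refusal.
function buildAddUserInputs(userId, software, allowDynamic = false) {
  if (typeof userId !== "string" || !SAM_RE.test(userId)) {
    return { ok: false, reason: "invalid sAMAccountName" };
  }
  const group = resolveGroup(software, allowDynamic);
  if (group === null) {
    return { ok: false, reason: "no approved AD group for software" };
  }
  return { ok: true, user_name: userId, group_name: group };
}

// Constructed sample requests.
console.log(buildAddUserInputs("test.user", "Visio"));
console.log(buildAddUserInputs("test.user", "Unlisted Tool"));
console.log(buildAddUserInputs("test.user", "Excel", true));
```

A flow would call the action only when `ok` is true and log the refusal otherwise.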

NehaKiran
Tera Contributor

Hello Suraj,

Is this issue resolved? If yes, could you please suggest the steps you followed to overcome this error?