How to Set Secondary Owner to AD Group in Active Directory through ServiceNow Flow

HiteshM
Tera Contributor

We’re implementing an automation in ServiceNow to create Active Directory groups and assign ownership. Our goal is to set both the primary owner (“managed by”) and the secondary owner(s) at the time of group creation.

  • What works: Creating the AD group and setting the primary owner via the AD Spoke action (Create Group) works as expected.
  • What’s blocked: Setting the secondary owner(s) requires using Active Roles Server (ARS) cmdlets. We are invoking the following through a ServiceNow Flow → PowerShell action:
 
# $computer = ARS service host, $cred = service account credential,
# $GroupName and $SecondaryUser = values passed in from the Flow action
Connect-QADService -Service $computer -Proxy -Credential $cred -ErrorAction Stop
Set-QADGroup $GroupName -SecondaryOwner @{append=@($SecondaryUser)} -SecondaryOwnersCanUpdateMembershipList $true
 

Issue observed:
Set-QADGroup fails with:

Cannot resolve directory object for the given identity: (secondaryUser)

From our troubleshooting, it appears the command cannot resolve or read the directory object for the supplied secondary owner or Group identity.

Request:

  • Has anyone successfully implemented setting secondary owners for AD groups via ARS from ServiceNow?
  • Are there recommended practices for identity formats (e.g., DN vs. sAMAccountName vs. UPN) and required ARS permissions/virtual attributes?
  • Any guidance on required service account permissions, policy settings, or directory visibility to allow Set-QADGroup to resolve the secondary owner object?

We would appreciate any suggestions or examples to help us move forward.

#ITSM

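As an added example (my own code, not the poster's and not part of the ServiceNow AD Spoke): a PowerShell script for the MID Server host that resolves the group and the secondary owner to distinguished names before calling Set-QADGroup, so an identity-format problem fails with a message naming exactly what was tried instead of failing inside Set-QADGroup, and then reads the group back to confirm the owner was actually written. Assumptions: the variables $computer, $cred, $GroupName and $SecondaryUser are supplied by the Flow as in the post; the module name ActiveRolesManagementShell, the fallback lookup by -SamAccountName, the function name Resolve-ArsIdentity and the attribute name edsvaSecondaryOwners used for the read-back check are my assumptions and should be checked against the installed ARS version.

```powershell
# Added example (not from the original post). Resolves both identities through the
# ARS proxy first, then applies the secondary owner and verifies the result.
# Assumed: ActiveRoles cmdlets installed on this host; $computer, $cred, $GroupName,
# $SecondaryUser set by the Flow action (names taken from the post).
$ErrorActionPreference = 'Stop'

if (-not (Get-Command Connect-QADService -ErrorAction SilentlyContinue)) {
    # Module name assumed (ARS 7.x); older installs expose the same cmdlets
    # through the Quest.ActiveRoles.ArsPowerShellSnapIn snap-in instead.
    Import-Module ActiveRolesManagementShell -ErrorAction Stop
}

function Resolve-ArsIdentity {
    # Hypothetical helper: try -Identity (DN, SID, GUID, UPN, DOMAIN\name), then for
    # users fall back to a plain sAMAccountName lookup, which -Identity alone may not
    # accept when the value arrives without a domain prefix. Returns the DN or throws
    # with the attempted value so the Flow log shows what could not be resolved.
    param(
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [ValidateSet('User', 'Group')] [string] $Kind
    )
    $obj = $null
    if ($Kind -eq 'User') {
        $obj = Get-QADUser -Identity $Value -ErrorAction SilentlyContinue
        if (-not $obj) {
            $obj = Get-QADUser -SamAccountName $Value -ErrorAction SilentlyContinue
        }
    }
    else {
        $obj = Get-QADGroup -Identity $Value -ErrorAction SilentlyContinue
    }
    if (-not $obj) {
        throw "Cannot resolve $Kind '$Value' through ARS (check identity format and the service account's ARS access to that object)"
    }
    if (@($obj).Count -gt 1) {
        throw "$Kind '$Value' is ambiguous: $(@($obj).DN -join '; ')"
    }
    return $obj.DN
}

try {
    # -Proxy routes through the ARS service so ARS policies and permissions apply;
    # the account behind $cred needs ARS rights on the group's OU, not just AD rights.
    Connect-QADService -Service $computer -Proxy -Credential $cred -ErrorAction Stop | Out-Null

    $groupDn = Resolve-ArsIdentity -Kind Group -Value $GroupName
    $userDn  = Resolve-ArsIdentity -Kind User  -Value $SecondaryUser

    # Same call as in the post, but with both sides already resolved to DNs.
    Set-QADGroup -Identity $groupDn `
        -SecondaryOwner @{append = @($userDn)} `
        -SecondaryOwnersCanUpdateMembershipList $true | Out-Null

    # Read back before reporting success; attribute name edsvaSecondaryOwners assumed.
    $after = Get-QADGroup -Identity $groupDn -IncludedProperties edsvaSecondaryOwners
    $owners = @($after.edsvaSecondaryOwners)
    if ($owners -notcontains $userDn) {
        throw "Set-QADGroup returned without error but '$userDn' is not listed as a secondary owner of '$groupDn'"
    }
    Write-Output "Secondary owner '$userDn' set on '$groupDn'"
}
finally {
    Disconnect-QADService -ErrorAction SilentlyContinue
}
```

Running this from the Flow's PowerShell step gives a distinct failure for each stage (module load, ARS connection, group lookup, user lookup, write, read-back), which is what you need to tell an identity-format problem apart from a missing ARS permission on the service account.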