Add User to Group (AD Orchestration Activity) - Not working
06-01-2018 01:29 PM
Hi Everyone,
I'm having an issue adding multiple group memberships to a user's AD account via the OOTB Orchestration activity "Add User to Group" for Active Directory. Here is the failure message in the workflow:
In the workflow above, you can see there are 2 previous activities. The first script compiles the list of group memberships into an array, and then a workflow scratchpad (script below). The second script documents the output into the description field of the RITM so that I can check manually to see what groups are being captured once the request is submitted in the catalog. As you can see in the above failure note, there are 12 groups that should have been applied. So I'm capturing the data I want, just not able to apply or format it correctly in the OOTB AD activity.
Here is the script I'm using to build the array:
// Query for AD Role
var title = current.variables.u_title.sys_id;
var ADrole = "";
var grTitle = new GlideRecord('u_working_title');
grTitle.addQuery('sys_id', title);
grTitle.query();
if (grTitle.next()) {
    ADrole = grTitle.u_active_directory_role;
}

// Declare array for groups
var group = [];

// Get AD group(s) and add to above array
var adGroup = new GlideRecord('u_m2m_active_direc_active_direc');
adGroup.addQuery('u_active_directory_roles', ADrole);
adGroup.query();
while (adGroup.next()) {
    group.push(adGroup.u_active_directory_group.u_name.toString());
}

gs.log(group);
workflow.scratchpad.group = group;
And here is the "Add User to Group" activity:
Also, I don't believe the mid-server or domain controller are the issue. I'm able to successfully utilize other AD activities (AD Query, AD update, etc.). I've also verified the admin account has the necessary access to add groups by manually authenticating into AD and adding groups, etc.
Any ideas on what I'm doing wrong above? I've checked product documentation and other community posts. I see other folks are using custom PowerShell activities, but I'd like to use this OOTB activity pack if possible.
Thanks,
Patrick
- Labels: Orchestration
06-01-2018 02:13 PM
Have you tried the same process but with one group?
The error message indicates that your AD query is one big string. At least that's my take on it.
You're querying samaccountname. Are you sure that what you have listed in the search filter isn't the display name?
Never used Orchestration but I did stay at a Holiday Inn Express once.
06-01-2018 02:35 PM
LOL. Good to know!
I have tried using one group, by calling out the first object in the array inside the Orchestration activity.
For example, in the Group Name field: ${workflow.scratchpad.group[0]}
This applied the first of the 12 groups from the array to the user's AD account successfully. That's how I know it's something with my code, etc., and not an issue with credentials or mid-server. I'm thinking along the same line as you right now. It's just one big string. Just not sure what I need to do to make this work. I've tried using .split(), and other functions with no success.
Thanks,
Patrick
06-01-2018 03:01 PM
Maybe you need to do something like below.
... (|(samaccountname='this group')(samaccountname="this other group")) and so on and so forth
06-04-2018 03:04 PM
I found the answers I needed here:
https://community.servicenow.com/community?id=community_question&sys_id=0b3f3a69db58dbc01dcaf3231f96197e&view_source=searchResult
I had to add an if condition/counter activity after the 'add user to group' activity, then loop it back to continue running for each object in the array. I also had to include the counter scratchpad in the 'add user to group' activity.
Ex: Group Name = ${workflow.scratchpad.group[workflow.scratchpad.counter]}
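The counter loop described in this thread, as an added example that is not part of the original posts: plain JavaScript that runs in Node without ServiceNow and shows both the "one big string" effect of passing a whole array and the per-index lookup with a guard for an empty list or a blank name. The function names, the stub standing in for the "Add User to Group" activity, and the group names are all hypothetical and constructed for illustration.

```javascript
// Added illustration: plain JavaScript, runs in Node without ServiceNow.
// Group names are constructed sample data; function names are hypothetical.

// What a field receives when the whole array is referenced in it:
// array-to-string coercion joins every element into one value.
function wholeArrayAsFieldValue(scratchpad) {
  return String(scratchpad.group); // e.g. "GroupA,GroupB,GroupC"
}

// Equivalent of ${workflow.scratchpad.group[workflow.scratchpad.counter]}.
// Returns null for an out-of-range counter or a blank name.
function currentGroupName(scratchpad) {
  var name = scratchpad.group[scratchpad.counter];
  return (typeof name === 'string' && name.trim() !== '') ? name : null;
}

// Equivalent of the If/counter activity placed after "Add User to Group":
// advance the counter and report whether the workflow should loop back.
function advance(scratchpad) {
  scratchpad.counter += 1;
  return scratchpad.counter < scratchpad.group.length;
}

// Drives the loop. addUserToGroup stands in for the AD activity and
// returns true on success. Failures are recorded, not silently skipped.
function runLoop(scratchpad, addUserToGroup) {
  var result = { added: [], failed: [] };
  scratchpad.counter = 0;
  if (scratchpad.group.length === 0) return result; // nothing to apply
  do {
    var name = currentGroupName(scratchpad);
    if (name !== null && addUserToGroup(name)) result.added.push(name);
    else result.failed.push({ index: scratchpad.counter, name: name });
  } while (advance(scratchpad));
  return result;
}

// Constructed sample run: the stub rejects the second group.
var sample = { group: ['APP-Finance-RO', 'APP-HR-RW', 'VPN-Users'], counter: 0 };
var outcome = runLoop(sample, function (g) { return g !== 'APP-HR-RW'; });
console.log(wholeArrayAsFieldValue(sample));
console.log(JSON.stringify(outcome));
```

Recording the index and name of each failed addition gives the RITM an auditable list of which memberships were and were not granted.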