How to Set Secondary Owner to AD Group in Active Directory through ServiceNow Flow
2 hours ago - last edited 2 hours ago
We’re implementing an automation in ServiceNow to create Active Directory groups and assign ownership. Our goal is to set both the primary owner (“managed by”) and the secondary owner(s) at the time of group creation.
- What works: Creating the AD group and setting the primary owner via the AD Spoke action (Create Group) works as expected.
- What’s blocked: Setting the secondary owner(s) requires using Active Roles Server (ARS) cmdlets. We are invoking the following through a ServiceNow Flow → PowerShell action:
Issue observed:
Set-QADGroup fails with:
Cannot resolve directory object for the given identity: (secondaryUser)
From our troubleshooting, it appears the command cannot resolve or read the directory object for the supplied secondary owner or Group identity.
Request:
- Has anyone successfully implemented setting secondary owners for AD groups via ARS from ServiceNow?
- Are there recommended practices for identity formats (e.g., DN vs. sAMAccountName vs. UPN) and required ARS permissions/virtual attributes?
- Any guidance on required service account permissions, policy settings, or directory visibility to allow Set-QADGroup to resolve the secondary owner object?
We would appreciate any suggestions or examples to help us move forward.
#ITSM
an hour ago
It seems that the issue could be specific to the permissions needed to modify an existing user.
Reading a user (e.g., with a Get User action) requires a very different permission level than creating a new object (user) in a specific OU.
So check with your AD team; they might be able to help you with permissions.
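The script the original post invokes is not shown on the page, so the following is an added example (not the poster's code and not part of the Active Roles product documentation) of the pattern that addresses both the question and the reply above: resolve the group and every secondary-owner identity explicitly through the Active Roles proxy first, so a format problem or a missing read permission on the service account surfaces as a precise error before Set-QADGroup is called. It assumes the ActiveRoles Management Shell is installed on the MID Server, that $ArsService, $GroupIdentity and $SecondaryOwners arrive as flow inputs, and that the secondary-owner virtual attribute is named edsvaSecondaryOwners (an assumption; confirm the attribute name against your own Active Roles schema).

```powershell
# Added example, not from the original post. Assumptions: ActiveRoles Management Shell
# is installed on the MID Server; the three parameters are supplied as flow inputs;
# the virtual attribute name edsvaSecondaryOwners matches your Active Roles schema.
param(
    [Parameter(Mandatory)] [string]   $ArsService,      # e.g. 'ars01.corp.example.com' (placeholder)
    [Parameter(Mandatory)] [string]   $GroupIdentity,   # DN preferred; sAMAccountName also accepted
    [Parameter(Mandatory)] [string[]] $SecondaryOwners  # each entry: DN, sAMAccountName or UPN
)

Import-Module ActiveRolesManagementShell -ErrorAction Stop

# Connect through the Active Roles proxy (-Proxy) rather than straight to a DC, so that
# ARS policies and virtual attributes such as secondary owners are in effect.
$conn = Connect-QADService -Service $ArsService -Proxy -ErrorAction Stop

function Resolve-OwnerDn {
    param([string] $Identity)
    # -Identity accepts a DN or sAMAccountName; fall back to an explicit UPN lookup when
    # the value looks like one. Returns $null when the object cannot be read, which is
    # the same condition that makes Set-QADGroup fail with "Cannot resolve directory object".
    $u = Get-QADUser -Identity $Identity -Connection $conn -ErrorAction SilentlyContinue
    if (-not $u -and $Identity -like '*@*') {
        $u = Get-QADUser -UserPrincipalName $Identity -Connection $conn -ErrorAction SilentlyContinue
    }
    if (-not $u) { return $null }
    return $u.DN
}

# Check the group first: if the service account cannot read it, stop here with a clear message.
$group = Get-QADGroup -Identity $GroupIdentity -Connection $conn -ErrorAction SilentlyContinue
if (-not $group) {
    throw "Group '$GroupIdentity' could not be resolved; check the identity format and the service account's read rights."
}

# Resolve every secondary owner to a DN and collect the ones that fail.
$ownerDns   = @()
$unresolved = @()
foreach ($id in $SecondaryOwners) {
    $dn = Resolve-OwnerDn -Identity $id
    if ($dn) { $ownerDns += $dn } else { $unresolved += $id }
}
if ($unresolved.Count -gt 0) {
    # Either the identity format is wrong or the service account lacks read access to that
    # user (the permission point raised in the reply). Report exactly which entries failed.
    throw "Could not resolve secondary owner(s): $($unresolved -join ', ')"
}

# Write the secondary owners as DNs via the ARS virtual attribute (name assumed; see lead-in).
Set-QADGroup -Identity $group.DN -Connection $conn `
    -ObjectAttributes @{ edsvaSecondaryOwners = $ownerDns } -ErrorAction Stop

# Read the attribute back so the flow can verify the write rather than trusting the call.
$after = Get-QADGroup -Identity $group.DN -Connection $conn -IncludedProperties edsvaSecondaryOwners
[pscustomobject]@{
    Group           = $group.DN
    SecondaryOwners = @($after.edsvaSecondaryOwners)
}
```

Passing DNs to the attribute removes the ambiguity between sAMAccountName and UPN that the question raises, and the separate Get-QADUser/Get-QADGroup calls tell you whether the failure is a read-permission problem (the reply's point) or a write-permission problem on the group, which a single failing Set-QADGroup does not distinguish.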
