Servicenow and AD credential issue

devarakondahk
Tera Contributor

Let me give you a brief overview of what I’ve done so far, so you can help me identify where I might be going wrong.


I created a PDI, and later, my team provided me with a Windows server where I also received login access using my credentials. I used these credentials to log in to the server and installed a MID Server. During installation, I provided a ServiceNow user with the mid_server role.


During the setup, it prompted me to create a service account, which I did on the MID Server installation wizard. I then selected that service account, continued with the setup, and completed the installation successfully.


After that, I configured Active Directory on the same server and promoted it to a Domain Controller. I can now see the Active Directory Users and Computers tool as well as PowerShell available.


Here’s where I’m facing an issue:

I created a custom action in which I selected a PowerShell step. When it asked for credentials, I created a Windows credential and provided the username and password I originally used to log in to the server. However, the credential test fails every time.


Could you please help me understand:


  1. How can I get my credentials to work so that I can successfully perform PowerShell operations on AD?
  2. Is there anything else I might be missing in the configuration for this to work end-to-end?


Thanks in advance for your help!

1 ACCEPTED SOLUTION

@devarakondahk 

Create a new service account in Active Directory (AD) and grant it local admin access to your MID server host. Also ensure it has the necessary permissions to make modifications in Active Directory.
A single service account with both accesses.


6 REPLIES

J Siva
Tera Sage

Hi @devarakondahk 

Instead of using your credentials, create a new service account and grant that with all the necessary roles.

Then try to run the AD PowerShell cmdlets manually, passing the new service account credentials.

Sample script:

Import-Module ActiveDirectory
# Prompt for the service account credentials instead of using the logged-in user's
$credential = Get-Credential -Message "Enter your Active Directory credentials"

try {
  # Look up the AD group as the supplied account; a failure here means the
  # account itself cannot read the object, independent of the MID Server
  $groupName = Read-Host "Enter the AD group name"
  $group = Get-ADGroup -Identity $groupName -Properties * -Credential $credential -ErrorAction Stop

  # Output the group details
  $group
} catch {
  # $_ is the error record for the failed cmdlet; an ErrorRecord has no
  # .Message property, so read the exception message instead of $Error[0].Message
  Write-Error "Failed to retrieve group: $($_.Exception.Message)"
}

Use the new service account credentials and see.

Regards,

Siva

Hi @J Siva 

Thanks for the response.


I have a quick clarification regarding the credentials required for executing PowerShell operations on Active Directory. I’m a bit confused about which credentials you’re referring to. Should I request my team member — who provided me with the credentials to log in to the Windows server — to create a new set of credentials for this purpose? Or are you referring to a user account that I should create within the AD environment and use that?


Also, is there any official documentation that outlines what roles or permissions are required for the credentials in order to perform PowerShell operations on Active Directory?

J Siva
Tera Sage

Don't use the credentials you used to log in. Instead, create a new service account and grant local admin access to the service account on your MID Server host.

Regarding AD roles, this might vary based on the client, so you should check with your AD team on this.

Recently I set this up in my AD & PDI environment.

I created a new user account in AD with full access, then I used that in Windows credentials. It worked.

Regards,

Siva
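The accepted solution and Siva's replies both come down to one service account that is local admin on the MID Server host and a usable AD identity; the script below is an added example (not from the thread) that checks a candidate account against those two grants plus WinRM reachability before it is attached to a ServiceNow Windows credential. The account and host names are placeholders, and it assumes the ActiveDirectory module is installed on the host.

```powershell
# Added example, not from the thread. Run on the MID Server host to check a candidate
# service account against the two grants in the accepted solution (local admin on the
# host, usable AD identity) plus WinRM reachability. Account/host names are placeholders.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_servicenow_mid',  # placeholder DOMAIN\sAMAccountName
    [string]$MidServerHost  = $env:COMPUTERNAME
)
Import-Module ActiveDirectory -ErrorAction Stop
$sam     = $ServiceAccount.Split('\')[-1]
$results = [ordered]@{ Account = $ServiceAccount; Host = $MidServerHost }

# 1. Direct membership in the host's Administrators group (ADSI works on member servers
#    and on domain controllers alike). Caveat: on a DC this is Builtin\Administrators,
#    which is domain-wide rather than host-local, so the grant is much broader than
#    "local admin" suggests. Nested membership (e.g. via Domain Admins) is not detected.
$adminGroup = [ADSI]'WinNT://./Administrators,group'
$members = @($adminGroup.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$results['DirectLocalAdmin'] = [bool]($members -icontains $sam)

# 2. The account can authenticate to AD and is in a usable state.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
try {
    $user = Get-ADUser -Identity $sam -Credential $cred -ErrorAction Stop `
                -Properties Enabled, LockedOut, PasswordExpired, MemberOf
    $results['AdBindOk']        = $true
    $results['Enabled']         = $user.Enabled
    $results['LockedOut']       = $user.LockedOut
    $results['PasswordExpired'] = $user.PasswordExpired
    $results['AdGroups']        = ($user.MemberOf | ForEach-Object {
        ($_ -split ',')[0] -replace '^CN='
    }) -join ', '
} catch {
    $results['AdBindOk'] = $false
    $results['AdError']  = $_.Exception.Message
}

# 3. WinRM on the MID Server host accepts the credential.
try {
    $null = Test-WSMan -ComputerName $MidServerHost -Credential $cred -Authentication Default -ErrorAction Stop
    $results['WinRmOk'] = $true
} catch {
    $results['WinRmOk']    = $false
    $results['WinRmError'] = $_.Exception.Message
}

[pscustomobject]$results | Format-List
```

A false in DirectLocalAdmin, AdBindOk or WinRmOk points at the layer (host group, AD account state, remoting) that the ServiceNow credential test is most likely failing on.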

@J Siva 

You mentioned two things:

  1. "Create a new service account and grant local admin access to the service account on your MID Server host."

  2. "you created a new user account in AD with full access, then used that in Windows credentials. It worked."

So I just wanted to clarify—are you saying that we need one credential at the server level and another in AD? Or, if we create a credential at the server level, will it automatically reflect in AD as well?