The Orchestrator Integration Pack for Active Directory - A quick test drive
I had some free time this evening so I spent a little time building a runbook to test the new Integration Pack for Active Directory (documented on Technet here). I set out to write a little runbook to: take a few input parameters, create a new user account, and add that user to a group. I found this pretty easy to accomplish and would like to share the experience here.
The input parameters for my runbook are: User common name, First Name, Last Name, and Group Name.
This is a good time to use some Orchestrator variables to store common data like: DomainDNSName, NewUsersOU, etc.
The AD Integration Pack is a new feature for Orchestrator and has a base set of activities to enable managing AD objects, mostly limited to Computers, Users, and Groups. The activities are shown here:
Install and configure the Integration Pack
You can download the IP (Release Candidate) by following the link shown above. After using the Deployment Manager to deploy the IP you'll need to edit the settings for your AD Integration Pack in Runbook Designer:
Build the Runbook
My test runbook is shown graphically in the figure below. A short description of each step:
- Initialize Data – takes the input params as mentioned above
- Generate Random – using the Generate Random Text activity (this can include lowercase, uppercase, numbers and symbols)
- Create User – minimally you must include the CommonName, Password, and Parent Distinguished Name (OU location for new user)
- [If Create User returns an error, we call an error handler and quit]
- Get Group – I found this one tricky at first. You have to enter the Properties which control the LDAP search, and one or more Filters to describe the Group object being searched for. I used the Common Name for my group filter.
- Now for the tricky part: I found that Get Group returns a Success value even if it doesn't find anything. So my subsequent Link criteria used "Distinguished Name does not contain CN=" to detect that the group was not found. This took some trial and error to find a workable solution. It would be nice if Get Group returned a "Number of Objects Found" value to the databus, but apparently it does not.
- If group already exists, I add the user to the Group
- If the group does not exist, create the Group and then add the user
- Enable the user account (because AD creates user accounts in disabled state by default)
The runbook looks like this:
Additional details on the Get Group activity:
Determine if Get Group found nothing:
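As an added example that is not part of the original post, here is the same flow written as a script against the ActiveDirectory PowerShell module, which shows the same "Get Group succeeds with no result" behaviour as a `$null` check. The OU paths, the `$GroupsOU` name and the `New-RandomPassword` helper are assumptions, not values from the post.

```powershell
# Added example (not from the post): the runbook's steps as an ActiveDirectory
# module script. The OU paths below stand in for the Orchestrator variables
# and are assumed values, not anything from the post.
param(
    [Parameter(Mandatory)] [string] $CommonName,
    [Parameter(Mandatory)] [string] $FirstName,
    [Parameter(Mandatory)] [string] $LastName,
    [Parameter(Mandatory)] [string] $GroupName
)
Import-Module ActiveDirectory -ErrorAction Stop
$NewUsersOU = 'OU=NewUsers,DC=corp,DC=example'   # assumed, stands in for the NewUsersOU variable
$GroupsOU   = 'OU=Groups,DC=corp,DC=example'     # assumed

# Stand-in for the "Generate Random Text" activity: lowercase, uppercase,
# digits and symbols, drawn from a cryptographic RNG with rejection sampling.
function New-RandomPassword {
    param([int] $Length = 16)
    $chars = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit = 256 - (256 % $chars.Length)    # bytes at or above this would bias the modulo
    $out   = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $out[$i] = $chars[$buf[0] % $chars.Length]; $i++ }
    }
    return -join $out
}
try {
    # Create User: common name, password and parent DN are the required inputs.
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    $user = New-ADUser -Name $CommonName -GivenName $FirstName -Surname $LastName `
        -SamAccountName $CommonName -Path $NewUsersOU -AccountPassword $secure `
        -Enabled $false -PassThru -ErrorAction Stop

    # Get Group: as with the activity, a filter search that matches nothing
    # returns success with no object, so the check is for $null, not an error.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $GroupsOU -ErrorAction Stop
    if ($null -eq $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Path $GroupsOU -PassThru -ErrorAction Stop
    }
    Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
    Enable-ADAccount -Identity $user -ErrorAction Stop   # accounts are created disabled
}
catch {
    # The runbook's error-handler branch: report the failure and stop.
    Write-Error "Provisioning of '$CommonName' failed: $($_.Exception.Message)"
    exit 1
}
```

Run it from a host with RSAT (or a domain controller) as an account allowed to create users and groups in the two OUs.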
Summary
The AD Integration Pack provides some easy-to-use automation steps which make a nice addition to Orchestrator. With a modicum of knowledge you can quickly put it to use in your workflows for onboarding, offboarding, provisioning, and so on.
The runbook is attached to this posting. I did not export the Variables but they are shown here: