Orchestration Active Directory Activities

From ServiceNow Wiki

1 Overview

Orchestration activities perform automated tasks when added to a workflow. For instructions on using activities to construct a workflow, see Using Workflow Activities.

The Active Directory activities enable an administrator to create, delete, and manage objects in Windows Active Directory, such as users, groups, and computers with a ServiceNow Orchestration workflow. For example, you can reset a password automatically from a user request. You can manage any user account in Active Directory with these activities, whether or not it was created by a ServiceNow Orchestration workflow.

Domain controllers are identified by the IP address of the host machine. To use the hostname of the domain controller, add the Resolve DNS Name activity to resolve the hostname into an IP, and then pass the IP into the Active Directory activity.

Your ServiceNow instance must have access to a MID Server configured to use PowerShell to run these activities.

Note: All Active Directory activities pass through error messages returned from Active Directory. To view these error messages, point to the failed activity in the workflow canvas or select the Workflow Log tab in a Workflow Context record.

For the list of all Orchestration activities, see Orchestration Activities.

2 Change AD User Password

The Change AD User Password activity changes the password for an Active Directory user account. Unlike the Reset AD User Password activity, this activity requires the user's current password to run. The Change AD User Password activity is available starting with the Eureka release.

2.1 Results

  • Success: the password was successfully reset.
  • Failure: an error occurred while attempting to change the password. Additional details may be available in the workflow log.
  • Policy Failure: the new password does not comply with the organization's Active Directory requirements.
  • Incorrect old password: the user entered an incorrect value for the old password. This result is available starting with the Fuji release.

2.2 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • User: The sAMAccountName of the Active Directory user account.
  • Old password: The user's current password.
  • New password: The new password to assign to this user.

3 Create AD Object

The Create AD Object activity creates an object in Windows Active Directory. This activity fails if it finds an existing object with matching input variables.

Prior to the Dublin release this activity was called Create AD User Account and could only create user objects in Active Directory. The Create AD User Account activity no longer appears in the activity menu, but existing Create AD User Account activities on saved workflows still work.

3.1 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • Type: The object type to create: user, group, or computer.
  • OU: The organizational unit to which this object belongs.
  • Object name: The sAMAccountName of the Active Directory object. The value is also used for the name attribute, so whatever is passed as the Object name becomes both the sAMAccountName and the name of the new user in Active Directory. This behavior is implemented in ActiveDirectory.psm1.
  • Object data: A JSON object containing Active Directory property names and their corresponding values. For example:
{
  "givenName" : "John",
  "SN" : "Doe",
  "title" : "Sr. Account Specialist",
  "allowLogin" : true
}

This example sets the first name (givenName), last name (SN), and title on the Active Directory user account and allows that user to log in (allowLogin). This field allows expression evaluation via the ${} variable substitution syntax.

4 Disable AD User Account

The Disable AD User Account activity disables a Windows Active Directory user account, making it inactive.

4.1 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • Username: The sAMAccountName of the Active Directory user account.

5 Enable AD User Account

The Enable AD User Account activity enables a Windows Active Directory user account, making it active.

5.1 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • User: The sAMAccountName of the Active Directory user account.

6 Is AD Account Locked

The Is AD Account Locked activity determines if an Active Directory user account is locked. An account may be locked automatically if a user enters an incorrect password more times than allowed by the Active Directory security policy. You can unlock an account using the Unlock AD User Account activity. The Is AD Account Locked activity is available starting with the Eureka release.

6.1 Results

  • Locked: the account is locked.
  • Unlocked: the account is unlocked.
  • Failure: an error occurred while processing the query. Additional details may be available in the workflow log.

6.2 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • User: The sAMAccountName of the Active Directory user account.

7 Query AD

The Query AD activity retrieves entries from the Windows Active Directory based on an LDAP search filter and stores the results as a JSON string in the workflow scratchpad.

7.1 Results

  • Success: the query completed as expected.
  • Failure: an error occurred while processing the query. Additional details may be available in the workflow log.

7.2 Scratchpad Entries

  • queryAD: A JSON array of the Active Directory objects that the query returns.

7.3 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • Properties: A comma-separated list of Active Directory properties to return, for example givenName,SN,title. If this field is blank, all properties are returned.
  • Search filter: An LDAP filter string that defines the search parameters. Use any valid LDAP filtering criteria. For example, to find user accounts matching the ServiceNow input record, use:
(samaccountname=${workflow.inputs.u_user.user_name})
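The search filter above is built by substituting a workflow input straight into LDAP filter syntax, and the result lands in the queryAD scratchpad entry as JSON. The following Python example is added here and is not part of the ServiceNow wiki page or the product: it escapes the substituted value per RFC 4515 so that characters such as `*`, `(` and `)` in an input are matched literally, then decodes a constructed queryAD value and insists on exactly one matching account before a workflow would act on it. The shape of the queryAD array (objects keyed by property name) and the sample records are assumptions.

```python
import json

# RFC 4515 escape sequences for characters that have meaning inside an LDAP filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter assertion."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_name: str) -> str:
    """Build the (samaccountname=...) filter from the page with the input escaped.

    A raw ${workflow.inputs.u_user.user_name} substitution places the value in the
    filter as-is; escaping first keeps '*' or ')' from being read as filter syntax.
    """
    return "(samaccountname=%s)" % escape_ldap_filter_value(user_name)


# Constructed sample of a queryAD scratchpad value (assumption: a JSON array of
# objects keyed by the requested property names, as the page describes).
SAMPLE_QUERY_AD = json.dumps([
    {"samaccountname": "jdoe", "givenName": "John", "SN": "Doe",
     "title": "Sr. Account Specialist"},
    {"samaccountname": "jdoe2", "givenName": "Jane", "SN": "Doe",
     "title": "Account Specialist"},
])


def parse_query_ad(scratchpad_json: str) -> list:
    """Decode the queryAD scratchpad entry and check that it is the expected JSON array."""
    results = json.loads(scratchpad_json)
    if not isinstance(results, list):
        raise ValueError("queryAD should contain a JSON array of Active Directory objects")
    return results


def single_match(results: list, user_name: str) -> dict:
    """Return the one object whose sAMAccountName equals user_name (case-insensitive).

    A workflow that goes on to change or reset a password should refuse to act
    unless the query identified exactly one account.
    """
    wanted = user_name.lower()
    matches = [r for r in results if str(r.get("samaccountname", "")).lower() == wanted]
    if len(matches) != 1:
        raise LookupError("expected exactly one account for %r, found %d" % (user_name, len(matches)))
    return matches[0]


if __name__ == "__main__":
    print(build_user_filter("O'Brien (contractor)"))
    print(single_match(parse_query_ad(SAMPLE_QUERY_AD), "JDOE"))
```

The escaping function would run in a workflow script step before the value is handed to the Search filter field; the single-match check belongs between Query AD and any activity that modifies the account.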

8 Remove AD Object

The Remove AD Object activity deletes an object from Windows Active Directory.

Prior to the Dublin Release this activity was called Remove AD User Account and could only remove user objects in Active Directory. The Remove AD User Account activity no longer appears in the activity menu, but existing Remove AD User Account activities on saved workflows still work.

8.1 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • Type: The object type to remove: user, group, or computer.
  • Object name: The sAMAccountName of the Active Directory object.

9 Reset AD User Password

The Reset AD User Password activity resets the password of a user account in Windows Active Directory. If the new password violates any Active Directory password requirements, such as length or character combinations, the reset activity fails and returns the appropriate error message. This error appears in the ECC Queue and when you point to the activity in the workflow editor.

9.1 Results

  • Success: the password was successfully reset.
  • Failure: an error occurred while attempting to reset the password. Additional details may be available in the workflow log.
  • Policy Failure: the new password does not comply with the organization's Active Directory requirements.

9.2 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • Username: The sAMAccountName of the Active Directory user account.
  • Password: The new password for the user. This password must comply with the organization's Active Directory requirements.
  • Force user to change password on login: Makes this password temporary by forcing the user to change it at the next login.
  • Unlock: Unlocks the account if it is locked (starting with the Eureka release).
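Both Reset AD User Password and Change AD User Password return Policy Failure when the new password does not meet the domain's requirements, and the only detail is whatever Active Directory sends back. The following Python example is added here and is not part of the ServiceNow wiki page or the product: it pre-checks a candidate password against the standard Windows complexity rules (minimum length, three of five character categories, and no account-name or display-name tokens of three or more characters) so a workflow can reject a request with a specific message before calling the activity. The minimum length of 7 and the sample names are assumptions; the domain's actual policy is what counts.

```python
import re

# Delimiters Windows uses to split the display name into tokens for the name check.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")

MIN_LENGTH_MSG = "shorter than the minimum length of %d"
CATEGORY_MSG = "uses fewer than three of the five character categories"
NAME_MSG = "contains the account name or a part of the display name"


def category_count(password: str) -> int:
    """Count the character categories used, following the Windows complexity rule."""
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any("0" <= c <= "9" for c in password),
        any(not c.isalnum() for c in password),
        # Alphabetic characters that are neither upper nor lower case (for example CJK).
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    )
    return sum(categories)


def violates_name_rule(password: str, sam_account_name: str, display_name: str = "") -> bool:
    """True if the password contains the account name or a display-name token of 3+ characters.

    Comparisons are case-insensitive; an account name shorter than three characters is skipped.
    """
    pw = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw:
        return True
    return any(len(tok) >= 3 and tok.lower() in pw
               for tok in _NAME_DELIMITERS.split(display_name))


def check_password_policy(password: str, sam_account_name: str,
                          display_name: str = "", min_length: int = 7) -> list:
    """Return the list of policy rules a candidate password breaks (empty means it passes).

    min_length defaults to 7, a common Default Domain Policy value; the real
    minimum for the target domain is an assumption the workflow owner should confirm.
    """
    problems = []
    if len(password) < min_length:
        problems.append(MIN_LENGTH_MSG % min_length)
    if category_count(password) < 3:
        problems.append(CATEGORY_MSG)
    if violates_name_rule(password, sam_account_name, display_name):
        problems.append(NAME_MSG)
    return problems


if __name__ == "__main__":
    # Constructed candidates checked against an assumed account jdoe / John Doe.
    for candidate in ("Summer2024!", "JohnDoe123!", "abc"):
        print(candidate, check_password_policy(candidate, "jdoe", "John Doe") or "ok")
```

Passing this check does not guarantee Active Directory will accept the password (fine-grained password policies, history and minimum-age rules are not modelled), so the workflow still has to handle the Policy Failure result; the pre-check only turns the common rejections into a readable message for the requester.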

10 Unlock AD Account

The Unlock AD Account activity unlocks a locked Active Directory user account. You can use the Is AD Account Locked activity to determine if an account is locked. The Unlock AD Account activity is available starting with the Eureka release.

10.1 Results

  • Success: the account was successfully unlocked.
  • Failure: an error occurred while attempting to unlock the account. Additional details may be available in the workflow log.

10.2 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • User: The sAMAccountName of the Active Directory user account.

11 Update AD Object

The Update AD Object activity updates an object in Windows Active Directory. The activity fails if it cannot find an existing account with matching object name and data. The activity only replaces existing values with new values. It cannot add new values to AD records such as adding a new group member to an AD group. For complex AD operations, use the Run PowerShell activity instead.

Prior to the Dublin Release, this activity was called Update AD User Account and could update only user objects in Active Directory. Additionally, the Update AD User Account activity could add only string values. The Update AD User Account activity no longer appears in the activity menu, but existing Update AD User Account activities on saved workflows still work.

11.1 Input Variables

  • Domain controller: IP address of the domain controller machine.
  • Type: The object type to update: user, group, or computer.
  • Object name: The sAMAccountName of the Active Directory object.
  • Object data: A JSON object containing Active Directory properties and their values. For example, to set the first name, last name, and title of a user, clear the user's manager, and set the VIP flag to true, the Object data specifies:
{
  "givenName" : "John",
  "SN" : "Doe",
  "title" : "Sr. Account Specialist",
  "manager" : null,
  "msTSAllowLogon" : false
}
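The Object data field of both Create AD Object and Update AD Object is a JSON document that can carry ${} references to workflow inputs, and for Update AD Object a JSON null clears an attribute while any other value replaces it. The following Python example is added here and is not part of the ServiceNow wiki page or the product: it parses the Object data template first and substitutes references afterwards, so a quote or brace inside a requester-supplied value can only ever become part of a string, restricts the attributes a workflow may write to an allowlist, and splits the result into clear and replace sets. The dotted-path resolution, the u_user.first_name and u_user.last_name inputs, and the allowlist are assumptions.

```python
import json
import re

# A ${path.to.value} reference as used in the Object data field (assumption:
# dotted paths resolved against a nested dictionary of workflow inputs).
_REF = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def resolve_ref(path: str, context: dict):
    """Resolve a dotted reference such as workflow.inputs.u_user.user_name."""
    node = context
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError("unresolved reference ${%s}" % path)
        node = node[part]
    return node


def _substitute(value, context):
    """Walk a parsed JSON value and replace ${...} references inside strings."""
    if isinstance(value, str):
        whole = _REF.fullmatch(value)
        if whole:
            # A string that is exactly one reference keeps the referenced value's type.
            return resolve_ref(whole.group(1), context)
        return _REF.sub(lambda m: str(resolve_ref(m.group(1), context)), value)
    if isinstance(value, dict):
        return {k: _substitute(v, context) for k, v in value.items()}
    if isinstance(value, list):
        return [_substitute(v, context) for v in value]
    return value


def render_object_data(template: str, context: dict, allowed=None) -> dict:
    """Parse the Object data JSON first, then substitute references.

    Substituting after parsing means input values cannot change the shape of the
    document. The optional allowed set rejects attribute names this workflow is
    not meant to write.
    """
    data = json.loads(template)
    if not isinstance(data, dict):
        raise ValueError("Object data must be a JSON object")
    rendered = _substitute(data, context)
    if allowed is not None:
        unknown = sorted(set(rendered) - set(allowed))
        if unknown:
            raise ValueError("attributes not permitted by this workflow: %s" % ", ".join(unknown))
    return rendered


def plan_update(object_data: dict) -> dict:
    """Split Object data into attributes to clear (JSON null) and attributes to replace.

    Update AD Object only replaces existing values, so false is still a value to
    write, while null clears the attribute (the page's manager example).
    """
    return {
        "clear": sorted(k for k, v in object_data.items() if v is None),
        "replace": {k: v for k, v in object_data.items() if v is not None},
    }


# The page's Update AD Object example with the first and last name taken from
# constructed workflow inputs (u_user.first_name and u_user.last_name are assumptions).
TEMPLATE = """{
  "givenName": "${workflow.inputs.u_user.first_name}",
  "SN": "${workflow.inputs.u_user.last_name}",
  "title": "Sr. Account Specialist",
  "manager": null,
  "msTSAllowLogon": false
}"""

CONTEXT = {"workflow": {"inputs": {"u_user": {"first_name": "John", "last_name": 'Doe "JD"'}}}}

ALLOWED = {"givenName", "SN", "title", "manager", "msTSAllowLogon"}


if __name__ == "__main__":
    data = render_object_data(TEMPLATE, CONTEXT, ALLOWED)
    print(json.dumps(plan_update(data), indent=2))
```

The allowlist is the point a reviewer would insist on when Object data is assembled from a catalog request: the activity will write whatever attribute names appear in the JSON, so the workflow, not the requester, should decide which attributes are in scope.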

12 Enhancements

12.1 Fuji

12.2 Eureka
