Orchestrator Get Group Activity and AD Distinguished Name


Slightly off from my usual topics, but recently I’ve been working more with Orchestrator and, although what I am about to tell you is not unknown, I didn’t find it easy to get the answers from the web, so I thought I should share. I got a lot of help on this one from this TechNet thread, but information elsewhere didn’t come so easily, hence this post: https://social.technet.microsoft.com/Forums/en-US/4ee8b415-9e2c-4735-9803-b55a500f5c57/get-group-activity?forum=scogeneral

In short, when using the Get Group Activity from the Microsoft Active Directory Integration Pack, there seems to be a limitation on the distinguished name you can use. At the time of writing I am using the latest available integration pack from Microsoft (v7.2); I am aware that there is a community-based alternative, but I haven’t used it at this time.

The activity is commonly used as follows:

image

In my example I am trying to obtain all the groups from a ‘Copy from’ user and then apply those groups to a new user. So first I perform a Get User activity to obtain various pieces of information about the user I will copy from. You are then obliged to use only the AD Distinguished Name field from that Get User to look up which groups they belong to. In most organisations that will probably be fine, as the Distinguished Name is likely to be something like this:

CN=Peter Egerton,CN=Users,DC=infdemo,DC=com

The Full Name field is therefore this:

image

The Full Name field directly correlates to the Distinguished Name, and in this format the activity should run just fine. If you want to amend the Distinguished Name you can simply rename the user account as above and amend the Full Name field, which is reflected in the Distinguished Name. You can then view this in the properties of the user account using something like ADSI Edit.

However I was working with a customer recently who had a slightly unconventional Full Name field on their user accounts:

image

You will notice the change in format to include some special characters, namely the comma and the brackets ( ). When you view the Distinguished Name in this format you will notice something different:

CN=Egerton\, Peter (IT),CN=Users,DC=infdemo,DC=com

See the \ ? This makes sense: in a Distinguished Name a comma is used as a delimiter, so AD escapes the literal comma with a \. However, a slight fail on Microsoft's part means this causes the activity in Orchestrator to fail. I can also confirm that it doesn't like the brackets either; I had to remove both the comma and the brackets for the activity to run. When faced with an AD of several thousand users all in the same format, I’m not about to go changing that.

In Orchestrator you will see that the activity actually runs, but returns a Group Count of 0, which isn’t really helpful, I’m sure you will agree.

image

As with many things in Orchestrator, it seems the way around this is to fall back to the Run .Net Script activity, or in other words to run a PowerShell script. So here’s what you can do to work around it in your .Net activity. Credit to Alan Doran here, as he came up with the lines in the TechNet thread, which work perfectly. You will need either to run a remote session to a machine with the AD cmdlets or simply to add them to your Orchestrator Runbook servers.

$Groups = PowerShell {
    # Nested PowerShell session so the AD cmdlets load (module must be present on the Runbook server)
    Import-Module ActiveDirectory

    # Look the user up by account name instead of Distinguished Name, so the escaped characters never matter
    (Get-ADUser -Identity {PublishedDataAccountName} -Properties MemberOf | Select-Object MemberOf).MemberOf
}

You can then add the Groups variable to your activity as Published Data, which produces an array that can be passed through to your next activity.
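As an added example that is not part of the original post, here is the full ‘copy the groups to the new user’ step done in the same Run .Net Script activity, identifying both accounts by sAMAccountName so the escaped Distinguished Name is never handed to the Get Group Activity. {PublishedDataAccountName} and {PublishedDataNewAccountName} are assumed published-data placeholders holding the source and target account names.

```powershell
# Added example, not from the original post. Copies a source user's group
# memberships to a new user inside one Run .Net Script activity.
# {PublishedDataAccountName} and {PublishedDataNewAccountName} are assumed
# Orchestrator published-data placeholders holding the two sAMAccountNames;
# Orchestrator substitutes them as text before the script runs, hence the quotes.
$Result = PowerShell {
    Import-Module ActiveDirectory

    $SourceSam = '{PublishedDataAccountName}'
    $TargetSam = '{PublishedDataNewAccountName}'

    # Identify both accounts by sAMAccountName, so the escaped "\," in the
    # Distinguished Name is never parsed by this script or by the Get Group Activity.
    $Source = Get-ADUser -Identity $SourceSam -Properties MemberOf
    $Target = Get-ADUser -Identity $TargetSam

    $Added  = @()
    $Failed = @()
    foreach ($GroupDn in $Source.MemberOf) {
        try {
            # MemberOf holds the group DNs; Add-ADGroupMember resolves them itself,
            # escaped commas included, so no string surgery is needed here.
            Add-ADGroupMember -Identity $GroupDn -Members $Target -ErrorAction Stop
            $Added += $GroupDn
        }
        catch {
            # Keep going and report the failure rather than aborting the whole copy
            $Failed += "$GroupDn : $($_.Exception.Message)"
        }
    }

    # Return one object to the outer session so each part can be published
    [pscustomobject]@{
        GroupCount = @($Source.MemberOf).Count
        Added      = $Added
        Failed     = $Failed
    }
}

# Expose these from the Run .Net Script activity as Published Data
$GroupCount   = $Result.GroupCount
$AddedGroups  = $Result.Added
$FailedGroups = $Result.Failed
```

Publishing FailedGroups alongside GroupCount lets the next activity branch on partial failures instead of silently reporting success, which is the very symptom (a Group Count of 0) that made the original activity unhelpful.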