JanS2000 Posted June 14, 2023

Good morning, I'm trying to add a user to a group which is managed in our on-premise AD. I've checked the job queue and it looks fine, all executes okay and says run successfully, but it actually fails every time as it can't find the customer. I've tried the Customer ID, Logon ID and even primary email address, but none of them work. The process runs fine and the job closes as if it's all been completed, but the user doesn't get added to the group and the details of the job say it failed. I must be using the wrong variable, but in the Get Customer Info section there aren't many options to choose from that relate to ID. Please could someone point me in the right direction? One thing to mention, I'd have to double check this, but our initial user import may have been from Azure AD and not our on-premise AD; if so, would that have an impact on this? Also, while writing this and looking thoroughly at the screenshot attached, I'm wondering if I just need a new API key for the on-premise AD, but I'm not sure. Any help or advice would be really appreciated, thank you.

Graham Posted June 14, 2023

@JanS2000 Let's check the version of the package first, and make sure that's up to date. Within ITOM, if you go to Package Management -> Installed Packages, what version do you see for Active Directory User Management?

Graham

JanS2000 (Author) Posted June 14, 2023

34 minutes ago, Graham said: @JanS2000 Let's check the version of the package first, and make sure that's up to date. Within ITOM, if you go to Package Management -> Installed Packages, what version do you see for Active Directory User Management?

Hi @Graham, thanks, it's version 21.

JanS2000 (Author) Posted June 14, 2023

Should I have used the user management package instead of the group management one in the automation node?

Graham Posted June 14, 2023

@JanS2000 No, the Group Management package is the one you need. That's me leading you astray by asking the wrong question! I should have asked about the Group Management package! Assuming that's on version 14 (the latest), then it would appear that the problem is that the user you're trying to add can't be found. There are two possible reasons for that: either the user doesn't exist or the package is querying the wrong directory server. Which domain is the user you're trying to add in, and which domain is the SIS server itself in?

JanS2000 (Author) Posted June 14, 2023

Just now, Graham said: @JanS2000 No, the Group Management package is the one you need. That's me leading you astray by asking the wrong question! I should have asked about the Group Management package! Assuming that's on version 14 (the latest), then it would appear that the problem is that the user you're trying to add can't be found. There are two possible reasons for that: either the user doesn't exist or the package is querying the wrong directory server. Which domain is the user you're trying to add in, and which domain is the SIS server itself in?

Yes, it's version 14 @Graham. I'm testing it with myself as the user to add to the group, so I definitely exist. My login and the SIS server are in the same domain.

Graham Posted June 14, 2023 (edited)

@JanS2000 The package is calling the PowerShell cmdlet "Get-ADUser", passing the value of the MemberIdentity parameter as the value of the -Identity parameter to the cmdlet, and it's that part which is failing. I understand the redactions, and while I'm not asking you to "unredact" them, can you confirm that the value passed into the job is one of:

A distinguished name
An object GUID
A security identifier
A SAM account name

Edited June 14, 2023 by Graham: Corrected cmdlet parameter name

JanS2000 (Author) Posted June 14, 2023

6 minutes ago, Graham said: @JanS2000 The package is calling the PowerShell cmdlet "Get-ADUser", passing the value of the MemberIdentity parameter as the value of the -Identity parameter to the cmdlet, and it's that part which is failing. I understand the redactions, and while I'm not asking you to "unredact" them, can you confirm that the value passed into the job is one of: A distinguished name, An object GUID, A security identifier, A SAM account name

Hi @Graham, the full error shows:

Get-ADUser: Cannot find an object with identity: 'myusername@ourdomain.gov.uk' under: 'DC=ourdomain,DC=gov,DC=uk'.

I can't see anything that shows all the details above. I'm not sure in all honesty what the security identifier would look like, though. The SAM account name is my username, and that shows up in myusername@ourdomain.gov.uk. The only object GUID I can see is for the group.

Steve G Posted June 14, 2023

Hi @JanS2000,

Are you able to run the following in a PowerShell command line on the target machine as defined in the job, and see if both are able to return the account details as expected?

Get-ADUser -Identity yourusername@yourdomain.gov.uk

and

Get-ADUser -Identity yourusername

I suspect that your sAMAccountName against your AD account is just yourusername, and Get-ADUser (a Microsoft cmdlet that we're using to check if the user account exists) won't see yourusername@yourdomain.gov.uk as a valid identifier.

Cheers,
Steve

JanS2000 (Author) Posted June 15, 2023

15 hours ago, Steve G said: Hi @JanS2000, Are you able to run the following in a PowerShell command line on the target machine as defined in the job, and see if both are able to return the account details as expected? Get-ADUser -Identity yourusername@yourdomain.gov.uk and Get-ADUser -Identity yourusername. I suspect that your sAMAccountName against your AD account is just yourusername, and Get-ADUser (a Microsoft cmdlet that we're using to check if the user account exists) won't see yourusername@yourdomain.gov.uk as a valid identifier. Cheers, Steve

Hi @Steve G, yes, the first one fails but the second one returns a result okay. What variable should the MemberIdentity be using? I've tried CustomerID (the BPM runs okay but the automation fails) and LoginID (both fail). There aren't any other variables I can see that would be right.

JanS2000 (Author) Posted June 15, 2023

Hi, I've been looking at the keysafe settings and I don't know if this will help or confuse things. For this particular IT automation node, I used the Azure Automation type. I've read a bit more and found there's a different type for AD user admin, so I've set that up now but had to use my credentials (I've got the relevant rights, or should have anyway). This will need changing, I know, but I can't get hold of anyone just now to input the admin password for me, so I'm just using mine while testing. Should I change the node in the BPM to the userpass type, and if so, which variable should I use for the user ID? Here's the node in the process which shows which node type precedes it, in case that's any help in figuring this out. Thanks again for your help with this, I really appreciate it.

Steve G Posted June 15, 2023

5 hours ago, JanS2000 said: What variable should the MemberIdentity be using?

It depends what you have stored in your user records, to be honest, and in which fields. That automation requires one of the following to be able to identify the user in your on-premise Active Directory domain:

A distinguished name
An object GUID
A security identifier
A SAM account name

If you don't have one of those stored against your Hornbill user records, then you could always extract the sAMAccountName portion of your user ID, using the String Utilities in the workflow. So you could first search for the location of the @ character in your user ID (you would use the current variable instead of steveg@mydomain.co.uk):

Then use the Result output of that node as the To input of a Substring node, with 0 as the From input, and your User ID variable as the Input Text, as so:

So in my example autotask, below:

Outputs as so:

Hope this helps,
Steve
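The two answers above make one point between them: Get-ADUser -Identity only accepts a distinguished name, objectGUID, SID or sAMAccountName, so a UPN such as myusername@ourdomain.gov.uk is rejected with "Cannot find an object with identity", and the workflow has to hand over one of the accepted forms. The script below is an added example written for this page; it is not part of the thread, and it is not the code inside the Hornbill Active Directory Group Management package. It resolves whatever identifier the workflow passes into an AD user object before calling Add-ADGroupMember. For a UPN it first queries userPrincipalName with -Filter, which is the reliable lookup, and only then falls back to the substring-before-@ approach from the thread, because the UPN prefix usually equals the sAMAccountName but is not guaranteed to. The function names, group name, user values and the optional -Server parameter are placeholders; the script assumes the RSAT ActiveDirectory module is installed on the target machine named in the job and that the running credential can read user objects and write the group's member attribute.

```powershell
# Added example, not from the thread or the Hornbill package. All names are
# placeholders. Assumes the RSAT ActiveDirectory module is available on the
# target machine and the credential can read users and modify the group.
Import-Module ActiveDirectory

function Resolve-ADMemberIdentity {
    <#
      Get-ADUser -Identity accepts only a DN, objectGUID, SID or sAMAccountName.
      A UPN (user@domain) makes it throw "Cannot find an object with identity",
      so UPNs are resolved with -Filter on userPrincipalName instead.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server   # optional: pin the lookup to a specific DC / domain
    )

    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common['Server'] = $Server }

    if ($Identity -match '^[^@\s]+@[^@\s]+$') {
        # The value ends up inside a filter expression, so refuse characters
        # that could change its meaning rather than trying to escape them.
        if ($Identity -match '[''*()]') {
            throw "Unexpected characters in UPN '$Identity'"
        }
        $user = Get-ADUser -Filter "userPrincipalName -eq '$Identity'" @common
        if ($user) { return $user }

        # Fallback used in the thread: assume the UPN prefix is the sAMAccountName.
        $sam = $Identity.Substring(0, $Identity.IndexOf('@'))
        Write-Verbose "No userPrincipalName match for '$Identity'; trying sAMAccountName '$sam'"
        return Get-ADUser -Identity $sam @common
    }

    # DN, objectGUID, SID or sAMAccountName: hand straight to -Identity.
    return Get-ADUser -Identity $Identity @common
}

function Add-ResolvedGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,   # DN, GUID, SID or sAMAccountName of the group
        [Parameter(Mandatory)][string]$MemberIdentity,  # whatever the workflow passes in
        [string]$Server
    )

    $user = Resolve-ADMemberIdentity -Identity $MemberIdentity -Server $Server

    # -WhatIf reports the exact DN that would be added without touching the group.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add to group '$GroupIdentity'")) {
        Add-ADGroupMember -Identity $GroupIdentity -Members $user -ErrorAction Stop
    }
    return $user
}

# Usage with placeholder values: dry run first, then the real change.
Add-ResolvedGroupMember -GroupIdentity 'App-Finance-Users' `
    -MemberIdentity 'myusername@ourdomain.gov.uk' -WhatIf
Add-ResolvedGroupMember -GroupIdentity 'App-Finance-Users' `
    -MemberIdentity 'myusername@ourdomain.gov.uk' -Verbose
```

Run it on the target machine as the same credential the keysafe entry uses, with -WhatIf, before wiring anything into the workflow: if Resolve-ADMemberIdentity throws, the job will fail for the same reason regardless of which Hornbill variable is mapped. The -Server parameter is there because Graham's second question (which domain the user and the SIS server are in) matters: without it Get-ADUser searches the machine's own domain, which is what the "under: 'DC=ourdomain,DC=gov,DC=uk'" part of the error is telling you. For the credential itself, a dedicated service account delegated only "Write Members" on the target group is the appropriate thing to store in the keysafe rather than a personal admin login, since the automation runs unattended on every request.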
JanS2000 (Author) Posted June 15, 2023

2 minutes ago, Steve G said: It depends what you have stored in your user records, to be honest, and in which fields. That automation requires one of the following to be able to identify the user in your on-premise Active Directory domain: A distinguished name, An object GUID, A security identifier, A SAM account name. If you don't have one of those stored against your Hornbill user records, then you could always extract the sAMAccountName portion of your user ID, using the String Utilities in the workflow. So you could first search for the location of the @ character in your user ID (you would use the current variable instead of steveg@mydomain.co.uk). Then use the Result output of that node as the To input of a Substring node, with 0 as the From input, and your User ID variable as the Input Text, as so: So in my example autotask, below: Outputs as so: Hope this helps, Steve

Thanks @Steve G, I shall give that a try. The info required isn't in our Hornbill user records, so this will probably be where I'm going wrong. Thank you, I shall try your suggestion.

JanS2000 (Author) Posted June 27, 2023

Hi, sorry for the delay in coming back about this, I've just come back from leave so picked up on this again. I've replicated the steps suggested by @Steve G (thank you!) and although the process doesn't fail, and the auto task appears to work okay on the face of it, the automation job still fails to add me to the group: the auto task hasn't stripped out the bit from @ in the Customer ID. I can't find anything that says User ID; this variable doesn't come up. I noticed on the screenshot of the auto task Steve created that it says "set output process parameters" on the end node, but mine doesn't have anything like that. I can't figure out what I'm missing or where I'm going wrong. I've watched the wiki video demo of creating an auto task, so I think this bit is fine, just not sure if I've got the right variable in for the customer ID. The process fails every time if I choose Logon ID, but it seems to work with Customer ID; it just doesn't find me to add me as a member. If anyone can help point me in the right direction with this, I'd be very grateful, or would I be better off logging it with support, so someone can log in to our instance and check what I've done?

Steve G Posted June 27, 2023

Hi @JanS2000,

Apologies, it appears I missed a step out: you need to define the output parameters against the autotask before they will appear in the End node. Clicking on this button here will allow you to add parameters to your autotasks:

Cheers,
Steve

JanS2000 (Author) Posted June 28, 2023

Thanks for all your help @Steve G, I really appreciate it. I've added the output parameters and it all looks to work according to the status bar, but the job still fails. The execution log shows it's still looking for the username@domain.com. I've run out of my monthly allowance now (we only have use of the preview version), so I can't do any more testing until that resets. I'll check over what I've put in and make sure I've got the right strings etc. in the meantime, and will come back here to let you know how I get on when I can do another test. If I click onto the refresh button on the failed job, it lets me take the @domain.com out, and that looks like it might have worked, but my group ID wasn't right after all that, so still not 100% sure if it would have; but obviously that's not really going to help, as the service desk who deal with these requests wouldn't be able to go in to do this manually every time.

JanS2000 (Author) Posted July 4, 2023

On 6/28/2023 at 9:06 AM, JanS2000 said: Thanks for all your help @Steve G, I really appreciate it. I've added the output parameters and it all looks to work according to the status bar, but the job still fails. The execution log shows it's still looking for the username@domain.com. I've run out of my monthly allowance now (we only have use of the preview version), so I can't do any more testing until that resets. I'll check over what I've put in and make sure I've got the right strings etc. in the meantime, and will come back here to let you know how I get on when I can do another test. If I click onto the refresh button on the failed job, it lets me take the @domain.com out, and that looks like it might have worked, but my group ID wasn't right after all that, so still not 100% sure if it would have; but obviously that's not really going to help, as the service desk who deal with these requests wouldn't be able to go in to do this manually every time.

Hi, I've rerun one of the failed jobs after manually removing @ourdomainname from the MemberIdentity field shown above and it's added me to the group now, so everything else must be okay; it's just this bit that I'm still stuck on.

JanS2000 (Author) Posted July 18, 2023

Hi, I wondered if it would be best if I logged this with support. As things are now the service can't be used, so I'm tempted to scrap the automation altogether and just have a human task to add people to the group. It would have been great to get this working, though, as I think it would really help with some of our frequent requests.