IT automation - add user to group failing as it can't find the customer


Recommended Posts

Good morning, I'm trying to add a user to a group which is managed in our on premise AD. I've checked the job queue and it looks fine, all executes okay and says run successfully but it actually fails every time as it can't find the customer. I've tried the Customer ID, Logon ID and even primary email address but none of them work. The process runs fine and the job closes as if it's all been completed but the user doesn't get added to the group and the details of the job says it failed. I must be using the wrong variable but in the Get Customer Info section, there aren't many options to choose from that relate to ID. Please could someone point me in the right direction? One thing to mention, I'd have to double check this, but our initial user import may have been from Azure AD and not our on premise AD, if so, would that have an impact on this? 

Also, while writing this and looking thoroughly at the screenshot attached, I'm wondering if I just need a new API key for the on premise AD but I'm not sure.

Any help or advice would be really appreciated, thank you.

[screenshot: itom job.jpg]
34 minutes ago, Graham said:

@JanS2000 Let's check the version of the package first, and make sure that's up to date.

Within ITOM, if you go to Package Management -> Installed Packages, what version do you see for Active Directory User Management?

Graham

Hi @Graham, thanks, it's version 21.


@JanS2000  No, the Group Management package is the one you need. That's me leading you astray by asking the wrong question! I should have asked about the Group Management package!

Assuming that's on version 14 (the latest), then it would appear that the problem is that the user you're trying to add can't be found. There are two possible reasons for that: either the user doesn't exist or the package is querying the wrong directory server.

Which domain is the user you're trying to add in and which domain is the SIS server itself in?


Yes it's version 14 @Graham. I'm testing it with myself as the user to add to the group so I definitely exist :D. My login and the SIS server are in the same domain.


@JanS2000 The package is calling the PowerShell cmdlet "Get-ADUser", passing in the value of the MemberIdentity parameter as the value of the -Identity parameter to the cmdlet, and it's that part which is failing.
I understand the redactions, and while I'm not asking you to "unredact" them, can you confirm that the value passed into the job is one of:

  • A distinguished name
  • An object GUID
  • A security identifier
  • A SAM account name
Edited by Graham: corrected cmdlet parameter name

Hi @Graham, the full error shows:

Get-ADUser: Cannot find an object with identity: 'myusername@ourdomain.gov.uk' under: 'DC=ourdomain,DC=gov,DC=uk'.


I can't see anything that shows all the details above. I'm not sure in all honesty what the security identifier would look like though. The SAM account name is my username, and that shows up in myusername@ourdomain.gov.uk. The only object GUID I can see is for the group.


Hi @JanS2000,

Are you able to run the following in a PowerShell command line on the target machine as defined in the job, and see if both are able to return the account details as expected?

Get-ADUser -Identity yourusername@yourdomain.gov.uk

And

Get-ADUser -Identity yourusername

I suspect that your sAMAccountName against your AD account is just yourusername, and Get-ADUser (a Microsoft cmdlet that we're using to check if the user account exists) won't see yourusername@yourdomain.gov.uk as a valid identifier.

Cheers,

Steve


Hi @Steve G, yes the first one fails but the second one returns a result okay. What variable should the MemberIdentity be using? I've tried CustomerID (the BPM runs okay but the automation fails) and LoginID (both fail). There aren't any other variables I can see that would be right.


Hi, I've been looking at the keysafe settings and I don't know if this will help or confuse things.

For this particular IT automation node, I used the Azure Automation type. I've read a bit more and found there's a different type for AD user admin, so I've set that up now but had to use my credentials (I've got the relevant rights, or should have anyway). This will need changing I know but I can't get hold of anyone just now to input the admin password for me, so I'm just using mine while testing.

Should I change the node in the BPM to the userpass type and, if so, which variable should I use for the user ID?

[screenshot]

Here's the node in the process which shows which node type precedes it, in case that's any help in figuring this out. Thanks again for your help with this, I really appreciate it.

[screenshot]

5 hours ago, JanS2000 said:

What variable should the MemberIdentity be using?

It depends what you have stored in your user records to be honest, and in which fields. That automation requires one of the following to be able to identify the user in your on-premise Active Directory domain:

  • A distinguished name
  • An object GUID
  • A security identifier
  • A SAM account name

If you don't have one of those stored against your Hornbill user records, then you could always extract the sAMAccountName portion of your user ID, using the String Utilities in the workflow. So you could first search for the location of the @ character in your user ID (you would use the current variable instead of steveg@mydomain.co.uk):

[screenshot]

Then use the Result output of that node as the To input of a Substring node, with 0 as the From input, and your User ID variable as the Input Text, as so:

[screenshot]

So in my example autotask, below:

[screenshot]

Outputs as so:

[screenshot]

Hope this helps,

Steve

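The same resolution Steve describes, written out as an added PowerShell example (not the Hornbill package's own code): the function names Resolve-MemberIdentity and Add-MemberToGroup, the group DN and the user value are all placeholders, and it assumes the ActiveDirectory module (RSAT) is present on the target machine and the run-as account can read users and modify the group. It goes one step beyond the Substring node by looking the UPN up as an attribute first, since sAMAccountName is not guaranteed to match the part before the @.

```powershell
# Added example, not the Hornbill package's own code. Assumes the ActiveDirectory
# module (RSAT) on the target machine and a run-as account with rights to read
# users and modify the group's membership.
Import-Module ActiveDirectory

function Resolve-MemberIdentity {
    param([Parameter(Mandatory)][string]$MemberIdentity)

    # DN, objectGUID, SID and sAMAccountName are accepted by -Identity as-is.
    if ($MemberIdentity -notmatch '@') {
        return Get-ADUser -Identity $MemberIdentity -ErrorAction Stop
    }

    # A UPN (user@domain) is not a valid -Identity value, which is exactly the
    # "Cannot find an object with identity" error above. Look it up by attribute
    # instead; the script-block filter resolves $upn itself, so the value never
    # needs quoting.
    $upn = $MemberIdentity
    $user = Get-ADUser -Filter { userPrincipalName -eq $upn } -ErrorAction Stop
    if ($user) { return $user }

    # Fallback equivalent to the Substring node: keep the text before '@'.
    # sAMAccountName is not guaranteed to equal the UPN prefix, which is why
    # the attribute lookup is tried first.
    $sam = $MemberIdentity.Substring(0, $MemberIdentity.IndexOf('@'))
    return Get-ADUser -Identity $sam -ErrorAction Stop
}

function Add-MemberToGroup {
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,  # DN, GUID, SID or sAMAccountName of the group
        [Parameter(Mandatory)][string]$MemberIdentity  # value coming from the BPM variable
    )
    $user = Resolve-MemberIdentity -MemberIdentity $MemberIdentity
    # Idempotent: a re-run of a failed job must not error on an existing member.
    $already = Get-ADGroupMember -Identity $GroupIdentity |
        Where-Object { $_.SamAccountName -eq $user.SamAccountName }
    if (-not $already) {
        Add-ADGroupMember -Identity $GroupIdentity -Members $user -ErrorAction Stop
    }
    return $user.SamAccountName
}

# Placeholder values; substitute the real group and the BPM's MemberIdentity value.
Add-MemberToGroup -GroupIdentity 'CN=SomeGroup,OU=Groups,DC=ourdomain,DC=gov,DC=uk' `
                  -MemberIdentity 'myusername@ourdomain.gov.uk'
```

Running this as the job's run-as account on the target machine reproduces the package's lookup step outside ITOM, so a failure here points at the identity value or the credential rather than the workflow.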

Thanks @Steve G, I shall give that a try. The info required isn't in our Hornbill user records so this will probably be where I'm going wrong. Thank you, I shall try your suggestion.


2 weeks later...

Hi, sorry for the delay in coming back about this, I've just come back from leave so picked up on this again. I've replicated the steps suggested by @Steve G (thank you!) and although the process doesn't fail, and the auto task appears to work okay on the face of it, the automation job still fails to add me to the group - the auto task hasn't stripped out the bit from @ in the Customer ID. I can't find anything that says User ID, this variable doesn't come up. 

I noticed on the screenshot of the auto task Steve created, that it says "set output process parameters" on the end node, but mine doesn't have anything like that. I can't figure out what I'm missing or where I'm going wrong. I've watched the WIKI video demo of creating an auto task so I think this bit is fine, just not sure if I've got the right variable in for the customer ID. The process fails every time if I choose Logon ID but it seems to work with Customer ID, but it just doesn't find me to add me as a member.

If anyone can help point me in the right direction with this, I'd be very grateful, or would I be better off logging it with support, so someone can login to our instance and check what I've done?

[screenshot]

Hi @JanS2000,

Apologies, it appears I missed a step out - you need to define the output parameters against the autotask before they will appear in the End node. Clicking on this button here will allow you to add parameters to your autotasks:

[screenshot]

Cheers,

Steve


Thanks for all your help @Steve G, I really appreciate it.

I've added the output parameters and it all looks to work according to the status bar, but the job still fails. The execution log shows it's still looking for the username@domain.com. I've run out of my monthly allowance now (we only have use of the preview version) so I can't do any more testing until that resets. I'll check over what I've put in and make sure I've got the right strings etc. in the meantime and will come back here to let you know how I get on, when I can do another test.

If I click the refresh button on the failed job, it lets me take the @domain.com out, and that looks like it might have worked, but my group ID wasn't right after all that, so I'm still not 100% sure if it would have. Obviously that's not really going to help, as the service desk who deal with these requests wouldn't be able to go in and do this manually every time.

[screenshot: Screenshot 2023-06-28 085737.jpg]

Hi, I've rerun one of the failed jobs after manually removing @ourdomainname from the MemberIdentity field shown above, and it's added me to the group now, so everything else must be okay; it's just this bit that I'm still stuck on :(


2 weeks later...

Hi, I wondered if it would be best if I logged this with support. As things are now the service can't be used so I'm tempted to scrap the automation altogether and just have a human task to add people to the group. It would have been great to get this working though, as I think it would really help with some of our frequent requests.
