Question

Questions about Automation in Active Directory On Premise Integration

  • 2 September 2021
  • 13 replies
  • 114 views

Hi,

 

New in the FRESH SERVICES world, i have a few questions to ask the community, about Automation in Active Directory On Premise integration.

The orchestration server is well functionnal, and first tests (for example) to force a password reset is OK.

In our active directory, user (samaccountname) is built with the first letter of the lastname + firstname.
(For Jean DUPONT, SamAccountName is jdupont).

My Question is : How to create user, or a reset password’ user based on this approach ?

More generally, does it exist a knowledge base with automator example on Active Directory OnPremise ?

Thanks in advance for your help guys :)
Kevin DEVOS.


13 replies

Userlevel 3

Kevin,

I can share some screen shots and some information with you. I have a complex AD integration setup thru the employee onboarding module as well as azure to issue O365 licensing to the user created in AD.

 

If you start in your workflow and add the app “Microsoft Active Directory - Orch” and select create user.

 

Name: {{ticket.onboarding_request.actor_1.cf_first_name}}{{ticket.onboarding_request.actor_1.cf_last_name}}

NOTE: There is a space between the first code and the second. It would issue
John Doe” off of the onboarding ticket. You could substitute these fields for any others in Freshservice and send those to AD. The same is true for the entries defined below.
 

account_password: Enter A Password For The First Time Access IE: Ch@ng3m3!

change_password_at_logon: true
 

city: some value
 

company: some value
 

country: some value
 

department: {{ticket.onboarding_request.actor_1.cf_department_2}}
Note: Based on a field with drop downs on the on boarding form)


display_name: {{ticket.onboarding_request.actor_1.cf_first_name}} {{ticket.onboarding_request.actor_1.cf_last_name}}
 

email_address: {{ticket.onboarding_request.actor_1.cf_first_initial}}{{ticket.onboarding_request.actor_1.cf_last_name}}companyname.com
 

enabled: true

given_name: {{ticket.onboarding_request.actor_1.cf_first_name}}
 

path: OU={{ticket.onboarding_request.actor_1.cf_department_2}},OU=Departments,OU=Company Name,OU=Users,OU=City,OU=USA,DC=localdomain,DC=int

NOTE: Edit this with your OU’s and domain information


sam_account_name: {{ticket.onboarding_request.actor_1.cf_first_initial}}{{ticket.onboarding_request.actor_1.cf_last_name}}

 

surname: {{ticket.onboarding_request.actor_1.cf_last_name}}

 

type: user

 

user_principle_name: {{ticket.onboarding_request.actor_1.cf_first_initial}}{{ticket.onboarding_request.actor_1.cf_last_name}}companyname.com

 

Hit me up if you need further information. 

Thanks a lot for this information :

user_principle_name: {{ticket.onboarding_request.actor_1.cf_first_initial}}{{ticket.onboarding_request.actor_1.cf_last_name}}companyname.com

:grinning:

It would be very nice from you to share your employee inboarding process.I’m in the same case : AD OnPremise, and O365 email account.

In case if a user OU is depending on a geographic location, is there a way to specify different OU (maybe multiple CONDITION ?).

Thanks again for your very quick help.

Kevin

Userlevel 3

So we use the employee onboarding module in Freshservice. On the onboarding form we ask for the following fields.

 

First Name

First Initial

Middle Name

Last Name

Last Four Of The SSN

Employing Company (Drop Down List)

Date Of Joining

Employee ID

Department (Drop Down List)

Reporting Manager (List Of All Employees Pulled From AD)

 

On the department field we take the selection and add it as a variable in our orchestration workflow to automatically place the new account in the right OU back in active directory.

 

Userlevel 3

Here is a overview screen shot of the create user workflow. (No Details)
 

Right click image attachment below and open in new tab. :)

Userlevel 3

After the initial user workflow completes a second workflow executes adding the users license to office 365. 

 

This is tricky because you need to wait for a “AD Sync” from on prem to the cloud. usually this is 30 min by default with MS. We don't have any wait conditions in the orch module. (I have asked for them) 

 

So I set a status and if that status is greater than an hour i execute the second workflow.  It’s dirty but works.

 

Right click image attachment below and open in new tab. :)

 

How do you deal with employees who may have greater than 20 characters in their name? My organization uses firstname_lastname as the sAMAccount format. 

Userlevel 3

How do you deal with employees who may have greater than 20 characters in their name? My organization uses firstname_lastname as the sAMAccount format. 

Are you running NT or server 2000?

 

No, but my provisioning process still has that limitation in place, and i have many accounts that have been around since AD was first implemented here. 

Thank you mmccoy, we are about to explore the onboarding automation, i have a question, how you create the mailboxes, our environment is hybrid, so we create remote mailboxes using onprem hybrid exhange server, does the onboarding workflow allow to create the remote mailbox?

Userlevel 3

Thank you mmccoy, we are about to explore the onboarding automation, i have a question, how you create the mailboxes, our environment is hybrid, so we create remote mailboxes using onprem hybrid exhange server, does the onboarding workflow allow to create the remote mailbox?

 

Not knowing your exact use case….. In theory and a lot of work :) I think you could use the powershell orch.  You could issue a “New-RemoteMailbox” command calling the exchange powershell module from your local orch server.

 

IE, setup a orch server for powershell. Setup a workflow automation and call Import-Module ExchangeOnlineManagement and then your second command would me to Connect-ExchangeOnline and finally issue commands to build the boxes.

 

Of course I haven't tested this. In the past I have found a lot of little bugs with some of the orch modules that I report and they get fixed a month or so later. It’s possible you run into something like that during this journey.

 

I tried a quick test and ended up having to encase the complete PowerShell command in quotes. That makes sense as it has a space in it and passing that space has to be defined somehow.

 "Import-Module ExchangeOnlineManagement" - This works :)

 

A second option would be to right this in a native PowerShell script and then just feed variables from your onboarding module to the script via csv.

 

 

Userlevel 3

No, but my provisioning process still has that limitation in place, and i have many accounts that have been around since AD was first implemented here. 

My gut is it will just strip off anything more than 20 characters for the same and keep up to 256 for the UPN.
 

Lets test :)

 

Because I use first initial and last name. I will create a fictitious last name that's 20 characters and a single letter for the first name.

 

for the last name “Fruitallupagusmeyers” :)  - Yep that didn’t work…. :(

 

Ok lets try to use a liquid filter. {{ticket.onboarding_request.actor_1.cf_last_name | truncate: 19 “”}}

 

SUCCESS!

 

NOTE: the “” after the truncate tells the system to not add the ellipse “...” that liquid does by default. Very important unless you want to add that into their username. :)

 

 

Thank you for prompt reply, we run enable-remotemailbox command within Exchange Shell on local hybrid server, will give it a try, thank you again

Badge +1

Kevin,

I can share some screen shots and some information with you. I have a complex AD integration setup thru the employee onboarding module as well as azure to issue O365 licensing to the user created in AD.”

I found the screenshots in the thread.  so thanks for the details.

 

Reply