Question

Questions about Automation in Active Directory On Premise Integration

  • 2 September 2021
  • 18 replies
  • 632 views

Userlevel 1

Hi,

 

New in the FRESH SERVICES world, i have a few questions to ask the community, about Automation in Active Directory On Premise integration.

The orchestration server is well functionnal, and first tests (for example) to force a password reset is OK.

In our active directory, user (samaccountname) is built with the first letter of the lastname + firstname.
(For Jean DUPONT, SamAccountName is jdupont).

My Question is : How to create user, or a reset password’ user based on this approach ?

More generally, does it exist a knowledge base with automator example on Active Directory OnPremise ?

Thanks in advance for your help guys :)
Kevin DEVOS.


18 replies

Userlevel 4
Badge +8

Kevin,

I can share some screen shots and some information with you. I have a complex AD integration setup thru the employee onboarding module as well as azure to issue O365 licensing to the user created in AD.

 

If you start in your workflow and add the app “Microsoft Active Directory - Orch” and select create user.

 

Name: {{ticket.onboarding_request.actor_1.cf_first_name}}{{ticket.onboarding_request.actor_1.cf_last_name}}

NOTE: There is a space between the first code and the second. It would issue
John Doe” off of the onboarding ticket. You could substitute these fields for any others in Freshservice and send those to AD. The same is true for the entries defined below.
 

account_password: Enter A Password For The First Time Access IE: Ch@ng3m3!

change_password_at_logon: true
 

city: some value
 

company: some value
 

country: some value
 

department: {{ticket.onboarding_request.actor_1.cf_department_2}}
Note: Based on a field with drop downs on the on boarding form)


display_name: {{ticket.onboarding_request.actor_1.cf_first_name}} {{ticket.onboarding_request.actor_1.cf_last_name}}
 

email_address: {{ticket.onboarding_request.actor_1.cf_first_initial}}{{ticket.onboarding_request.actor_1.cf_last_name}}companyname.com
 

enabled: true

given_name: {{ticket.onboarding_request.actor_1.cf_first_name}}
 

path: OU={{ticket.onboarding_request.actor_1.cf_department_2}},OU=Departments,OU=Company Name,OU=Users,OU=City,OU=USA,DC=localdomain,DC=int

NOTE: Edit this with your OU’s and domain information


sam_account_name: {{ticket.onboarding_request.actor_1.cf_first_initial}}{{ticket.onboarding_request.actor_1.cf_last_name}}

 

surname: {{ticket.onboarding_request.actor_1.cf_last_name}}

 

type: user

 

user_principle_name: {{ticket.onboarding_request.actor_1.cf_first_initial}}{{ticket.onboarding_request.actor_1.cf_last_name}}companyname.com

 

Hit me up if you need further information. 

Userlevel 1

Thanks a lot for this information :

user_principle_name: {{ticket.onboarding_request.actor_1.cf_first_initial}}{{ticket.onboarding_request.actor_1.cf_last_name}}companyname.com

:grinning:

It would be very nice from you to share your employee inboarding process.I’m in the same case : AD OnPremise, and O365 email account.

In case if a user OU is depending on a geographic location, is there a way to specify different OU (maybe multiple CONDITION ?).

Thanks again for your very quick help.

Kevin

Userlevel 4
Badge +8

So we use the employee onboarding module in Freshservice. On the onboarding form we ask for the following fields.

 

First Name

First Initial

Middle Name

Last Name

Last Four Of The SSN

Employing Company (Drop Down List)

Date Of Joining

Employee ID

Department (Drop Down List)

Reporting Manager (List Of All Employees Pulled From AD)

 

On the department field we take the selection and add it as a variable in our orchestration workflow to automatically place the new account in the right OU back in active directory.

 

Userlevel 4
Badge +8

Here is a overview screen shot of the create user workflow. (No Details)
 

Right click image attachment below and open in new tab. :)

Userlevel 4
Badge +8

After the initial user workflow completes a second workflow executes adding the users license to office 365. 

 

This is tricky because you need to wait for a “AD Sync” from on prem to the cloud. usually this is 30 min by default with MS. We don't have any wait conditions in the orch module. (I have asked for them) 

 

So I set a status and if that status is greater than an hour i execute the second workflow.  It’s dirty but works.

 

Right click image attachment below and open in new tab. :)

 

How do you deal with employees who may have greater than 20 characters in their name? My organization uses firstname_lastname as the sAMAccount format. 

Userlevel 4
Badge +8

How do you deal with employees who may have greater than 20 characters in their name? My organization uses firstname_lastname as the sAMAccount format. 

Are you running NT or server 2000?

 

No, but my provisioning process still has that limitation in place, and i have many accounts that have been around since AD was first implemented here. 

Thank you mmccoy, we are about to explore the onboarding automation, i have a question, how you create the mailboxes, our environment is hybrid, so we create remote mailboxes using onprem hybrid exhange server, does the onboarding workflow allow to create the remote mailbox?

Userlevel 4
Badge +8

Thank you mmccoy, we are about to explore the onboarding automation, i have a question, how you create the mailboxes, our environment is hybrid, so we create remote mailboxes using onprem hybrid exhange server, does the onboarding workflow allow to create the remote mailbox?

 

Not knowing your exact use case….. In theory and a lot of work :) I think you could use the powershell orch.  You could issue a “New-RemoteMailbox” command calling the exchange powershell module from your local orch server.

 

IE, setup a orch server for powershell. Setup a workflow automation and call Import-Module ExchangeOnlineManagement and then your second command would me to Connect-ExchangeOnline and finally issue commands to build the boxes.

 

Of course I haven't tested this. In the past I have found a lot of little bugs with some of the orch modules that I report and they get fixed a month or so later. It’s possible you run into something like that during this journey.

 

I tried a quick test and ended up having to encase the complete PowerShell command in quotes. That makes sense as it has a space in it and passing that space has to be defined somehow.

 "Import-Module ExchangeOnlineManagement" - This works :)

 

A second option would be to right this in a native PowerShell script and then just feed variables from your onboarding module to the script via csv.

 

 

Userlevel 4
Badge +8

No, but my provisioning process still has that limitation in place, and i have many accounts that have been around since AD was first implemented here. 

My gut is it will just strip off anything more than 20 characters for the same and keep up to 256 for the UPN.
 

Lets test :)

 

Because I use first initial and last name. I will create a fictitious last name that's 20 characters and a single letter for the first name.

 

for the last name “Fruitallupagusmeyers” :)  - Yep that didn’t work…. :(

 

Ok lets try to use a liquid filter. {{ticket.onboarding_request.actor_1.cf_last_name | truncate: 19 “”}}

 

SUCCESS!

 

NOTE: the “” after the truncate tells the system to not add the ellipse “...” that liquid does by default. Very important unless you want to add that into their username. :)

 

 

Thank you for prompt reply, we run enable-remotemailbox command within Exchange Shell on local hybrid server, will give it a try, thank you again

Userlevel 1
Badge +1

Kevin,

I can share some screen shots and some information with you. I have a complex AD integration setup thru the employee onboarding module as well as azure to issue O365 licensing to the user created in AD.”

I found the screenshots in the thread.  so thanks for the details.

 

Userlevel 2
Badge +1

Thank you mmccoy, we are about to explore the onboarding automation, i have a question, how you create the mailboxes, our environment is hybrid, so we create remote mailboxes using onprem hybrid exhange server, does the onboarding workflow allow to create the remote mailbox?

 

Hi @Madina 

Any update if you’ve successfully implemented this? Im currently exploring this right now :)

Userlevel 3
Badge +3

Thank you mmccoy, we are about to explore the onboarding automation, i have a question, how you create the mailboxes, our environment is hybrid, so we create remote mailboxes using onprem hybrid exhange server, does the onboarding workflow allow to create the remote mailbox?

 

Hi @Madina 

Any update if you’ve successfully implemented this? Im currently exploring this right now :)

Hi guys - I have just been through this and have got it working. let me know if you are still stuck

Thank you mmccoy, we are about to explore the onboarding automation, i have a question, how you create the mailboxes, our environment is hybrid, so we create remote mailboxes using onprem hybrid exhange server, does the onboarding workflow allow to create the remote mailbox?

 

Hi @Madina 

Any update if you’ve successfully implemented this? Im currently exploring this right now :)

Hi guys - I have just been through this and have got it working. let me know if you are still stuck

@mythumbsclick , how did you get this to work?  I’m just now starting to work on this for automating our onboarding tasks.  Would love to get more details.

Userlevel 7
Badge +12

Wow, love all the hands in helping solve this business problem. @kdevos We also use first letter of first name and full last name as the SamAccountName for AD. And we also have had issues with that approach as you can imagine the possibilities of people with the SamAccountName of “JSmith”. This has proven difficult from an automation standpoint but I believe our solution is going to be using Expression Builder to basically loop through the names, making sure we create an AD user with the correct sequential SamAccountName.

Glad to see some many solutions for AD On-Prem and Orchestration Center. Take care!

Userlevel 3
Badge +3

@marqueza - I will summarise what we did so you can get a picture. Happy to provide more detail if required.

(Brace yourself, Its quite hacky)

  • Setup a service account that the orchestration app Powershell is configured with.
  • Service account has WINRM permissions on the Orchestration server (and the DC server via built in Remote Management Users)
  • Via GP deny interactive logins to domain for extra security
  • On the orchestration server, Allow the service account to write to the application event log using (SDDL) string - Link (pushed via GP). This was a learning Curve!
  • Next create folder on the orchestration server with NTFS permissions that the service account can write to
  • Have the following script that will Enable-RemoteMailbox
$User = "domain\TEST.USER"
$UserRemoteRoutingAddress = "TEST.USER@testdomain.mail.onmicrosoft.com"

$credential = Import-CliXml -Path "E:\somepath\Freshservice\encryptedcreds.xml"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://azexch/powershell/ -Credential $credential

Import-PSSession $Session
Enable-RemoteMailbox $User -RemoteRoutingAddress $UserRemoteRoutingAddress
  • Setup a GMSA
  • Use PSEXEC to run powershell as GMSA and create the credential xml file referenced in the above powershell script. The cred file HAS to be created by the GMSA.
  • Next create a scheduled task run by the GMSA on the orchestration server that is triggered on an event number of your choosing. Example:
    • Log: Application
    • Source: Freshservice Orchestration
    • Event ID: 3001
  • The action of the above task is: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "E:\SomePath\Enable Remote Mailbox Automation.ps1"
  • Now in The work flow in Freshservice create an App action in the onboarding new user flow
  • App - Powershell Orch
  • Payload:
#Path of enable remote mailbox script
$file = "E:\SomePath\Enable Remote Mailbox Automation.ps1"

#read content of script
$content = Get-Content -Path $file

#rewrite the first line of the script with Freshservice placeholder contents for firstname and surname
$content[0] = '$User = "Domain\{{ticket.onboarding_request.actor_1.cf_employee_name}}.{{ticket.onboarding_request.actor_1.cf_employee_surname}}"'

#rewrite the second line of the script with Freshservice placeholder contents
$content[1] = '$UserRemoteRoutingAddress = "{{ticket.onboarding_request.actor_1.cf_employee_name}}.{{ticket.onboarding_request.actor_1.cf_employee_surname}}@testdomain.mail.onmicrosoft.com"'

#write the changes back
$content | Set-Content -Path $file

#trigger the event log that will in turn trigger the scheduled task that will then run the Enable Remote mailbox script using the GMSA account (and credentials file)
Write-EventLog -LogName "Application" -Source "Freshservice Orchestration" -EventID 3001 -EntryType Information -Message "Freshservice ran a Enable-RemoteMailbox work flow for new user {{ticket.onboarding_request.actor_1.cf_employee_name}}.{{ticket.onboarding_request.actor_1.cf_employee_surname}}." -Category 1 -RawData 10,20

I think that just about covers it. It works well for us albeit a bit long winded but its the only decent way we could figure out how to do this and keep everything secure. I avoided storing secure credentials in the work flow for example.

Reply