Active Directory IP "Get User"

Sep 23, 2014 at 3:59 PM
Hi,

I'm trying to use our PSE system to update attributes within active directory. In theory this is simple enough. We export a CSV file, read a line, etc. The trouble I'm having is that we cannot use user names or distinguished names to identify the user. We need to be able to pull our user using their employeeID. Is there a way of using the employeeID attribute to get the required user and update a field within AD?

From what I've tried so far, we cannot do this using the standard Get User activity, nor any from the IP I've downloaded here. Any help you can give me would be appreciated.

Thanks
Sep 23, 2014 at 4:25 PM

Hey Johawn,

You can use the ‘get object distinguished name’ activity and choose LDAP Search Filter as the object type, then put an LDAP query into the object name field.

Ex:

Domain: Your Domain

Object Name: (employeeID=’Data from CSV’)

Object Class: LDAP Search Filter

For more information on LDAP search filters see

http://technet.microsoft.com/en-us/library/aa996205(v=EXCHG.65).aspx

Ryan andorfer

IT Consultant I

System Center Cloud and Datacenter

General Mills, Inc.

763-445-9680
[email removed]

opalis.wordpress.com

scorch.codeplex.com

Marked as answer by Johawn on 9/23/2014 at 12:46 PM
Sep 23, 2014 at 6:09 PM
Edited Sep 23, 2014 at 6:18 PM
Thanks randorfer, that's very helpful!

So, my understanding at this point is that if I add a "Set object property value" activity next, I should be able to subscribe to the object LDAP path from the previous step in order to use the output of the previous step?

So, I've done this, and first hit a "must enter a valid LDAP." So I added LDAP:// to the beginning, and am now hitting "Unknown error (0x80005000)."

I've also tried an Update User instead of Set Object Property Value, and in this instance I get a "The user " was not found," so it looks like it's not capturing the DN from the previous step.

Below I've put the configuration of the activities I'm using to test. If you can spot somewhere I've gone obviously wrong (I'll admit to being fairly new to SCORch, really only using it to provision accounts before), then please flag it up.

Really appreciate your help here!

Read Line
File: [PATH TO FILE]
File encoding: Auto
Line numbers: 3

Get Object DistinguishedName
Domain name: [DOMAIN NAME]
Object name: (employeeID=[Field({Line text from "Read Line"}',',',1)])
Object Class: LDAP Search Filter

Set Object Property Value
Object LDAP Path: LDAP://{Object_LDAP_Path from "Get Object DistinguishedName"}
Property Name: Company
Property Value: Test
Sep 23, 2014 at 6:20 PM

Try running it in the test console and see if you are getting valid outputs from the ‘get object DistinguishedName’ object. The LDAP Query I sent may not have been valid for what you are doing.

-Ryan

Sep 23, 2014 at 6:48 PM
Edited Sep 23, 2014 at 6:55 PM
Have done so, though it doesn't tell me much. The Get Object DistinguishedName comes out as successful and moves on to the next step. Other than run time information, all it tells me is:

Activity ID - {113F591A-6EBC-461B-B1CC-63492EEADE4A}
Activity name - Get Object DistinguishedName
Activity Process ID - 4152
Activity status - success
Activity type - Get Object DistinguishedName
Runbook name - New Runbook
Runbook Process ID - 4152
Runbook Server Name - SCOR-01

If I deliberately change the LDAP query to something I know is wrong, it still comes back successful, too.

Going on to the Set Object Property Value step, the output is:
Unknown error (0x80005000)

Exception: COMException
Target site: DirectoryEntry.Bind

Stack trace:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at Active_Directory.setObjectPropertyValue.setSinglePropertyValue(DirectoryEntry objRootDSE, String strAttrName, String propertyValue) in c:\Projects\TFS\scorch\Active Directory\Integration Pack\Activities\SetObjectPropertyValue.cs:line 233
at Active_Directory.setObjectPropertyValue.<setPropertyValue>d__0.MoveNext() in c:\Projects\TFS\scorch\Active Directory\Integration Pack\Activities\SetObjectPropertyValue.cs:line 52
at Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core.FilterSet.Filter(IEnumerable values)
at Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core.FilteredResponse.PublishRange(IEnumerable values)
at Active_Directory.setObjectPropertyValue.Execute(IActivityRequest request, IActivityResponse response) in c:\Projects\TFS\scorch\Active Directory\Integration Pack\Activities\SetObjectPropertyValue.cs:line 43

Activity ID - {C85B2D55-8952-4BBD-8523-46863CF81261}
Activity Name - Set Object Property Value
Activity Process ID - 2152
Activity Status - Failed
Activity Type - Set Object Property Value
Runbook name - New Runbook
Runbook Process ID - 2152
Runbook Server name - SCOR-01


Thanks
Sep 23, 2014 at 7:02 PM
Right, that's saying that it talked to AD correctly but found no results; the LDAP query probably isn't correct. Check the MSDN article for how to test it.

Sent from my Windows Phone

Sep 23, 2014 at 8:45 PM
It turned out to be an issue with the service account. When Orchestrator was set up for us, for some reason, the password was set to expire on our Runbook account. Once we fixed that, the LDAP query worked fine and we got the results we wanted. Really appreciate your help with this, Ryan.
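A way to check, outside the runbook, the two things this thread turned on: that the employeeID search filter resolves to exactly one DN (the Get Object DistinguishedName activity reports success even when nothing matches), and that the bind to LDAP://<DN> succeeds before Company is written. This is an added example, not code from the thread or from the Active Directory Integration Pack; the domain, CSV path and service account name are placeholders.

```powershell
# Added example: validate the employeeID lookup and the bind step before running the runbook.
# Assumed values: domain, CSV path and the runbook service account name are placeholders.
param(
    [string]$CsvPath        = 'C:\Temp\users.csv',          # assumed: employeeID is the first CSV field
    [string]$SearchRoot     = 'LDAP://DC=example,DC=com',   # assumed domain
    [string]$RunbookAccount = 'svc-orchestrator'            # assumed service account
)

function ConvertTo-LdapSafeValue([string]$v) {
    # RFC 4515 escaping so a value read from the CSV cannot change the filter's meaning
    $v -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
}

function Find-DnByEmployeeId([string]$EmployeeId) {
    # Same filter idea as the thread's Object Name field, restricted to user objects
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.Filter = "(&(objectCategory=person)(employeeID=$(ConvertTo-LdapSafeValue $EmployeeId)))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $results = $searcher.FindAll()
    if ($results.Count -ne 1) {
        # An empty result here is what the runbook hid: the activity still reported "success"
        throw "employeeID '$EmployeeId' matched $($results.Count) objects; expected exactly 1"
    }
    return $results[0].Properties['distinguishedname'][0]
}

function Set-CompanyByDn([string]$Dn, [string]$Company) {
    # Equivalent of the Set Object Property Value activity: bind to LDAP://<DN>, set Company
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn")
    try {
        $entry.Properties['company'].Value = $Company
        $entry.CommitChanges()
    } catch [System.Runtime.InteropServices.COMException] {
        # Surfaces the HRESULT (the thread saw 0x80005000 on DirectoryEntry.Bind) with the path used
        throw "Bind/commit failed for LDAP://$Dn : 0x$('{0:X8}' -f $_.Exception.ErrorCode) $($_.Exception.Message)"
    }
}

# 1. Confirm the runbook service account can still authenticate; an expired password fails every LDAP step
Import-Module ActiveDirectory
Get-ADUser $RunbookAccount -Properties PasswordExpired, PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordExpired, PasswordNeverExpires, PasswordLastSet

# 2. Resolve the DN for the employeeID on CSV line 3, field 1 (as in the runbook), then apply the change
$employeeId = (Get-Content $CsvPath | Select-Object -Index 2).Split(',')[0]
$dn = Find-DnByEmployeeId $employeeId
Set-CompanyByDn -Dn $dn -Company 'Test'
```

Run it under the same account the Runbook Service uses, so a password or permission problem on that account shows up here rather than as an unexplained bind error in the runbook.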