4 Replies Latest reply on Jul 19, 2017 11:20 AM by DeWetTheHitmanBarry

    Creation of AD account from HEATSM

    wbentz Rookie

      Has anyone created a PowerShell script to run in the workflow of a new hire SR and create the account in Active Directory? Or even using the API? Just throwing some scenarios around to automate the new hire creation process and wondering what anyone has experimented with. We are using HEAT 2016.2.

        • 1. Re: Creation of AD account from HEATSM
          florian1 Expert

          I haven't done this yet, as our AD accounts are automatically created in another system, but this shouldn't be too difficult.

          First of all, you have to collect all the necessary data in the request offering:
          - FirstName
          - LastName
          - Department
          - Employee OU
          - [...]

          Create a remote host connection to run the script on:

          Create your PowerShell script with Params:

          #region Params
          Param
          (
              [Parameter(Mandatory=$true)]
              [ValidateNotNullOrEmpty()]
              $firstName = "Florian",
              [Parameter(Mandatory=$true)]
              [ValidateNotNullOrEmpty()]
              $lastName = "Deutsch",
              [Parameter(Mandatory=$true)]
              [ValidateNotNullOrEmpty()]
              $department = "IT",
              [Parameter(Mandatory=$true)]
              [ValidateNotNullOrEmpty()]
              $OU = "OU=IT,DC=internal,DC=contoso,DC=com"
          )
          # [...]
          #endregion
          Import-Module ActiveDirectory   # Get-ADUser / New-ADUser come from the RSAT AD module
          #region userCreation
          # Search for an appropriate samAccountName: first initial + lastname, then two initials + lastname, ...
          [bool]$accountExists = $true
          For ([int]$i = 1; $i -le $firstName.Length; $i++) {
              $samAccountName = $($firstName.Substring(0, $i) + $lastName).ToLower()
              $adUser = Try { Get-ADUser $samAccountName } Catch { $null }   # Get-ADUser throws when the account does not exist
              If (!($adUser)) {
                  Write-Host "Determined `"$samAccountName`" as samAccountName."
                  $accountExists = $false
                  break
              }
          }
          # Every prefix variant is already taken: fall back to a numeric suffix instead of looping forever
          [int]$n = 1
          While ($accountExists) {
              $samAccountName = "$($firstName.Substring(0, 1))$lastName$n".ToLower()
              $adUser = Try { Get-ADUser $samAccountName } Catch { $null }
              If (!($adUser)) { $accountExists = $false } Else { $n++ }
          }
          Try {
              Write-Host "Creating $samAccountName..."
              New-ADUser -Name:$samAccountName -GivenName:$firstName -Surname:$lastName -Path:$OU -WhatIf
          }
          Catch { Write-Host $_ }
          #endregion

          Create a "Run Program" QuickAction:

          Parse your ServiceReq parameters as PowerShell parameters.

          Parsing multiple parameters looks a bit strange, but it works fine for me like this.

          Use this in "Arguments":

          "D:\Scripts\AD-CreateAccount.ps1 -FirstName:'"$(GetSRPValue(RecId, "txt_FirstName"))"' -LastName:'"$(GetSRPValue(RecId, "txt_LastName"))"' -Department:'"$(GetSRPValue(RecId, "pl_Department"))"'"

          Use "Run Program" in your Offering Workflow and refer to the QuickAction you just created:

          There are still some points missing you might want to consider:
          - generate a random password (+ChangePasswordAtLogon)
          - add Group memberships (by default they will only be a domain user)
          - store the return value in HEAT so you know which SR created an account
          - create exchange mailbox
          - provision mobile device(s)
          - [...]

          Cheers

          Florian
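As an added example (not Florian's script and not anything shipped with HEAT), here is how the "missing points" above can be covered: a random initial password with ChangePasswordAtLogon, group membership, and a return value the QuickAction can store in the SR, plus input validation, because the SR field values are interpolated straight into a command line by the "Run Program" arguments. The $Groups parameter, its values and the out-of-band password delivery step are assumptions.

```powershell
# Added example, not Florian's script: hardened parameters plus three of the
# "missing points" (random password + ChangePasswordAtLogon, group membership,
# a return value HEAT can store). $Groups and the password delivery step are
# assumptions, not from the thread.
Param(
    # The QuickAction interpolates SR fields straight into a command line, so
    # reject anything that is not a plain name before it reaches New-ADUser.
    [Parameter(Mandatory=$true)][ValidatePattern('^[\p{L}''\- ]{1,40}$')]
    [string]$firstName,
    [Parameter(Mandatory=$true)][ValidatePattern('^[\p{L}''\- ]{1,60}$')]
    [string]$lastName,
    [Parameter(Mandatory=$true)][ValidatePattern('^(OU=[^,]+,)+DC=[^,]+(,DC=[^,]+)*$')]
    [string]$OU,
    [string[]]$Groups = @()   # e.g. 'SW-Office'; filled from the SR (assumed)
)
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 16)
    # Exactly 64 symbols (no 0/O, 1/l/I), so "byte mod 64" is unbiased
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*?+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# samAccountName: first initial + surname, reduced to what AD accepts
# (the uniqueness search from Florian's script is left out here)
$sam = (($firstName.Substring(0, 1) + $lastName).ToLower() -replace '[^a-z0-9]', '')
$password = New-RandomPassword
$securePw = ConvertTo-SecureString $password -AsPlainText -Force
Try {
    $user = New-ADUser -Name $sam -SamAccountName $sam -GivenName $firstName `
        -Surname $lastName -Path $OU -AccountPassword $securePw `
        -ChangePasswordAtLogon $true -Enabled $true -PassThru
    ForEach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $user }
    # Hand $password to the out-of-band delivery step of your onboarding
    # process (assumed to exist); never write it into the SR or a log.
    # This line is the return value the QuickAction captures for the SR:
    "CREATED;$($user.SamAccountName);$($user.ObjectGUID)"
}
Catch {
    "FAILED;$($_.Exception.Message)"
}
```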

          • 2. Re: Creation of AD account from HEATSM
            DeWetTheHitmanBarry Rookie

            Hi Florian,

            Thanks for your post, it was very useful!

            We are looking to do the same as what wbentz was requesting.

            Have you perhaps done something similar by using Orchestrator as the middleware tool for automation in creating AD accounts or creating / updating AD groups?

            For example, a Software Request via the service catalogue, and then after approvals are met it kicks off something similar to check / add the user to an AD group (software), which then gets deployed via SCCM or any other application deployment software.

            I believe this could be achieved similar to your above recommendation via a PowerShell script or by leveraging the Orchestrator application, which would sit between HEAT / AD.

            Any suggestions or feedback on this?

            We are currently running HEAT 2016.2 on premise.

            • 3. Re: Creation of AD account from HEATSM
              florian1 Expert

              I haven't done this yet, but we are planning to use Azure Automation with Hybrid Runbooks or Service Management Automation (SMA) instead of Orchestrator soon.

              Here's what I will do:

              1) create my runbook(s) as needed (sample SMA AD runbooks)
              2) create a PowerShell script similar to the one I already provided, but instead of directly contacting Active Directory, use PowerShell to leverage the Orchestrator Web Service and invoke your Runbook (HowTo)
              3) create a Quick Action and execute the PowerShell script from 2).

              Cheers
              Florian
              • 4. Re: Creation of AD account from HEATSM
                DeWetTheHitmanBarry Rookie

                That's very similar to what I had in mind, except using Orchestrator and not leveraging the Azure platform.

                Those sample Runbooks are very good, by the way; they have all the core info to get started.

                By using the SMA / Orchestrator approach instead of triggering a PowerShell script which directly hits AD, it provides a lot more options to "close" the loop and then send notifications once the application is installed via the 3rd party app, i.e. SCCM etc., as opposed to just dropping the user in an AD group.

                Regards,

                Riyaaz