First when I looked in the set of activities, i was surprised that no “Get Group Members” activity exist.
After a little playing around i discovered that “Get User” is the activity to use. And i have been using this activity since then.
It is pretty simple to setup.
1. Select a connection
2. Set a filter that searches for the group using the Indirect MemberOf filter rule:
using above method you can make a simple runbook to empty a AD group of members:
Twitter: @JakobGSvendsen
Jakob Gottlieb Svendsen is a Microsoft Cloud and Data Center Management MVP (http://mvp.microsoft.com/en-us/default.aspx), Working as Global Lead Developer, Senior Consultant and Trainer at CTGlobal, where he is one of the driving forces in keeping CTGlobal a System Center Gold Partner and member of the System Center Alliance.
Since he started at Coretech in 2007, he has focused on Scripting and Development, primarily developing tools, extensions and scripts for the System Center Suite. His main area is Automation (including OMS/Azure Automation, Service Management Automation, PowerShell and Orchestrator). Another area is Windows Azure Pack / Azure Stack, where he does implementation, development, workshops and presentations. He is a world-wide renowned voice in the Automation field.
He is passionately devoted to the community, to which he contributes by being a moderator at TechNet and sharing his knowledge at https://blog.ctglobalservices.com/jgs
Main working areas:
Training:
Der er lukket for kommentarer.
Would though recommend using PowerShell, since this is way faster then using the activities especially when you are querying for multiple objects against a big environment.
Yes.. it might be faster if you want to code PowerShell. (a lot is).
so yes good recommendation.
the only problem is that the Active directory Module does not work in SCO2012R2 when using Windows Server 2012 R2…. (PS module requries PS4.0 and SCO runs 2.0)
which is kind of a big problem atm in PowerShell execution in SCO. 🙁
Best Regards
Jakob
But you can start PS4.0 in PS2.0.
suer you can, but you will have limitations on all ways you can do that. either commandline max length, quote/special char problems when doing commandline or serialization problems when doing PS remoting. unless you have a good suggestion that works always? 🙂
and most of my customers select orchestrator because of the graphical interface, not to code powershell. 🙂
Does anyone know how to setup the runbook to return the members of a group in the SCSM self service portal? I would like to create a self service offering the SCSM portal using AD group membership for an application owner to see who has access to an application and be able to select the users that should be removed and add new users to the group in the same request. Is this possible with SCO and SCSM?
Hey sam.
unfortunately that relationship is not in SCSM out-of-the-box.
you will have to create your own connector in SCO or PowerShell (would recommend powershell for this, since there is a lot of items to handle).
we have had a lot of customers asking for this specific feature, and have therefore made a custom connector for them.
I do not see how this runbook is getting the user object. The Get user step in the runbook is only showing the filter for the group, but how is it getting the actual user to connect to?
I’m having a strange problem I have this set up the same way you do, I’m actually pulling a Group’s Object from SCSM, and using the distinguished name to filter it using Indirect Member (Tried Memberof as well), but my user query always returns zero results. When I just try a the user Query on it’s own, it works and pulls all my users from AD. Any ideas why it pulls nothing? I went into ADSI edit and double checked the Distinguished Name is correct… it’s pretty simple, I don’t know what else to change? I also tried adding a filter for a couple other things, like Last Name, and it seems to pull multiple objects no problem.
I just noticed the description is “Distinguished names of groups that this user is an indirect member of”, note “names”, is this plural? I don’t need to list ALL the groups someone is in, do I?
…and if you have multiples users?
i need to put multiple users in a specific group.
I hope you are still monitoring this thread….
I was able to get the users that are a member of the groups. When I try to pass that on to the next Activity which is Removing User from Group I receive an error. “The distinguished name ” is not valid. Distinguished Names must comply to RFC2253 and Active Directory Naming rules….” Would you kindly assist?