SCO 2012: Get Active Directory Group members using Get User Activity


When I first looked in the set of activities, I was surprised that no “Get Group Members” activity exists.

After a little playing around I discovered that “Get User” is the activity to use, and I have been using this activity since then.


It is pretty simple to set up.


1. Select a connection


2. Set a filter that searches for the group using the Indirect MemberOf filter rule:



Using the above method, you can make a simple runbook to empty an AD group of its members.
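
The transitive lookup that the Indirect MemberOf filter expresses can also be written as a plain LDAP query. The following is an added example, not part of the original post: it uses only System.DirectoryServices (no ActiveDirectory module), assumes the in-chain matching rule is the LDAP equivalent of the filter (the page does not say what the activity uses internally), and the function names and group DN are hypothetical.

```powershell
# Added example. Function names and the group DN are constructed placeholders.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515: escape \ * ( ) and NUL before placing a value inside a filter.
    # A DN such as "CN=Smith\, John,..." contains a backslash that must become \5c.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

function Get-TransitiveGroupUser {
    param([Parameter(Mandatory = $true)][string]$GroupDN)

    $dn = ConvertTo-LdapFilterValue $GroupDN
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN:
    # the domain controller walks nested groups and returns every user below the group.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$dn))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000          # page results so large groups are not truncated
    foreach ($p in 'distinguishedName', 'sAMAccountName', 'memberOf') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                # True only when the group is listed on the user object itself.
                Direct            = @($r.Properties['memberof']) -contains $GroupDN
            }
        }
    }
    finally {
        $results.Dispose()             # SearchResultCollection holds unmanaged resources
    }
}

# Constructed DN for illustration; replace with the group under review.
Get-TransitiveGroupUser -GroupDN 'CN=App-Owners,OU=Groups,DC=example,DC=com'
```

Users reported with `Direct = False` belong to the group only through a nested group, so they cannot be removed from the group itself; the nested group's membership has to change instead.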



June 24th, 2014 | Automation | 11 Comments

About the Author:

Jakob Gottlieb Svendsen

Twitter: @JakobGSvendsen


  1. Oskar Landman June 24, 2014 at 14:43

    Would though recommend using PowerShell, since this is way faster than using the activities, especially when you are querying for multiple objects against a big environment.

    • Jakob Gottlieb Svendsen June 24, 2014 at 15:28

      Yes.. it might be faster if you want to code PowerShell. (A lot is).
      So yes, good recommendation.

      The only problem is that the Active Directory module does not work in SCO2012R2 when using Windows Server 2012 R2…. (PS module requires PS4.0 and SCO runs 2.0)

      Which is kind of a big problem atm in PowerShell execution in SCO. 🙁

      Best Regards

      • Patrick June 25, 2014 at 8:03

        But you can start PS4.0 in PS2.0.

        • Jakob Gottlieb Svendsen June 25, 2014 at 9:38

          Sure you can, but you will have limitations on all ways you can do that. Either commandline max length, quote/special char problems when doing commandline, or serialization problems when doing PS remoting. Unless you have a good suggestion that works always? 🙂

          And most of my customers select Orchestrator because of the graphical interface, not to code PowerShell. 🙂

  2. Sam September 2, 2014 at 17:29

    Does anyone know how to set up the runbook to return the members of a group in the SCSM self service portal? I would like to create a self service offering in the SCSM portal using AD group membership for an application owner to see who has access to an application and be able to select the users that should be removed and add new users to the group in the same request. Is this possible with SCO and SCSM?

    • Jakob Gottlieb Svendsen September 3, 2014 at 9:19

      Hey Sam.

      Unfortunately that relationship is not in SCSM out-of-the-box.
      You will have to create your own connector in SCO or PowerShell (would recommend PowerShell for this, since there are a lot of items to handle).
      We have had a lot of customers asking for this specific feature, and have therefore made a custom connector for them.

  3. Robert December 10, 2014 at 16:24

    I do not see how this runbook is getting the user object. The Get user step in the runbook is only showing the filter for the group, but how is it getting the actual user to connect to?

  4. Keith_Ch September 17, 2015 at 0:43

    I’m having a strange problem. I have this set up the same way you do; I’m actually pulling a Group’s Object from SCSM, and using the distinguished name to filter it using Indirect Member (tried Memberof as well), but my user query always returns zero results. When I just try the user query on its own, it works and pulls all my users from AD. Any ideas why it pulls nothing? I went into ADSI Edit and double checked the Distinguished Name is correct… it’s pretty simple, I don’t know what else to change? I also tried adding a filter for a couple other things, like Last Name, and it seems to pull multiple objects no problem.

  5. Keith_Ch September 17, 2015 at 0:53

    I just noticed the description is “Distinguished names of groups that this user is an indirect member of”, note “names”, is this plural? I don’t need to list ALL the groups someone is in, do I?

  6. jack May 26, 2016 at 12:21

    …and if you have multiple users?
    I need to put multiple users in a specific group.

  7. Eric September 28, 2018 at 21:35

    I hope you are still monitoring this thread….
    I was able to get the users that are a member of the groups. When I try to pass that on to the next Activity which is Removing User from Group I receive an error. “The distinguished name ” is not valid. Distinguished Names must comply to RFC2253 and Active Directory Naming rules….” Would you kindly assist?
