Who started the runbook from the orchestration console? Use this runbook!

I have had this question again and again and again… and again…

Unfortunately the orchestration console does not show which user did trigger the runbook.

But this does not mean that it is not logged, you can actually use it as a filter in the console:



The user SID is in the “CreatedBy” field, but if you check the database, only the SID is saved.

So you will have to use the user objectSID in the filter, if you want to filter the jobs.


But this makes it possible for us to get the user info from the SID.

By using a clever SQL query, we can use the runbook process ID and runbook name to get the correct job. (since this is what we have available in the runbook)


The runbook:



  1. Receive runbook name and process ID
  2. Query the database for the user SID
  3. Use powershell to get samaccountname from sid (only current domain is supported. No active directory module needed)
  4. Return Sam Account Name
  5. If the sid is S-1-5-500, it has been triggered from the Runbook Designer and the runbook returns a string and not the sam account name

Testing / Using the runbook:


Please notice that the link out of the “invoke Runbook” activity will exclude if the result is the system sid and will not send an email

Download from TechNet Gallery:



This is only intended as a proof of concept, runbook might not be ready for production.

By | 2013-11-04T18:56:40+00:00 November 4th, 2013|Automation|3 Comments

About the Author:

Jakob Gottlieb Svendsen

Twitter: @JakobGSvendsen

Jakob Gottlieb Svendsen is a Microsoft Cloud and Data Center Management MVP (http://mvp.microsoft.com/en-us/default.aspx), Working as Global Lead Developer, Senior Consultant and Trainer at CTGlobal, where he is one of the driving forces in keeping CTGlobal a System Center Gold Partner and member of the System Center Alliance.

Since he started at Coretech in 2007, he has focused on Scripting and Development, primarily developing tools, extensions and scripts for the System Center Suite. His main area is Automation (including OMS/Azure Automation, Service Management Automation, PowerShell and Orchestrator). Another area is Windows Azure Pack / Azure Stack, where he does implementation, development, workshops and presentations. He is a world-wide renowned voice in the Automation field.

He is passionately devoted to the community, to which he contributes by being a moderator at TechNet and sharing his knowledge at https://blog.ctglobalservices.com/jgs

  • Co-founder: PowerShell User Group Denmark
  • Speaker at MMS 2016, Minneapolis (www.mmsmoa.com)
  • SCU Europe 2014, 2015, 2016 (www.systemcenteruniverse.ch)
  • Microsoft TechEd North America 2014, Houston
  • NIC 2012,2013,2014,2015, Oslo (www.nic.com)
  • Microsoft CampusDays 2011, 2013, Copenhagen
  • Microsoft TechDays 2015, Sweden (www.techdays.se)
  • Microsoft Partner Event: New in SC2012 SP1
  • User group meetings (PSUG.DK , SCUG.DK/BE/NO, AZMUG + more)
  • Microsoft Certified Trainer.
  • Microsoft Scripting Guys Forum Moderator

Main working areas:

  • Automation (Azure Automation, SMA, SCO)
  • Windows Azure Pack / Azure Stack
  • System CenterVisual Studio Team Services / Team Foundation Server
  • Development:C#.Net, VB.NET, VBScript, PowerShell, Service Manager, OpsMgr, ConfigMgr
  • Orchestrator
  • Windows Azure Pack / Azure Stack


  • Azure Automation
  • Service Management Automation
  • System Center Orchestrator
  • PowerShell, VBScript, C#.Net, VB.Net
  • Windows Azure Pack / Azure Stack Development Workshops


  1. Anders Bengtsson November 5, 2013 at 8:43 - Reply

    Great info. More info around logging and auditing look at
    Auditing in Orchestrator http://contoso.se/blog/?p=2980

  2. Burt Simpson June 10, 2015 at 21:25 - Reply

    I have been using Jakob’s runbook for a while and it works great. One thing though is it can only be invoked by the top level runbook. Invoking from nested runbooks, only returns the system account, S-1-5-500.

    Substituting the SQL query below will allow the runbook to be called from nested runbooks as it follows the ParentID entry up the chain to find the top level runbook.

    Thanks, Jakob, for the original and I hope this helps others.


    –Start of SQL query
    @CreatedByJobsTemp nvarchar(50)
    ,@RunbookIdJobsTemp uniqueidentifier
    ,@ParentIdJobsTemp uniqueidentifier
    ,@IdJobsTemp uniqueidentifier
    ,@ProcessIDInstanceTemp int

    @CreatedByJobsTemp = Jobs.CreatedBy
    ,@RunbookIdJobsTemp = Jobs.RunbookId
    ,@ParentIdJobsTemp = Jobs.ParentId
    ,@IdJobsTemp = Jobs.Id
    ,@ProcessIDInstanceTemp = Instance.ProcessID
    [Microsoft.SystemCenter.Orchestrator.Runtime].[Jobs] as Jobs with (nolock)
    inner join
    [POLICIES] as Runbooks with (nolock)
    on Jobs.RunbookId = Runbooks.UniqueID
    inner join
    [POLICYINSTANCES] as Instance with (nolock)
    on Instance.JobId = Jobs.Id
    Jobs.Status = ‘Running’
    and Runbooks.Name = ‘d.T.~Ed/{941F35C3-B853-463B-8C55-CC15F600F64A}.{484FE830-C6EA-44EE-85DF-B050364FBCE6}d.T.~Ed/’
    and Instance.ProcessID = ‘d.T.~Ed/{941F35C3-B853-463B-8C55-CC15F600F64A}.{9D8A22DF-4B23-4DF5-8857-D502E8D9DE32}d.T.~Ed/’

    (select @ParentIdJobsTemp) is not null
    declare @ParentIdJobsTest uniqueidentifier

    select @ParentIdJobsTest = @ParentIdJobsTemp

    @CreatedByJobsTemp = Jobs.CreatedBy
    ,@RunbookIdJobsTemp = Jobs.RunbookId
    ,@ParentIdJobsTemp = Jobs.ParentId
    ,@IdJobsTemp = Jobs.Id
    ,@ProcessIDInstanceTemp = Instance.ProcessID
    [Microsoft.SystemCenter.Orchestrator.Runtime].[Jobs] as Jobs with (nolock)
    inner join
    [POLICIES] as Runbooks with (nolock)
    on Jobs.RunbookId = Runbooks.UniqueID
    inner join
    [POLICYINSTANCES] as instance with (nolock)
    on Instance.JobId = Jobs.Id
    Jobs.Id = @ParentIdJobsTest


    –End of SQL query

  3. Stefan Horz May 19, 2017 at 22:31 - Reply

    the Published Data “Sam Account Name” from the “Get Sam Account name from SID” Activity cannot be used in further activities like e.g. “Get User”.
    It works when changing the Script:

    $objSID = New-Object System.Security.Principal.SecurityIdentifier(“d.T.~Ed/{C1603DA1-B977-423B-8F1E-3EEDCBF2E5FE}.Full-lined.T.~Ed/”)
    $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])


Leave A Comment