Dealing with VIP users is a common practice within Service Management. This old blog post explains a very good approach to marking users as VIP in SCSM. We simply extend the User class with an extra boolean property (true/false) and then expose that property on the Incident form, right under the Affected User. That way analysts can quickly see whether the person is a VIP, and you can also build various workflows or notifications on this property.



What is missing in the above post is how we figure out who is VIP and who is not. For many, this relationship is set in Active Directory via group membership: if you are a member of a special security group, you are VIP. That's the approach I will take here, and I provide the script needed to sync the members of that group over. Whoever is a member of the given AD group will be marked as VIP in SCSM, and whoever is no longer a member will be unmarked. Just replace the AD group name and perhaps the VIP property name (mine is called VIP here). After that you need to set up a scheduled workflow to run this script. This could be Orchestrator, SMA, a PowerShell workflow or just a regular Windows scheduled task.

Here goes:

# //***************************************************************************
# // ***** Script Header *****
# //
# // Solution:  
# // File:      SCSM-SetVIPStatus.ps1
# // Author:    Morten Meisler, Coretech A/S.
# // Purpose:   Sync AD VIP Group members with SCSM CMDB Users
# //                                 
# //
# // Usage:     
# //
# //
# // CORETECH A/S History:
# // 1.0.0     MME 23/08/2016  Initial version.
# //
# // Customer History:
# //
# // ***** End Header *****
# //***************************************************************************
# //----------------------------------------------------------------------------

$ErrorActionPreference = "stop"
trap [Exception] {
    $ErrorMessage = "SCRIPT: SCSM-SetVIPStatus.ps1 failed`n"
    $ErrorMessage += "Runas domain: $($env:userdomain)`n"
    $ErrorMessage += "Script location: $PSScriptRoot`n`n"
    $ErrorMessage += "Error: Line,char: {0},{1} - Details: {2}" -f $_.InvocationInfo.ScriptLineNumber,$_.InvocationInfo.OffsetInLine, $_.Exception
    throw $ErrorMessage
    #Write-EventLog -LogName "Operations Manager" -Source "Health Service Script" -EntryType Error -EventID 913 -Message $ErrorMessage  -Category 1
}

# //----------------------------------------------------------------------------
#//  Global constant and variable declarations

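#VIP AD Group Name (placeholder value - replace with the name of your own AD VIP group)
$ADGroup = "<VIP AD group name>"
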
#SCSM Server
$SCSMServer = "localhost"

#//  Procedures

#//  Main routines

#output start time
$StartTime = get-date
Write-Output "Started at $StartTime - Running as $($env:userdomain)\$($env:username)"

#Import Modules
if (!(Get-Module smlets)){Import-Module smlets}
if (!(Get-Module ActiveDirectory)){Import-Module ActiveDirectory}

#SCSM Classes
$ADUserClass = Get-SCSMClass -Name "Microsoft.AD.User$" -ComputerName $SCSMServer

#Get users from SCSM where VIP is true
$SCSMVIPUsers = @( Get-SCSMObject -Class $ADUserClass -Filter "VIP -eq true" -ComputerName $SCSMServer)

#Get AD Group members
$ADMembers = Get-ADGroupMember -Identity $ADGroup

#Users that are in AD VIP Group but have their SCSM VIP Property set to False OR SCSM Users with VIP Property set to true but missing in AD Group
$VIPDifferenceUsers = Compare-Object -ReferenceObject $SCSMVIPUsers -DifferenceObject $ADMembers -Property "distinguishedName" -PassThru

foreach ($VIPDifferenceUser in $VIPDifferenceUsers)
{
    #User is missing from AD group but has VIP = true. $VIPDifferenceUser is now an SCSM object
    if ($VIPDifferenceUser.GetType().Name -like "EnterpriseManagementObject")
    {
        Write-Output "Setting VIP to false for SCSM User: $($VIPDifferenceUser.DisplayName) ..."
        Set-SCSMObject -SMObject $VIPDifferenceUser -Property VIP -Value $false -ComputerName $SCSMServer
    }
    #User has VIP set to False in SCSM, but is member of VIP AD Group. $VIPDifferenceUser is now an AD object, so we must get the corresponding SCSM User
    else
    {
        Write-Output "Setting VIP to true for SCSM User: $($VIPDifferenceUser.Name) ..."
        $SCSMUser = Get-SCSMObject -Class $ADUserClass -Filter "DistinguishedName -eq $($VIPDifferenceUser.distinguishedName)" -ComputerName $SCSMServer
        Set-SCSMObject -SMObject $SCSMUser -Property VIP -Value $true -ComputerName $SCSMServer
    }
}

$EndTime = Get-Date
$Totaltime = $EndTime - $StartTime
Write-Output "Finished at $(get-date) - Total Runtime $Totaltime"
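
Because the script runs unattended and flips the VIP flag purely on what the AD query returns, it helps to compute the changes first and stop when the result looks wrong. The following is an added example, not part of the original script: `Get-VipSyncPlan`, the `MaxClear` limit and the sample DNs are hypothetical, and unlike `Compare-Object` it also handles the case where one of the two lists is empty.

```powershell
# Added example: plan the VIP changes from two lists of distinguished names.
# Get-VipSyncPlan, MaxClear and the sample DNs are hypothetical and constructed.
function Get-VipSyncPlan {
    param(
        [string[]]$CurrentVipDn  = @(),  # DNs of SCSM users where VIP is true
        [string[]]$GroupMemberDn = @(),  # DNs of the user members of the AD VIP group
        [int]$MaxClear = 25              # assumed safety limit on un-marking per run
    )

    # Distinguished names are case-insensitive, so use ignore-case sets.
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $vip = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $CurrentVipDn) { [void]$vip.Add($dn) }
    $grp = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $GroupMemberDn) { [void]$grp.Add($dn) }

    # In the group but not yet VIP -> set; VIP but no longer in the group -> clear.
    $toSet   = @($grp | Where-Object { -not $vip.Contains($_) })
    $toClear = @($vip | Where-Object { -not $grp.Contains($_) })

    # An empty group result or an unusually large removal usually means a failed
    # or mis-scoped AD query, so stop instead of un-marking everyone.
    if ($toClear.Count -gt 0 -and ($grp.Count -eq 0 -or $toClear.Count -gt $MaxClear)) {
        throw "Refusing to clear VIP on $($toClear.Count) users; check the AD group query."
    }

    [pscustomobject]@{ ToSet = $toSet; ToClear = $toClear }
}

# Constructed sample data: one unchanged user, one to clear, one to set.
$scsmVip = 'CN=Ann Lee,OU=Staff,DC=example,DC=com',
           'CN=Bo Ek,OU=Staff,DC=example,DC=com'
$adGroup = 'cn=ann lee,ou=staff,dc=example,dc=com',
           'CN=Cy Dahl,OU=Staff,DC=example,DC=com'

$plan = Get-VipSyncPlan -CurrentVipDn $scsmVip -GroupMemberDn $adGroup
"Set VIP:   $($plan.ToSet -join '; ')"
"Clear VIP: $($plan.ToClear -join '; ')"
```

`Get-ADGroupMember` also returns nested groups and computer accounts, so pass only members whose `objectClass` is `user` (adding `-Recursive` if nested groups should count).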


Enjoy!