Introduction
I have created an Active Directory Integration Pack for Opalis. This integration pack is built on the System.DirectoryServices .NET class, so it requires no additional dependencies (the out-of-the-box AD integration pack for Opalis is built on the Quest tools). The project is hosted on Codeplex and is released under the CDDL, so feel free to take the code and modify / contribute! No warranties are given, either express or implied; look at the code and test it for yourself!

http://opalisadextension.codeplex.com/
Most objects expect some sort of Distinguished Name (DN) as input. They always expect the full DN (format LDAP://CN=blah,OU=Blah,DC=this,DC=com). Because of this I have included a “Get Object Distinguished Name” object.
Objects
The project includes objects for the following actions:
- Add User to Group
- Remove User From Group
- Create AD Security Group
- Delete AD Group
- Create User
- Delete User
- Create Trust Relationship
- Delete Trust Relationship
- Enable Account
- Disable Account
- Unlock Account
- Enumerate Domains in Forest
- Enumerate Objects in OU
- Get Primary Domain Controller
- Get Object Distinguished Name
- Move AD Object
- Get Group Membership
- Get User Group Membership
Add User to Group
Inputs
- User DN: Distinguished name for the user to be added to the group.
- Group DN: Distinguished name for the group to add the user to
Action
- Adds the given user to the given Group
Remove User from Group
Inputs
- User DN: Distinguished name for the user to be removed from the group.
- Group DN: Distinguished name for the group to remove the user from
Action
- Removes the given user from the given Group
Create AD Security Group
Inputs
- Containing OU Distinguished Name: Expects the DN for the OU you want to place this group in
- Group Name: The name of the new group
Outputs
- Group DN: The Distinguished name of the new group
Action
- Creates a new AD Security Group
Delete AD Group
Inputs
- Group DN: The Distinguished name of the group to delete
Outputs
- Group DN: The Distinguished name of the deleted group
Actions
- Deletes an AD Group
Create User
Inputs
- LDAP Path: Distinguished name of the OU you would like to place the new user in
- UserName: The name of the new user
- Password: The Password of the new user
Actions
- Creates a new AD user
Delete User
Inputs
- Domain: The domain the user is a member of
- Username: The Username of the user to delete
Actions
- Removes the user from the specified domain
Create Trust Relationship
Inputs
- Source Forest Name: The name of the source forest to create the relationship from
- Target Forest Name: The name of the target forest to create the relationship to
- Trust Relationship Direction: One of the following values
  - Outbound
  - Inbound
  - Bidirectional
Actions
- Creates a trust relationship between the two forests in the supplied direction
Delete Trust Relationship
Inputs
- Source Forest Name: The name of the source forest the trust relationship was created from
- Target Forest Name: The name of the target forest the trust relationship was created to
Actions
- Deletes a trust relationship between the two forests
Enable Account
Inputs
- Object Distinguished Name: The DN of the account you want to enable
Actions
- Enables the account
Disable Account
Inputs
- Object Distinguished Name: The DN of the account you want to disable
Actions
- Disables the account in Active Directory
Unlock Account
Inputs
- Object Distinguished Name: The DN of the account you want to Unlock
Actions
- Unlocks the given account
Enumerate Domains in Forest
Inputs
- Forest Name: The name of the forest you want to get all domains in (Example: contoso.com)
Outputs
- A correlated list of domain names
Enumerate Objects in OU
Inputs
- Organizational Unit DN: The Distinguished name of the OU whose child objects you want a list of.
Outputs
- A correlated list of the Distinguished Names of all child objects in the OU.
Get Primary Domain Controller
Inputs
- Domain Name: The name of the domain whose PDC you want
Outputs
- The name of the PDC
Get Object Distinguished Name
Inputs
- Domain Name: The Name of the domain to search in (Example: contoso.com)
- Object Name: The Name of the object you are searching for (Example: Opalis Administrators)
- Object Class: The type of object you are searching for. Must be one of the following
  - user
  - group
  - computer
  - printqueue
Outputs
- A correlated list containing the following information for each match
  - Distinguished Name
  - Ou
  - ObjectGUID
  - Name
  - Domain
Move AD Object
Inputs
- Distinguished Name: The current DN of the object.
- New Location: The DN of the location you want to move the object to
Actions
- Moves the Object to the new location
Get Group Memberships
Inputs
- Group DN: The Distinguished Name of the group you would like to get all the members of
Outputs
- A correlated list of the following information for each user found in the group
  - User’s Distinguished Name
Get User Group Memberships
Inputs
- UserDN: The Distinguished Name of the user you would like to get a group listing of
Outputs
- A list of all groups the user is a member of. The list is a list of Distinguished Names.
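As an added illustration (this is example code, not the Codeplex project's own), the following C# shows how the “Get Object Distinguished Name” and “Add User to Group” behaviours described above map onto System.DirectoryServices. The class and method names are assumed; because the Object Name input normally arrives from the databus, it is escaped before being placed in the LDAP filter, and directory exceptions are left to propagate so a failed step is reported as a failure.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not code from the Codeplex IP; class and method names are assumed.
public static class AdHelpers
{
    // RFC 4515 escaping, so an object name taken from the databus cannot
    // change the shape of the LDAP filter it is embedded in.
    public static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // "Get Object Distinguished Name": search one domain for objects of the given
    // class and name, returning the LDAP:// paths the other objects expect as input.
    public static List<string> GetObjectDistinguishedNames(string domain, string objectName, string objectClass)
    {
        var allowed = new[] { "user", "group", "computer", "printqueue" };
        if (Array.IndexOf(allowed, objectClass.ToLowerInvariant()) < 0)
            throw new ArgumentException("Object Class must be user, group, computer or printqueue");

        var paths = new List<string>();
        using (var root = new DirectoryEntry("LDAP://" + domain))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=" + objectClass + ")(name=" + EscapeFilterValue(objectName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            using (SearchResultCollection found = searcher.FindAll())
                foreach (SearchResult r in found)
                    paths.Add("LDAP://" + r.Properties["distinguishedName"][0]);
        }
        // A DirectoryServicesCOMException propagates to the caller so the runbook sees
        // a real failure rather than a "successful" step whose error only went to stdout.
        return paths;
    }

    // "Add User to Group": works for any AD object; the member attribute holds plain DNs.
    public static void AddMemberToGroup(string groupPath, string memberPath)
    {
        using (var group = new DirectoryEntry(groupPath))
        {
            group.Properties["member"].Add(memberPath.StartsWith("LDAP://") ? memberPath.Substring(7) : memberPath);
            group.CommitChanges();
        }
    }
}
```

Binding uses the credentials of the process running the code; supply explicit credentials to DirectoryEntry if the action server's service account should not be the one performing the change.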
I was trying to get a policy that evaluates an AD group to see if a computer is a member. I was hoping to have the server name supplied by the databus from a SCOM Alert, but when I do a Link, I can’t use Published Data in the field.
Any help would be great…
Hey David,
Are you saying you are trying to use published data inside of the link object for some sort of decision making? If so you cannot do this (you can use a Run .NET Script object or use the Compare Multiple Values object from the Data Manipulation IP). Can you post a picture of your workflow (or send me an email with a picture of it) or detail it out a bit more? I probably can help.
Hi,
any idea why it is not possible at all to create a new AD user? I’m able to create a new AD group, but not a new AD user. Opalis WF just says “successful” but a user is never created. Now I installed Network Monitor and sniffed the traffic. There I found some interesting information: the first “netlogon” traffic I see is that the “Create new AD User” option searches the AD for the user properties specified. After that the netlogon response is: 4 4:30:51 PM 2/21/2011 39.9142666 SVATANDC01 SVATANOP01 NetLogon NetLogon:LogonSAMUserUnknownEX (SAM Response when user is unknown): 25 (0x19) {LDAP:22, UDP:21, IPv4:33}
So the message is clear. But it never tries to create the user. Any idea what’s causing this?
Many thanks in advance if you can help us!
Peter Forster
Hey Peter,
I have some ideas why this is failing. I will do some code modifications and testing and probably post an updated IP shortly
Hi,
ok – so you think there are problems with the IP itself?!
If you need guys that will test your IP – send the stuff to me and we can provide you with any feedback you want. Currently we are stuck because the Microsoft pack is still not available for 6.3 and yours doesn’t work.
Anyway, thanks that you are working hard on the IPs for 6.3 and share them on Codeplex. As I said – if you need any support we can help you!
Thanks
Peter Forster
Hey Peter,
The IP is incorrectly catching errors and writing them out to STD out. This means that the IP always returns success. I am modifying the IP so that it correctly returns errors and the error message. I am always looking for testers if you’re interested.
By the way, the most common reason for not successfully creating the account is passing a password for the new account that does not meet your company’s password restrictions.
Hi,
just tried to send you an e-mail – but it tells me: mx01.perfora.net #<mx01.perfora.net #5.0.0 smtp;550 : invalid address> #SMTP#
Password will be fine – I have configured a strong password…!
Thanks!
Hi, I’m running your IP on a Windows Server 2008 R2 SP box, where Opalis has been installed (runs fine). When trying to create a user, I’m getting the following error:
“There is no such object on the server. Exception: DirectoryServicesCOMException. Target site:DirectoryEntry.Bind…..
Any idea what’s causing this?
Hey,
Can you tell me what the configuration was for the object (what inputs you used)?
We are working on an OPALIS project. Do you have any advice for creating an Active Directory Integration Pack, or have the code for adding a pack to our OPALIS? We are not allowed to add or run any independent software within our environment. (Limitations and knowledge are holding our project back.) This information would be most welcome. Regards, Ian B.
Hey Ian,
I think there are a lot of people in your situation and this is one of the reasons I release all the source code for the integration packs. I will write a blog post on how to take that code, compile it and turn it into your own IP. I will try to get that out for you Sunday.
Sir – great work – are you able to add a delete computer object?
Hey Mike,
I am going to be updating all of the integration packs to support Orchestrator 2012, so I will be going over all of this code again. So, there is a possibility that I will be able to accommodate your request. Can you post this on the discussion board on Codeplex?
Thanks,
-Ryan
Sure, thanks sir!
Is there a reason you didn’t include the method “Add Computer to Group” like was in the original IP? For those of us that manage membership using AD groups that would be very handy!
Thanks for the great work,
Jim
Hey Jim,
I must have missed this when I re-wrapped the IP, thanks for the heads up. I will get a new version of it out this weekend (quite a bit going on at work this week).
Hey Jim,
I just looked at the code and you can use the ‘Add User to Group’ object to add any object in AD to a group (user, computer, group etc etc). Hope this helps.
-Ryan
Yes! That’s perfect, thank you!