Integration Pack: Active Directory

Introduction

I have created an Active Directory Integration Pack for Opalis. This integration pack is built on the System.DirectoryServices .NET classes, so it requires no additional dependencies (the out-of-the-box AD integration pack for Opalis is built on the Quest tools). The project is hosted on Codeplex and is released under the CDDL, so feel free to take the code and modify or contribute! No warranties are given, either expressed or implied: look at the code and test it for yourself!


http://opalisadextension.codeplex.com/

Most objects expect some sort of Distinguished Name (DN) as input. They always expect the full DN, in the format LDAP://CN=blah,OU=Blah,DC=this,DC=com. Because of this, I have included a “Get Object Distinguished Name” object that resolves a plain object name to its DN.

Objects

The project includes objects for the following actions:

  • Add User to Group
  • Remove User From Group
  • Create AD Security Group
  • Delete AD Group
  • Create User
  • Delete User
  • Create Trust Relationship
  • Delete Trust Relationship
  • Enable Account
  • Disable Account
  • Unlock Account
  • Enumerate Domains in Forest
  • Enumerate Objects in OU
  • Get Primary Domain Controller
  • Get Object Distinguished Name
  • Move AD Object
  • Get Group Membership
  • Get User Group Membership

Add User to Group

Inputs

  • User DN: Distinguished name for the user to be added to the group.
  • Group DN: Distinguished name for the group to add the user to

Action

  • Adds the given user to the given Group

Remove User from Group

Inputs

  • User DN: Distinguished name for the user to be removed from the group.
  • Group DN: Distinguished name for the group to remove the user from

Action

  • Removes the given user from the given Group

Create AD Security Group

Inputs

  • Containing OU Distinguished Name: Expects the DN for the OU you want to place this group in
  • Group Name: The name of the new group

Outputs

  • Group DN: The Distinguished name of the new group

Action

  • Creates a new AD Security Group

Delete AD Group

Inputs

  • Group DN: The Distinguished name of the group to delete

Outputs

  • Group DN: The Distinguished name of the deleted group

Actions

  • Deletes an AD Group

Create User

Inputs

  • LDAP Path: Distinguished name of the OU you would like to place the new user in
  • UserName: The name of the new user
  • Password: The Password of the new user

Actions

  • Creates a new AD user

Delete User

Inputs

  • Domain: The domain the user is a member of
  • Username: The Username of the user to delete

Actions

  • Removes the user from the specified domain

Create Trust Relationship

Inputs

  • Source Forest Name: The name of the source forest to create the relationship from
  • Target Forest Name: The name of the target forest to create the relationship to
  • Trust Relationship Direction: One of the following values
    • Outbound
    • Inbound
    • Bidirectional

Actions

  • Creates a trust relationship between the two forests in the supplied direction

Delete Trust Relationship

Inputs

  • Source Forest Name: The name of the source forest of the trust relationship to delete
  • Target Forest Name: The name of the target forest of the trust relationship to delete

Actions

  • Deletes a trust relationship between the two forests

Enable Account

Inputs

  • Object Distinguished Name: The DN of the account you want to enable

Actions

  • Enables the account

Disable Account

Inputs

  • Object Distinguished Name: The DN of the account you want to disable

Actions

  • Disables the account in Active Directory

Unlock Account

Inputs

  • Object Distinguished Name: The DN of the account you want to unlock

Actions

  • Unlocks the given account

Enumerate Domains in Forest

Inputs

  • Forest Name: The name of the forest you want to get all domains in (Example: contoso.com)

Outputs

  • A correlated list of domain names

Enumerate Objects in OU

Inputs

  • Organizational Unit DN: The Distinguished name of the OU whose child objects you want a list of.

Outputs

  • A Correlated list of the Distinguished Name of all child objects in an OU.

Get Primary Domain Controller

Inputs

  • Domain Name: The name of the domain whose PDC you want

Outputs

  • The name of the PDC

Get Object Distinguished Name

Inputs

  • Domain Name: The Name of the domain to search in (Example: contoso.com)
  • Object Name: The Name of the object you are searching for (Example: Opalis Administrators)
  • Object Class: The type of object you are searching for. Must be one of the following
    • user
    • group
    • computer
    • printqueue

Outputs

  • A correlated list containing the following information for each match
    • Distinguished Name
    • Ou
    • ObjectGUID
    • Name
    • Domain
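Added example, not code from the integration pack: a System.DirectoryServices helper that performs this lookup and returns the five output fields listed above. AdLookup, Find, EscapeFilterValue and ParentContainer are hypothetical names; the domain value may carry the global catalog port (contoso.com:3268), as one of the comments below suggests.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
// Hypothetical helper, not the pack's own code: resolves a name to the full "LDAP://..." DN.
public static class AdLookup
{
    // RFC 4515 escaping, so a name taken from the Opalis data bus cannot alter the filter.
    public static string EscapeFilterValue(string value)
    {
        string escaped = "";
        foreach (char c in value)
            escaped += "\\*()\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString();
        return escaped;
    }
    // Parent container of a DN: the text after the first unescaped comma, so
    // "CN=Doe\, Jane,OU=Staff,DC=contoso,DC=com" gives "OU=Staff,DC=contoso,DC=com".
    public static string ParentContainer(string dn)
    {
        for (int i = 0; i < dn.Length; i++)
        {
            if (dn[i] == '\\') i++;                          // skip the escaped character
            else if (dn[i] == ',') return dn.Substring(i + 1);
        }
        return "";
    }
    // domain may carry the GC port ("contoso.com:3268"); each match holds the five output fields.
    public static List<Dictionary<string, string>> Find(string domain, string objectName, string objectClass)
    {
        if (Array.IndexOf(new[] { "user", "group", "computer", "printqueue" }, objectClass.ToLowerInvariant()) < 0)
            throw new ArgumentException("Unsupported object class: " + objectClass);
        var matches = new List<Dictionary<string, string>>();
        using (var root = new DirectoryEntry("LDAP://" + domain))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=" + EscapeFilterValue(objectClass) +
                              ")(name=" + EscapeFilterValue(objectName) + "))";
            searcher.PropertiesToLoad.AddRange(new[] { "distinguishedName", "objectGUID", "name" });
            using (SearchResultCollection found = searcher.FindAll())
                foreach (SearchResult r in found)
                {
                    string dn = (string)r.Properties["distinguishedName"][0];
                    matches.Add(new Dictionary<string, string> {
                        { "Distinguished Name", "LDAP://" + dn }, { "Ou", ParentContainer(dn) },
                        { "ObjectGUID", new Guid((byte[])r.Properties["objectGUID"][0]).ToString() },
                        { "Name", (string)r.Properties["name"][0] }, { "Domain", domain } });
                }
        }
        return matches;   // empty when nothing matched; directory errors propagate to the caller
    }
}
```

Because the filter value is escaped, a name such as `*)(objectClass=*` matches nothing instead of widening the search.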

Move AD Object

Inputs

  • Distinguished Name: The current DN of the object.
  • New Location: The DN of the location you want to move the object to

Actions

  • Moves the Object to the new location

Get Group Memberships

Inputs

  • Group DN: The Distinguished Name of the group you would like to get all the members of

Outputs

  • A correlated list of the following information for each user found in the group
    • User’s Distinguished Name

Get User Group Memberships

Inputs

  • UserDN: The Distinguished Name of the user you would like to get a group listing of

Outputs

  • A list of all groups the user is a member of. The list is a list of Distinguished Names.
Posted in Integration Pack
23 comments on “Integration Pack: Active Directory”
  1. I was trying to get a policy that evaluates an AD group to see if a computer is a member. I was hoping to have the server name supplied by the databus from a SCOM Alert, but when I do a Link, I can’t use Published Data in the field.

    Any help would be great…

    • randorfer says:

      Hey David,

      Are you saying you are trying to use published data inside of the link object for some sort of decision making? If so you cannot do this (you can use a run .net script object or use the compare multiple values object from the data manipulation IP). Can you post a picture of your workflow (or send me an email with a picture of it) or detail it out a bit more, I probably can help :-).

  2. […] packs for managing AD and local […]

  3. Peter Forster says:

    Hi,
    any idea why it is not possible at all to create a new AD user? I’m able to create a new AD group, but not a new AD user. Opalis WF just says “successful” but a user is never created. Now I installed network monitor and sniffed the traffic. There I found some interesting information: The first “netlogon” traffic I see is that the “Create new AD User” option searches the AD for the user properties specified. After that the netlogon response is: 4 4:30:51 PM 2/21/2011 39.9142666 SVATANDC01 SVATANOP01 NetLogon NetLogon:LogonSAMUserUnknownEX (SAM Response when user is unknown): 25 (0x19) {LDAP:22, UDP:21, IPv4:33}
    So the message is clear. But it never tries to create the user. Any idea what’s causing this?
    Many thanks in advance if you can help us!
    Peter Forster

  4. Peter Forster says:

    Hi,
    ok – so you think there are problems with the IP itself?!
    If you need guys that will test your IP – send the stuff to me and we can provide you with any feedback you want. Currently we are stuck because the Microsoft pack is still not available for 6.3 and yours doesn’t work 🙂
    Anyway, thanks that you are working hard on the IPs for 6.3 and share them on Codeplex. As I said – if you need any support we can help you!
    Thanks
    Peter Forster

    • randorfer says:

      Hey Peter,

      The IP is incorrectly catching errors and writing them out to STD out. This means that the IP always returns success. I am modifying the IP so that it correctly returns errors and the error message. I am always looking for testers if you’re interested.

    • randorfer says:

      By the way, the most common reason for not successfully creating the account is passing a password for the new account that does not meet your company’s password restrictions.
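Added example, not the pack's own code, written against System.DirectoryServices: a Create User routine with the same three inputs as the Create User object, in which every directory error (a missing OU, a password rejected by domain policy) surfaces as an exception instead of being written to standard output and reported as success, the behaviour described in the replies above. AdUserCreator and CreateUser are hypothetical names.

```csharp
using System;
using System.DirectoryServices;

// Hypothetical helper, not the integration pack's own code: creates a user and lets every
// failure propagate, so the runbook sees the error rather than a false "successful".
public static class AdUserCreator
{
    // userAccountControl flags: the account is created disabled and enabled only after the
    // password has been accepted, so a policy rejection never leaves a usable account behind.
    const int NormalAccount = 0x0200;
    const int AccountDisabled = 0x0002;

    // ldapPath is the OU, e.g. "LDAP://OU=Staff,DC=contoso,DC=com" (full DN, as the pack requires).
    public static string CreateUser(string ldapPath, string userName, string password)
    {
        if (userName.IndexOfAny(new[] { ',', '+', '"', '\\', '<', '>', ';' }) >= 0)
            throw new ArgumentException("User name contains characters that are not valid in an RDN.");

        using (var ou = new DirectoryEntry(ldapPath))
        {
            // Binding to an OU that does not exist fails here with "There is no such object on the server".
            ou.RefreshCache();
            using (DirectoryEntry user = ou.Children.Add("CN=" + userName, "user"))
            {
                user.Properties["sAMAccountName"].Value = userName;
                user.Properties["userAccountControl"].Value = NormalAccount | AccountDisabled;
                user.CommitChanges();                       // object now exists, still disabled
                try
                {
                    // A password rejected by the domain policy throws here; nothing is swallowed.
                    user.Invoke("SetPassword", new object[] { password });
                    user.Properties["userAccountControl"].Value = NormalAccount;
                    user.CommitChanges();
                }
                catch
                {
                    ou.Children.Remove(user);               // roll back the half-created account
                    throw;
                }
                return user.Path;                           // "LDAP://CN=<name>,OU=..." of the new user
            }
        }
    }
}
```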

  5. Peter Forster says:

    Hi,
    just tried to send you an e-mail – but it tells me: mx01.perfora.net #<mx01.perfora.net #5.0.0 smtp;550 : invalid address> #SMTP#

    Password will be fine – I have configured a strong password…!
    Thanks!

  6. TT says:

    Hi, I’m running your IP on a Windows Server 2008 R2 SP box, where Opalis has been installed (runs fine). When trying to create a user, I’m getting the following error:
    “There is no such object on the server. Exception: DirectoryServicesCOMException. Target site:DirectoryEntry.Bind…..

    Any idea what’s causing this?

  7. Ian Barnes. says:

    We are working on an OPALIS project. Do you have any advice for creating an Active Directory Integration Pack, or have the code for adding a pack to our OPALIS? We are not allowed to add or run any independent software within our environment. (Limitations and knowledge are holding our project back.) This information would be most welcome. Regards, Ian B.

    • randorfer says:

      Hey Ian,

      I think there are a lot of people in your situation and this is one of the reasons I release all the source code for the integration packs. I will write a blog post on how to take that code, compile it and turn it into your own IP. I will try to get that out for you Sunday.

  8. Mike says:

    Sir – great work – are you able to add a delete computer object?

    • randorfer says:

      Hey Mike,

      I am going to be updating all of the integration packs to support Orchestrator 2012, so I will be going over all of this code again. So, there is a possibility that I will be able to accommodate your request. Can you post this on the discussion board on Codeplex?

      Thanks,
      -Ryan

  9. Mike says:

    Sure, thanks sir!

  10. Jim says:

    Is there a reason you didn’t include the method “Add Computer to Group” like was in the original IP? For those of us that manage membership using AD groups that would be very handy!

    Thanks for the great work,

    Jim

  11. marianneldn says:

    I have an issue: one of my colleagues created a runbook with Orchestrator, then we took a backup, uninstalled and reinstalled Orchestrator, then imported the runbook. I installed the Active Directory and System Center integration packs, but now I can’t open this runbook; it says the activity may not be installed or was not converted. I also used this URL http://opalisadextension.codeplex.com/ and downloaded all the existing AD integration pack versions; some failed to register, others said they were not compatible. I need to ask you if you have any other version of the Active Directory Integration Pack …

  12. AGO says:

    Hi all,
    only a small tip if you try to use ‘Get Object Distinguished Name’ against the global catalog. Put the GC port behind the Domain like ‘Contoso.com:3268’
