
Using the Active Directory module - assistance required

Leigh_Kilday Member Ninja IT Monkey ✭✭✭✭
I'm trying to convert appropriate Orchestrator runbooks to Cireson PowerShell Activities. When it's internal to SCSM, I am having no issues, but when I need to use the ActiveDirectory module, it doesn't seem to work no matter how I structure it.

I note that the script shown in one of the webinars (39:56) remotes to the DC. As we do not have remote PS rights to our DCs, I can't figure out how else to make this work.


The error we get when we try using $env:COMPUTERNAME in place of the $DC variable is:
Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.

Of course, I have installed AD Web Services on this machine and it works perfectly well using PowerShell ISE.

The original runbook had encrypted credentials and remoted to another server using credssp, but using certs to encrypt our credentials is a bit of a pain.

How can I get this script to work in CPA?

Best Answer

  • Leigh_Kilday Member Ninja IT Monkey ✭✭✭✭
    Answer ✓
    Hi @Brian_Wiest, I was just using that as an example since my network is disconnected and I can't get my scripts up here.

    I'm using SMA for this so it's no longer an issue.

Answers

  • Filip_Theyssens Partner IT Monkey ✭

    Hi Leigh,

    I always execute remote AD commands using the following method:

    https://blogs.msdn.microsoft.com/adpowershell/2009/03/11/active-directory-powershell-the-drive-is-the-connection/


    Just make sure the AD cmdlets are installed on the workflow server then.

    Also make sure that the SCSM Workflow account has the rights to perform the task you want to perform in the script.

    Hope it helps
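The "drive is the connection" approach from the linked post, as an added example that is not part of Filip's reply or the Cireson product: an AD PSDrive is created once with an explicit -Server and -Credential, and while the current location is on that drive the ActiveDirectory cmdlets reuse its connection, so no per-call -Server/-Credential is needed. The server name, the account name 'jdoe' and the credential prompt are assumptions for illustration; in a workflow the credential would come from whatever secret store you already use, not from a plain-text script.

```powershell
# Added example (not from the thread). Assumes dc01.corp.example.com, a credential
# with rights in that domain, and a user 'jdoe' exist in your environment.
Import-Module ActiveDirectory

# Assumed credential source; replace with your secret store in automation.
$cred = Get-Credential -Message 'Account with rights in the target domain'

# -Root '' maps the drive to the default naming context of that server.
# The server and credential are bound to the drive, not to each cmdlet call.
New-PSDrive -Name CorpAD -PSProvider ActiveDirectory -Root '' `
    -Server 'dc01.corp.example.com' -Credential $cred | Out-Null

try {
    # While the current location is on an AD drive, the AD cmdlets use that
    # drive's connection (server + credential) automatically.
    Push-Location CorpAD:

    $user = Get-ADUser -Identity 'jdoe' -Properties Enabled
    if ($user.Enabled) {
        # Same connection is reused here, so the disable runs as $cred
        # against dc01, with nothing remoted to the DC itself.
        Disable-ADAccount -Identity $user
    }
}
finally {
    # Leave the drive so later code in the same session is not silently
    # pointed at the other domain, then drop the connection.
    Pop-Location
    Remove-PSDrive -Name CorpAD
}
```

This only works on a host where RSAT-AD-PowerShell is installed, which is the point Filip makes about the workflow server; the drive talks to Active Directory Web Services on the named DC over port 9389, so the workflow server still needs that port open to a DC in each domain it manages, but no PS remoting rights on the DC.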

  • Nicholas_Velich Cireson Consultant Ninja IT Monkey ✭✭✭✭
    Hi Leigh,

    Did you make any progress with this? I think Filip's suggestion is interesting and seems promising, although I haven't tried it personally.

    One other suggestion I have when it comes to PS remoting might be to use a PSSession against a custom PSSessionConfiguration. With typical installations, you have a few PS Session Configurations by default (view these with Get-PSSessionConfiguration as an admin). You can create new session configurations, and for these custom sessions you can limit the cmdlets available to users of that session. For example, if you only wanted those users to use the "Get-ADUser" cmdlet when they connect, you could do that. Further, for each session, you can configure only certain users to be able to connect (i.e. the workflow service which is running CPA).

    One other note is that we don't need to connect to the DC, and I would recommend against that anyway since it seems to be an unnecessary risk. Any machine with the AD Cmdlets installed should be able to use this method, and it keeps an extra bit of distance between DC and automation tools/users.

    Thanks,
    Nick
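A concrete form of Nick's suggestion, as an added example that is not part of his reply or any Cireson code: a custom session configuration on a non-DC host that exposes only Get-ADUser and Disable-ADAccount, and only to one group. The host name psjump.corp.example.com, the group CORP\SCSM-Workflow, the service account CORP\svc-adops and the user 'jdoe' are assumptions. RoleDefinitions needs PowerShell 5.0 or later; on older versions use -VisibleCmdlets on New-PSSessionConfigurationFile and set the endpoint ACL with Set-PSSessionConfiguration -ShowSecurityDescriptorUI instead.

```powershell
# Added example (not from the thread). Run elevated on the endpoint host, which
# must have RSAT-AD-PowerShell installed but does not need to be a DC.
$pssc = Join-Path $env:ProgramData 'ADOps.pssc'

# RestrictedRemoteServer gives a NoLanguage session with only the cmdlets listed
# here visible; connecting accounts not named in RoleDefinitions are denied.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport ActiveDirectory `
    -RoleDefinitions @{
        'CORP\SCSM-Workflow' = @{ VisibleCmdlets = 'Get-ADUser', 'Disable-ADAccount' }
    }

# Run the endpoint as a dedicated account with the AD rights. Without this the
# AD calls would run as the connecting user and hit the Kerberos second hop
# (workflow server -> endpoint host -> domain controller), which is what the
# original runbook worked around with CredSSP.
$runAs = Get-Credential -UserName 'CORP\svc-adops' -Message 'RunAs account for the ADOps endpoint'

Register-PSSessionConfiguration -Name ADOps -Path $pssc -RunAsCredential $runAs -Force

# Inspect what is now registered (Nick's Get-PSSessionConfiguration check).
Get-PSSessionConfiguration -Name ADOps | Select-Object Name, Permission, RunAsUser

# --- client side: what the workflow account runs ---
$session = New-PSSession -ComputerName 'psjump.corp.example.com' -ConfigurationName ADOps
try {
    # Allowed: Get-ADUser is visible in the endpoint.
    Invoke-Command -Session $session -ScriptBlock { Get-ADUser -Identity 'jdoe' }

    # Denied: Remove-ADUser is not visible, so this fails with
    # CommandNotFoundException on the endpoint instead of deleting anything.
    Invoke-Command -Session $session -ScriptBlock { Remove-ADUser -Identity 'jdoe' }
}
finally {
    Remove-PSSession $session
}
```

The connecting account needs no rights in AD at all, only membership in the group named in RoleDefinitions; the AD rights live with the RunAs account, whose password is stored by WinRM on the endpoint host rather than in any runbook. Keep the visible cmdlet list to exactly what the runbook calls, since anything listed is usable by every member of that group.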

  • Adam_Dzyacky Product Owner Contributor Monkey ✭✭✭✭✭
    Haven't tested myself in Cireson PSA, but from a SMA runbook perspective I can tell you that I have the cmdlets locally available on the SCSM Workflow server and then use the -Credential and -Server parameters in order to talk to the domain from within the InlineScript that is running on the SCSM WF server.

    This has become so second nature to me I actually assumed I'd have to perform the same thing in a Cireson PSA. But again, haven't tested this.
  • Leigh_Kilday Member Ninja IT Monkey ✭✭✭✭
    Unfortunately my effort was diverted onto something else so I just invoked a SMA runbook for this because I already had that working.

    Incomplete...
  • Leigh_Kilday Member Ninja IT Monkey ✭✭✭✭
    Two issues here:
    1. In a PSA, $env:username returns the computer name, so I assume it's not using the workflow account.
    2. SCSM is installed in domain X, with users in domains X, Y and Z. Using any ActiveDirectory command requires credentials to be passed that have access to all of those domains. I can't see a way to get creds into my script without storing them unsecured. Without creds, I get the following error: "Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running."
  • Brian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Why do you need to remote into a DC to perform a disable command?
    Installing Remote administrator tools on your primary SCSM server will add AD locally so you can just run the command on the local server.

    (Screenshot from Server 2008)
