How Do I Create a User CI via PowerShell and Sync Remaining Properties with AD Connector?
We have created a Service Request for my company's onboarding/new hire process. Once submitted, there's a manual activity that takes place for our security team to create the new user's account in Active Directory. Once that step is completed, we have a Cireson PowerShell Activity run. The script in the activity initiates a sync of our AD connector to bring the new user's account/info over into SCSM so that it can be used as the affected user on other SRs that are created via PowerShell in later activities. This process has worked for us so far, but we've noticed that, due to the volume of these requests being submitted, the AD connector is running constantly throughout the day.
In order to prevent any potential impact to performance this can cause, we've decided to try to change the process. If possible, we want to create a user CI in SCSM via PowerShell with only a minimal amount of properties and then allow the AD connector to run at its scheduled time at night to sync the remaining properties.
Here's the code I have so far:
    $ADUser = Get-ADUser -Filter {SurName -eq $LastName -and GivenName -eq $FirstName} -Properties * |
        ? { $_.whenCreated -ge $SR_Obj.CreatedDate.ToLocalTime() }

    # Create user in SCSM with minimal properties
    $PropHash = @{
        DistinguishedName = $ADUser.DistinguishedName
        UserName          = $ADUser.SamAccountName
        SID               = [System.Security.Principal.SecurityIdentifier]$ADUser.SID
        FQDN              = "domain1.company.com"
        Domain            = "DOMAIN1"
        FirstName         = $ADUser.GivenName
        LastName          = $ADUser.SurName
        DisplayName       = $ADUser.DisplayName
        EmployeeId        = $ADUser.EmployeeId
        UPN               = $ADUser.UserPrincipalName
    }
    $User = New-SCSMObject -Class $UserClass -PropertyHashtable $PropHash -PassThru -NoCommit

    # Get the new user's manager
    $ManagerID = (Get-ADUser -Identity $ADUser.Manager).SamAccountName
    $HiringManager = Get-SCSMObject -Class $UserClass -Filter "UserName -eq $ManagerID"

    # Assign the hiring manager as the new user's manager
    $Manager_User_Rel = New-SCSMRelationshipObject -Relationship (Get-SCSMRelationshipClass -Name 'System.UserManagesUser') -Source $HiringManager -Target $User -NoCommit
    $Manager_User_Rel.Commit()

This code works just fine to create the user in SCSM using properties from AD. The problem I'm facing is having AD sync the remaining properties. I assumed that the AD connector would see the UserName/DistinguishedName/UPN on this new user object and make the association between it and the AD account, but that doesn't seem to be the case. The connector runs, but no new properties like address, phone number, email, etc. are synced to the SCSM user account.
So my questions are:
1.) Has anyone done anything like this before? If so, how?
2.) If not, can this be done at all?
3.) Where is the link/relationship between AD accounts and SCSM user CIs? Is the AD connector looking for any one specific property to tie the two together?
Any info you can provide would be greatly appreciated.
Answers
I have created an Orchestrator runbook that creates a user in SCSM and then uses the username to look up the user details in AD.
#Get User AD Info
Then I use these variables in the runbook.
Check this post I made and please feel welcome to ask if you have any questions about the craziness that is going on there.
https://community.cireson.com/discussion/4049/service-manager-user-import-commissioning#latest
I have actually reworked the runbook to use more Orchestrator SCSM activities, but what you need is explained in the script.