Difference between revisions of "Active Directory Group Management"

From Hornbill
(Replaced content with "This document can now be found at its new location in the [https://docs.hornbill.com/itom-packages/welcome Hornbill Document Library]. file:hornbill-document-librar...")
{{bluebanner|[[Main_Page|Home]] > [[Administration]] > [[IT_Operations_Management|IT Operations Management]] > [[ITOM_Package_Library|ITOM Package Library]] > Active Directory Group Management|[[:Category:ITOM|Index]]}}
This document can now be found at its new location in the [https://docs.hornbill.com/itom-packages/welcome Hornbill Document Library].
[[File:activedirectory_logo.png|activedirectory_logo.png|300px]]
 
{{IntroAndLinks|The Active Directory Group Management package for Hornbill's IT Operations Management (ITOM) contains a number of administrative operations that can be carried out on Group objects within your behind-the-firewall Active Directory domains.
 
|
 
<!-- Related Links go here -->
 
:* [[IT_Operations_Management|IT Operations Management]]
 
:* [[Business_Process_Designer|Business Process Designer]]
 
:* [[Hornbill_KeySafe|KeySafe]]
 
}}
 
  
:{|
    [[file:hornbill-document-library.png|ITOM Package Reference|link=https://docs.hornbill.com/itom-packages/welcome]]
|- valign="top"
 
|style="width:300px"|
 
:* [[Active Directory Group Management#Add Computer|Add Computer]]
 
:* [[Active Directory Group Management#Add Group|Add Group]]
 
:* [[Active Directory Group Management#Add User|Add User]]
 
:* [[Active Directory Group Management#Create Group|Create Group]]
 
:* [[Active Directory Group Management#Delete Group|Delete Group]]
 
 
 
|style="width:300px"|
 
:* [[Active Directory Group Management#Get Group|Get Group]]
 
:* [[Active Directory Group Management#Remove Computer|Remove Computer]]
 
:* [[Active Directory Group Management#Remove Group|Remove Group]]
 
:* [[Active Directory Group Management#Remove User|Remove User]]
 
|}
 
 
 
==Target Environment Requirements==
 
 
 
===Domain Requirements===
 
 
 
The Active Directory domain that you wish to manage requires Active Directory Web Services (ADWS) to be present. See the [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391908(v=ws.10) ADWS Documentation] for more information.
 
 
 
===Script Execution Machine Requirements===
 
 
 
* The Active Directory PowerShell module needs to be installed on the machine that will be executing the scripts (install the correct Remote Server Administration Tools (RSAT) package for your OS);
 
* If the script execution policy on the machine executing these operations is set to Restricted, then this will need to be updated to something less restrictive. See the [https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 PowerShell Documentation] for more information.
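The three requirements above can be checked before any job is scheduled. The following preflight script is an added example and not part of the Hornbill package; the <code>$DomainController</code> parameter is an assumption, and the only port it probes is TCP 9389, which is the port ADWS listens on.

```powershell
# Added example, not part of the Hornbill package: preflight checks for the machine that
# will execute this package's scripts. $DomainController is an assumed parameter.
param(
    [Parameter(Mandatory)][string]$DomainController   # e.g. a DC FQDN in the managed domain
)

$results = [ordered]@{}

# 1. The Active Directory PowerShell module (from the RSAT package) must be installed.
$results['ADModuleInstalled'] = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

# 2. An execution policy of Restricted blocks the package scripts from running at all.
$policy = Get-ExecutionPolicy
$results['ExecutionPolicy']   = [string]$policy
$results['ExecutionPolicyOk'] = ($policy -ne 'Restricted')

# 3. ADWS listens on TCP 9389; the AD module cannot reach the domain without it.
$probe = Test-NetConnection -ComputerName $DomainController -Port 9389 -WarningAction SilentlyContinue
$results['AdwsPortOpen'] = $probe.TcpTestSucceeded

# 4. If the basics pass, confirm the module can actually query the domain through ADWS.
if ($results['ADModuleInstalled'] -and $results['AdwsPortOpen']) {
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $dc = Get-ADDomainController -Identity $DomainController -Server $DomainController -ErrorAction Stop
        $results['AdwsQueryOk'] = $true
        $results['Domain']      = $dc.Domain
    } catch {
        $results['AdwsQueryOk'] = $false
        $results['Error']       = $_.Exception.Message
    }
}

[pscustomobject]$results
```

Run it as the same account the KeySafe Key will supply, since both the execution policy and the ADWS query are evaluated in that user's context.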
 
 
 
==KeySafe Configuration==
 
[[File:ad_keysafe.png|300px|right|link=https://wiki.hornbill.com/images/b/bd/Ad_keysafe.png]]
 
[[File:ad_groups_add.png|300px|right|link=https://wiki.hornbill.com/images/d/d7/Ad_groups_add.png]]
 
 
 
When creating SIS jobs for operations contained within this package, they need to be run on the target machine as a user who has the correct privileges within your environment.
 
 
 
To create and securely store one or more Keys for these operations, in the admin console:
 
 
 
* Navigate to: System > Security > KeySafe;
 
* Click on + then select <code>Username + Password</code>;
 
* Give the KeySafe Key a Title (this is the name/identifier for the AD account as you will see it when creating an IT Automation Job, or adding an IT Automation node to a Business Process or Runbook);
 
* Optionally add a description;
 
* Populate the Username field with the domain username for the account being used (<code>DOMAINNAME\yourusername</code> for example);
 
* Populate the Password field with the password for the above account;
 
* Select Create Key to save.
 
 
 
Once you have created your KeySafe Key, you can then use it when creating IT Automation Jobs from this package. See screenshots to the right for examples.
 
 
 
==Package Operations==
 
The Active Directory Group Management package contains the following operations, which can be used to create ITOM Jobs directly, or included in your [[Business_Process_Designer|Business Processes]] and IT Operations Management Runbooks.
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Add Computer===
 
<div class="mw-collapsible-content">
 
This operation adds a Computer object to an Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>MemberIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Member Computer (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>GroupIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>MemberServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Computer
 
* <code>GroupServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Group
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
</div></div>
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Add Group===
 
<div class="mw-collapsible-content">
 
This operation adds a Group object to an Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>MemberIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Member Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>GroupIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>MemberServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Member Group
 
* <code>GroupServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Group
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
</div></div>
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Add User===
 
<div class="mw-collapsible-content">
 
This operation adds a User object to an Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>MemberIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Member User (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>GroupIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>MemberServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the User
 
* <code>GroupServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Group
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
</div></div>
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Remove Computer===
 
<div class="mw-collapsible-content">
 
 
 
This operation removes a Computer object from an Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>MemberIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Member Computer (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>GroupIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>MemberServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Computer
 
* <code>GroupServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Group
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
</div></div>
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Remove Group===
 
<div class="mw-collapsible-content">
 
 
 
This operation removes a Group object from an Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>MemberIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Member Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>GroupIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Parent Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>MemberServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Member Group
 
* <code>GroupServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Parent Group
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
</div></div>
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Remove User===
 
<div class="mw-collapsible-content">
 
 
 
This operation removes a User object from an Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>MemberIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Member User (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>GroupIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>MemberServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the User
 
* <code>GroupServer</code> - Optionally provide the Active Directory Domain Services instance to connect to when retrieving the Group
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
</div></div>
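The six membership operations above (Add/Remove Computer, Group and User) share one parameter contract: a member identity and a group identity, each optionally paired with its own Active Directory Domain Services instance. The function below is an added example, not the package's own script; it shows why the member and group servers are separate (the two objects may live in different domains of the forest) and reproduces the <code>Errors</code>/<code>Outcome</code> output shape. The function name, the <code>MemberType</code> switch and the sample identities and domain names are assumptions.

```powershell
# Added example (not the Hornbill package's own script): one function covering the
# Add/Remove Computer, Group and User operations' parameter contract.
# Set-AdGroupMembership and the MemberType parameter are assumed names.
function Set-AdGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action,
        [Parameter(Mandatory)][ValidateSet('Computer', 'Group', 'User')][string]$MemberType,
        [Parameter(Mandatory)][string]$MemberIdentity,  # DN, objectGUID, objectSid or sAMAccountName
        [Parameter(Mandatory)][string]$GroupIdentity,   # DN, objectGUID, objectSid or sAMAccountName
        [string]$MemberServer,                          # optional: domain/DC holding the member
        [string]$GroupServer                            # optional: domain/DC holding the group
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $opErrors = @()
    try {
        # Resolve the member in its own domain. Get-ADComputer/-ADGroup/-ADUser accept all
        # four identity forms the package lists; Get-ADObject does not (DN or GUID only),
        # so the member type selects the cmdlet.
        $memberArgs = @{ Identity = $MemberIdentity; ErrorAction = 'Stop' }
        if ($MemberServer) { $memberArgs.Server = $MemberServer }
        $member = & "Get-AD$MemberType" @memberArgs

        # The group may sit in a different domain than the member; passing the resolved
        # member object while targeting the group's own server makes the change work.
        $groupArgs = @{ Identity = $GroupIdentity; Members = $member
                        ErrorAction = 'Stop'; Confirm = $false }
        if ($GroupServer) { $groupArgs.Server = $GroupServer }

        if ($PSCmdlet.ShouldProcess("$($member.DistinguishedName) in group $GroupIdentity", $Action)) {
            if ($Action -eq 'Add') { Add-ADGroupMember @groupArgs }
            else                   { Remove-ADGroupMember @groupArgs }
        }
    } catch {
        $opErrors += $_.Exception.Message
    }
    # Output shape matches the page's operations: Errors text plus an OK/FAIL Outcome.
    $outcome = if ($opErrors.Count -eq 0) { 'OK' } else { 'FAIL' }
    [pscustomobject]@{ Errors = ($opErrors -join '; '); Outcome = $outcome }
}

# Dry run first: -WhatIf reports the intended change without modifying the directory.
# The computer name, group name and domains below are constructed sample values.
Set-AdGroupMembership -Action Add -MemberType Computer -MemberIdentity 'WS-0042$' `
    -GroupIdentity 'Patch-Ring-1' -MemberServer 'corp.example.com' -GroupServer 'res.example.com' -WhatIf
```

Because membership changes to sensitive groups are high impact, keep the <code>-WhatIf</code> path in any test job and review the <code>Errors</code> output rather than relying on <code>Outcome</code> alone.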
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Create Group===
 
<div class="mw-collapsible-content">
 
 
 
This operation creates a new Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>Name</code> '''(MANDATORY)''' - The name of the Group object. Must be unique within your Active Directory.
 
* <code>SamAccountName</code> '''(MANDATORY)''' - The sAMAccountName of the Group object. Must be unique within your Active Directory.
 
* <code>Path</code> '''(MANDATORY)''' - The distinguished name of the OU/Container where you wish to create the Group.
 
* <code>GroupCategory</code> '''(MANDATORY)''' - Can be either Distribution or Security
 
* <code>GroupScope</code> '''(MANDATORY)''' -  Can be DomainLocal, Global or Universal
 
* <code>DisplayName</code> - The displayName of the Group object.
 
* <code>Description</code> - The description of the Group object.
 
* <code>HomePage</code> - Specifies the URL of the home page of the object.
 
* <code>ManagedBy</code> - Specifies the user or group that manages the object by providing one of the following property values:
 
:* A distinguished name
 
:* A GUID (objectGUID)
 
:* A security identifier (objectSid)
 
:* SAM account name (sAMAccountName)
 
* <code>Server</code> - The Active Directory Domain Services instance to perform the operation against, specified in one of the following ways:
 
:* Domain name values:
 
::* Fully qualified domain name
 
::* NetBIOS name
 
:* Directory server values:
 
::* Fully qualified directory server name
 
::* NetBIOS name
 
::* Fully qualified directory server name and port
 
* <code>Mail</code> - The email address of the Group object.
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
* <code>distinguishedName</code> - The Distinguished Name of the new Group.
 
* <code>objectGUID</code> - The Object GUID of the new Group.
 
* <code>sid</code> - The SID of the new Group.
 
</div></div>
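The Create Group contract above maps closely onto the AD module's <code>New-ADGroup</code>. The function below is an added example rather than the package's script: it restricts <code>GroupCategory</code> and <code>GroupScope</code> to the values the operation accepts, passes only the optional attributes that were supplied, and returns the three identifiers the operation outputs. The function name is an assumption, and the <code>mail</code> attribute is set through <code>-OtherAttributes</code> because <code>New-ADGroup</code> has no dedicated mail parameter.

```powershell
# Added example, not the Hornbill package's own script: the Create Group parameter
# contract as a PowerShell function. New-ItomAdGroup is an assumed name.
function New-ItomAdGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Path,             # DN of the OU/container
        [Parameter(Mandatory)][ValidateSet('Distribution', 'Security')][string]$GroupCategory,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$GroupScope,
        [string]$DisplayName,
        [string]$Description,
        [string]$HomePage,
        [string]$ManagedBy,                             # DN, objectGUID, objectSid or sAMAccountName
        [string]$Server,                                # domain FQDN, NetBIOS name, or server[:port]
        [string]$Mail
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $opErrors = @()
    $group = $null
    try {
        $params = @{
            Name = $Name; SamAccountName = $SamAccountName; Path = $Path
            GroupCategory = $GroupCategory; GroupScope = $GroupScope
            PassThru = $true; ErrorAction = 'Stop'
        }
        # Forward only the optional attributes the caller actually set.
        foreach ($p in 'DisplayName', 'Description', 'HomePage', 'ManagedBy', 'Server') {
            if ($PSBoundParameters.ContainsKey($p)) { $params[$p] = $PSBoundParameters[$p] }
        }
        # New-ADGroup has no -Mail parameter, so mail goes in as a raw attribute.
        if ($Mail) { $params.OtherAttributes = @{ mail = $Mail } }

        if ($PSCmdlet.ShouldProcess("$Name in $Path", 'New-ADGroup')) {
            $group = New-ADGroup @params
        }
    } catch {
        $opErrors += $_.Exception.Message
    }
    # Same outputs as the operation: Errors, Outcome and the new group's identifiers.
    $outcome = if ($opErrors.Count -eq 0) { 'OK' } else { 'FAIL' }
    [pscustomobject]@{
        Errors            = ($opErrors -join '; ')
        Outcome           = $outcome
        distinguishedName = $group.DistinguishedName
        objectGUID        = $group.ObjectGUID
        sid               = $group.SID
    }
}
```

Under <code>-WhatIf</code> the identifier fields come back empty with <code>Outcome</code> set to OK, which is the expected result of a dry run rather than an error.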
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Delete Group===
 
<div class="mw-collapsible-content">
 
 
 
This operation deletes an Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>GroupIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>Server</code> - The Active Directory Domain Services instance to perform the operation against, specified in one of the following ways:
 
:* Domain name values:
 
::* Fully qualified domain name
 
::* NetBIOS name
 
:* Directory server values:
 
::* Fully qualified directory server name
 
::* NetBIOS name
 
::* Fully qualified directory server name and port
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
</div></div>
 
<div class="mw-collapsible mw-collapsed" data-collapsetext="Show Less" data-expandtext="Read More" style="width:1050px">
 
===Get Group===
 
<div class="mw-collapsible-content">
 
 
 
This operation retrieves information about an Active Directory Group.
 
 
 
====Extra Credentials====
 
 
 
None required.
 
 
 
====Input Parameters====
 
 
 
* <code>GroupIdentity</code> '''(MANDATORY)''' - Provide the Identity of the Group (distinguishedName, objectGUID, objectSid or sAMAccountName)
 
* <code>Server</code> - The Active Directory Domain Services instance to perform the operation against, specified in one of the following ways:
 
:* Domain name values:
 
::* Fully qualified domain name
 
::* NetBIOS name
 
:* Directory server values:
 
::* Fully qualified directory server name
 
::* NetBIOS name
 
::* Fully qualified directory server name and port
 
 
 
====Output Parameters====
 
 
 
* <code>Errors</code> - Any errors returned by the operation.
 
* <code>Outcome</code> - Outcome of the operation. Can be OK or FAIL.
 
* <code>CanonicalName</code>
 
* <code>CN</code>
 
* <code>Description</code>
 
* <code>DisplayName</code>
 
* <code>DistinguishedName</code>
 
* <code>GroupCategory</code>
 
* <code>GroupScope</code>
 
* <code>ManagedBy</code>
 
* <code>Name</code>
 
* <code>ObjectGUID</code>
 
* <code>ObjectSid</code>
 
* <code>SamAccountName</code>
 
</div></div>
 
[[Category:ITOM]]
 

Revision as of 14:50, 12 February 2024
