Overview

Perform operations on users, groups, and computers in Microsoft on-premises Active Directory.

This app communicates with the on-premises Active Directory through the Orchestration server.


Description

Orchestration apps let you automate repeatable tasks and actions that span a diverse set of systems and applications using workflows. The list of actions supported for this app includes:


User Management

1.  Create User

2.  Delete User

3.  Get User

4.  Add User To Group

5.  Remove User From Group

6.  Disable User

7.  Reset Password

8.  Enable User

9.  Is User Account Locked

10. Is User Enabled

11. Unlock Account

12. Update Users Home Location

13. Update User

14. Add User to Multiple Groups

15. Get User with UPN


Group Management

1. Create Group

2. Delete Group

3. Get Group

4. Is User In Group


Computer Management

1. Delete Computer

2. Disable Computer

3. Enable Computer

4. Is Computer Enabled

5. Get Computer OU


Working Principle

The app communicates with the on-premises Active Directory through the Orchestration server, which resides in the same private network as the Active Directory server and acts as an agent.

The Orchestration server establishes an outbound secure connection over port 443 from inside the private network and waits for incoming app requests.

Once it receives an app request over that outbound connection, the Orchestration server communicates with the on-premises Active Directory in the same private network using WinRM (Windows Remote Management).


Prerequisites

  1. Orchestration Server Installation

The Orchestration server should be installed using the installer on a Windows server. The installer can be found in your Freshservice tenant in the “Admin” module:

Admin > Orchestration Centre > Orchestration Server > “Download Windows Installer”.

To know more about the Orchestration server installation, please refer to the Orchestration Server solution article.


  2. WinRM quickconfig Command

1. Open a PowerShell terminal on the Active Directory server.

2. Run the following command in the PowerShell terminal:

winrm quickconfig


What does the “winrm quickconfig” Command Do?

The "winrm quickconfig" command performs these operations:

  1. Starts the WinRM service and sets the service startup type to auto-start.

  2. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.

  3. Defines ICF (Internet Connection Firewall) exceptions for the WinRM service and opens the ports for HTTP and HTTPS.



Note

The winrm quickconfig command creates a firewall exception only for the current user profile. If the firewall profile is changed for any reason, you should run winrm quickconfig again to enable the firewall exception for the new profile; otherwise, the exception might not be enabled. For more information, please refer to the documentation here.


Installation Parameters

The app requires the following parameters during installation; they are used to authenticate the calls from the app to the on-premises Active Directory server.


  1.  Active Directory Server IP:

The IP address of the Active Directory server. It can be a private or a public IP, depending on the server configuration.

The private IP address can be retrieved from a PowerShell terminal with the following command:

ipconfig /all


From the command result, copy the IPv4 address.



  2. Active Directory Server Username:

The username used for logging in to the Active Directory server.


  3. Active Directory Server Password:

The password used for authenticating the user on the Active Directory server.


  4. WinRM Port:

The default WinRM port is 5985 for communication over HTTP and 5986 for communication over HTTPS, unless a custom WinRM port has been explicitly configured.



Networking Requirements

Please ensure that the following network communication is established before executing the app actions:


  1. Communication on the default WinRM port (or a custom port, based on your configuration) from the Orchestration server to the Microsoft AD server must be enabled. You can use the telnet utility to verify that the WinRM port is open.
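The following PowerShell script is an added example, not part of the Freshservice app or its documentation. Run it on the Orchestration server to check the three things the app actions depend on: the WinRM port is reachable, the WinRM service on the AD server answers a WS-Management handshake, and the installation-parameter account can run Active Directory cmdlets remotely. The server address, port and credential are supplied as assumed parameters.

```powershell
# Added example (not Freshservice code): pre-flight check of the WinRM path
# from the Orchestration server to the on-premises AD server.
param(
    [Parameter(Mandatory)] [string] $AdServer,   # assumption: IP from "ipconfig /all"
    [int] $Port = 5985,                          # 5986 when an HTTPS listener is configured
    [switch] $UseSSL,
    [pscredential] $Credential = (Get-Credential -Message "AD server account")
)

# 1. TCP reachability on the WinRM port (same check as telnet, without installing telnet).
$tcp = Test-NetConnection -ComputerName $AdServer -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP $Port to $AdServer is closed: check the AD server firewall profile and any ACLs between the two servers."
}

# 2. WS-Management handshake: proves the WinRM service is listening and accepts the account.
$wsman = @{
    ComputerName   = $AdServer
    Port           = $Port
    Credential     = $Credential
    Authentication = 'Negotiate'
    ErrorAction    = 'Stop'
}
if ($UseSSL) { $wsman.UseSSL = $true }
try {
    $id = Test-WSMan @wsman
    "WinRM reachable: $($id.ProductVendor) $($id.ProductVersion) on ${AdServer}:$Port"
} catch {
    throw "WinRM handshake failed: $($_.Exception.Message). Re-run 'winrm quickconfig' on the AD server if the service or listener is missing."
}

# 3. The account must be able to run AD cmdlets remotely, which is what the app actions do.
$domain = Invoke-Command -ComputerName $AdServer -Port $Port -UseSSL:$UseSSL -Credential $Credential -ScriptBlock {
    Import-Module ActiveDirectory
    (Get-ADDomain).DNSRoot
}
"Remote AD access OK, domain: $domain"
```

When the AD server is addressed by IP address over HTTP, WinRM authenticates with NTLM and the client only proceeds if the server is in its TrustedHosts list; an HTTPS listener (5986) with a certificate matching the server name avoids that client-side trust decision and keeps the session protected by TLS.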



Verify Connection Using “Test App Action”

You can also use the “Test App Action” functionality inside the Workflow Automator’s App Node to verify the connection between the Orchestration server and the on-premises Active Directory.