One of the most common tasks for an IT department is administration of security groups. Security groups are used to control access to most of today’s applications. Membership of some groups is modified often, for example groups that control access to project workspaces. Often I see this modification handled as a request to the service desk, which either does it manually or escalates it to 2nd line, who does it manually. Often it is done directly in Active Directory Users and Computers with a user account that has unnecessarily high permissions. The risk of human error is always there, as the Active Directory tool is often run with a high-privilege account and the engineer modifying the group can misunderstand what to do.
In this blog post I will show an idea for how to handle group management with the self-service portal in Service Manager and configure Orchestrator to execute all modifications. A nice benefit of using Service Manager is that you get tracking of everything: who submitted the change, who approved it and so on. A nice benefit of using Orchestrator is that it will be done the same way every time and no manual steps are required. In this example a manager, a user that is configured as manager on a security group in Active Directory, can, with the self-service portal in Service Manager
- Add member to security group
- Remove member from security group
- Request a list of members of a security group
I wrote a blog post a couple of weeks ago about password reset with Service Manager and Orchestrator. This idea for group management is very similar to the password reset idea, so I will not write down all the steps again. Look at the password reset post to see how to build the integration between Orchestrator and Service Manager. One difference compared with the password reset post is that I use Business Phone instead of Pager to store the manager value. That affects both the runbooks and the portal offering you build.
The group management idea is built on a number of runbooks:
- 10.1.1 Invokes 10.1.2 and 10.1.3 to list group members, update the service request and then send an updated list of members to the manager
- 10.1.2 Lists group members. This is done with a custom assembly. The Active Directory integration pack includes a “Get Group” activity, but it does not return the members of the group, only the group itself. I created a new activity that uses PowerShell to list group members.
- 10.1.3 Updates the service request with a new description
- 10.1.5 Handles adding a member to a group
- 10.1.6 Handles removing a member from a group
List group members
A manager navigates to the self-service portal and requests a list of group members. The manager can select only groups where the manager is owner. Read more about the details of how that works in the password reset blog post. The 10.1.1 runbook executes, as it is part of the service request template for the list group members offering. The runbook ends with sending an e-mail to the manager. The e-mail contains a list of all members of the security group.
Add/remove member of group
A manager (owner of at least one group) navigates to the self-service portal and selects either the Add User To Group offering or the Remove User From Group offering, selects which group, and inputs the username of the user to add to or remove from the security group.
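The list, add and remove operations above all hinge on one check: the requester must actually be the owner of the group. The following PowerShell is an added example of that check (it is not the custom assembly or runbooks from the download below). It assumes the RSAT ActiveDirectory module is available to the runbook server and that the group's ManagedBy attribute identifies the manager; the function name and the sample account values are made up for illustration.

```powershell
# Added example, not the blog's own assembly. Assumes the ActiveDirectory module
# and that ManagedBy on the group holds the manager's distinguished name.
Import-Module ActiveDirectory

function Invoke-ManagedGroupChange {
    param(
        [Parameter(Mandatory)][string]$RequesterSamAccountName,   # manager who submitted the request
        [Parameter(Mandatory)][string]$GroupName,                 # group chosen in the portal offering
        [Parameter(Mandatory)][ValidateSet('List','Add','Remove')][string]$Action,
        [string]$MemberSamAccountName                             # required for Add and Remove
    )

    $group     = Get-ADGroup -Identity $GroupName -Properties ManagedBy
    $requester = Get-ADUser  -Identity $RequesterSamAccountName

    # Authorization check. The runbook runs under a service account, so this
    # comparison is what stops a manager from touching groups they do not own.
    if (-not $group.ManagedBy -or $group.ManagedBy -ne $requester.DistinguishedName) {
        throw "User '$RequesterSamAccountName' is not the ManagedBy owner of group '$GroupName'."
    }

    switch ($Action) {
        'List' {
            # Plain list of sAMAccountNames for the service request description / e-mail
            return (Get-ADGroupMember -Identity $group -Recursive |
                    Sort-Object SamAccountName |
                    Select-Object -ExpandProperty SamAccountName)
        }
        'Add' {
            if (-not $MemberSamAccountName) { throw 'MemberSamAccountName is required for Add.' }
            $member = Get-ADUser -Identity $MemberSamAccountName   # fails loudly if the user does not exist
            Add-ADGroupMember -Identity $group -Members $member
            return "Added $MemberSamAccountName to $GroupName"
        }
        'Remove' {
            if (-not $MemberSamAccountName) { throw 'MemberSamAccountName is required for Remove.' }
            $member = Get-ADUser -Identity $MemberSamAccountName
            Remove-ADGroupMember -Identity $group -Members $member -Confirm:$false
            return "Removed $MemberSamAccountName from $GroupName"
        }
    }
}

# How a runbook PowerShell step would call it (constructed sample values):
# Invoke-ManagedGroupChange -RequesterSamAccountName 'jdoe' -GroupName 'Project-Alpha' -Action 'List'
```

Give the service account the runbook uses write access to the member attribute only on the groups managers are allowed to administer, rather than the broad rights an engineer's admin account carries; the ownership check then limits each manager to their own groups and the account limits the blast radius if a runbook misbehaves.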
This was a simple example of what you could do with Service Manager and Orchestrator. You can of course add a lot more features and details. I didn’t spend any time on fault tolerance or error handling in the runbooks as this is an example, but for all production runbooks you should really spend time on that.
You can download my custom assembly file for list group members in Active Directory, Service Manager management pack and Orchestrator runbooks here, 20120716_GroupManagement. Please note that this is provided “as is” with no warranties at all.