vCO Active Directory 'Create User Group' Action Does Not Populate SamAccountName with Expected Result
While using the Create a user group in an organizational unit Active Directory workflow in vCenter Orchestrator 5.5.1 I noticed an unexpected result after the group had been created in AD.
Although the group was successfully created, the SamAccountName attribute appeared to have been populated with a seemingly random string and not the name of the group as I would have expected.
Apart from being a bit inconsistent for my liking, this could have undesired results for applications that query AD using the SamAccountName property. For instance, I discovered this problem while attempting to add a tenant administrator group to a tenant in vCAC: none of my groups would show in the search list, despite existing, and I eventually tracked it down to this problem. So I think vCAC was using the SamAccountName property to search for them.
Workaround:
So I implemented the following workaround. The Create a user group in an organizational unit workflow actually uses two actions: createUserGroup and getUsergroupFromContainer.
It’s possible to call these actions from a Scriptable Task, so I created a new workflow containing a Scriptable Task, with the intention of adding some code to modify the AD group after creation.
The workflow takes two parameters: GroupName and OU (to which I added some presentation so the OU could be selected via a browse button).
The scriptable task took those as inputs and then used the following code:
[code language="javascript"]
// Create the group in the target OU using the AD plugin action
System.getModule("com.vmware.library.microsoft.activeDirectory").createUserGroup(GroupName, OU);
// Look the new group up again so we get an AD:Group object to work with
var userGroup = System.getModule("com.vmware.library.microsoft.activeDirectory").getUsergroupFromContainer(OU, GroupName);
// Overwrite the auto-generated SamAccountName with the group name
userGroup.setAttribute('SamAccountName', GroupName);
[/code]
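As an added example (not code from the original post or from the vRO AD plugin), the following plain JavaScript shows the two checks I would want around that setAttribute call: that the GroupName is actually legal as a sAMAccountName before trying to write it, and that the value AD reports after creation really differs from the group name before overwriting it. The function names, the constructed sample value (which only resembles the kind of auto-generated string the plugin left behind) and the shape of the returned objects are all my own assumptions; inside a vRO scriptable task you would feed needsSamAccountNameFix() the value read back from the AD:Group.

```javascript
// Added example, not part of the original post or the vRO AD plugin.
// Runs in plain Node.js; no vRO APIs are used.

// Characters that Active Directory rejects in a sAMAccountName.
var SAM_INVALID_CHARS = /["\/\\\[\]:;|=,+*?<>]/;

// Validate a proposed sAMAccountName before attempting to set it.
function validateSamAccountName(name) {
  if (typeof name !== "string" || name.length === 0) {
    return { ok: false, reason: "empty name" };
  }
  var bad = name.match(SAM_INVALID_CHARS);
  if (bad) {
    return { ok: false, reason: "illegal character '" + bad[0] + "'" };
  }
  if (name.charAt(name.length - 1) === ".") {
    return { ok: false, reason: "name must not end with a period" };
  }
  return { ok: true, reason: "" };
}

// sAMAccountName comparisons in AD are case-insensitive, so only fix
// when the observed value really differs from the intended group name.
function needsSamAccountNameFix(groupName, observedSam) {
  if (typeof observedSam !== "string") {
    return true;
  }
  return observedSam.toLowerCase() !== groupName.toLowerCase();
}

// Decide what the scriptable task should do for a freshly created group.
function planFix(groupName, observedSam) {
  var check = validateSamAccountName(groupName);
  if (!check.ok) {
    return { action: "reject", reason: check.reason };
  }
  if (needsSamAccountNameFix(groupName, observedSam)) {
    return {
      action: "setAttribute",
      reason: "sAMAccountName '" + observedSam + "' does not match group name"
    };
  }
  return { action: "none", reason: "already correct" };
}

// Constructed sample (assumption): a group whose sAMAccountName came back
// as an auto-generated string instead of the group name.
var SAMPLE_OBSERVED = {
  groupName: "vcac-tenant-admins",
  observedSam: "$K31000-ABCDEFGHIJKL"
};

console.log(planFix(SAMPLE_OBSERVED.groupName, SAMPLE_OBSERVED.observedSam));
```

In the workflow, a "reject" result would be the place to throw before createUserGroup runs at all, since a name that AD will not accept as a sAMAccountName would otherwise leave you with a group carrying the random value and a failed setAttribute call.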
After running my own workflow the group is now showing the expected SamAccountName:
A couple of useful notes on this.
How did I know there was a setAttribute method on a Group Object?
When you are in the scripting pane, there is an API browser in the top left corner. If you search for AD:Group you can then view what is available on that object:
API Explorer
The API Explorer is also available from the main vCO page:
Anyone else experience this issue?
Update 16/05/2014:
I posted this over on the VMware communities and it looks like there is a fix coming in the next release of the AD plugin.
Update 19/05/2015:
I revisited this today and noticed that in version 1.0.5 of the AD plugin there is a new workflow, Create a user group in a group and set attribute "Group name (pre-Windows 2000)".
The schema has an additional scriptable task which sets the samAccountName of the group post creation - like in my own fix above.
The problem is, I don’t want to create a new group inside an existing group. I want to create a new group inside an OU (wouldn’t you?). So I took a copy of the Library workflow Create a user group in an organizational unit …
and copied the scriptable task fix into it.
Tip: Did you know you could copy and paste vRO workflow elements between workflows, even across multiple vRO client sessions? I discovered it by accident once, pretty cool :-)
Note: I needed to switch the output of the getUsergroupFromContainer action from an output parameter named newUserGroup to an output attribute named userGroup so that an AD:Group object could be passed into the Change "Group name…" scriptable task.
The output of the Change "Group name…" scriptable task should then auto-match to the newUsergroup output parameter. If not, make it so:
Now it’s possible to create the groups with the samAccountName properly configured.