Integrating Active Directory with System Center Orchestrator

With the release of System Center 2012, admins at large organizations can take advantage of the monitoring, alerting, backup, restore, automation and remediation capabilities of this suite. The advanced automation capabilities in System Center 2012 are delivered through System Center Orchestrator. You might know this product as Opalis, after the company that originally built it and that Microsoft acquired in December 2009.

From an Active Directory point of view, the strength of System Center Orchestrator lies in its ability to automate provisioning and deprovisioning through advanced run book procedures. Business people would call these ‘workflows’.

An example…

A typical example is automatically deprovisioning a user when he or she leaves the company. Within a single run book you can remove the account from Active Directory, remove the person’s record from the SQL Server HRM database, remove his or her computer from the DirectAccess group, send e-mails to the (former) manager and act on his or her consent, and so on. It is all the stuff you could also do with Z-term, but with advanced workflow features, on-the-spot delegated decision making through e-mail or SharePoint, and robust reporting (at a significant cost).

When designing run book procedures in System Center Orchestrator, pre-defined activities are available through the picker in the Orchestrator Client, and you can also run commands and scripts. To deprovision the account in the example, you would issue a couple of PowerShell, dsmod.exe or admod.exe commands. The downside of this approach is that when such a command errors out (for instance because the user account was protected against accidental deletion), you would be searching high and low for the reason.
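As an added illustration (this is example code written for this article, not part of the original post or of any Microsoft product), here is what the PowerShell step of the deprovisioning run book could look like when it takes the failure mode above into account. It assumes the ActiveDirectory module from Windows Server 2008 R2 / RSAT is present on the run book server, the function name Remove-DeprovisionedUser and the account name ‘jdoe’ are assumptions, and the $Status / $Message variables at the end stand in for whatever you publish to the next activity.

```powershell
# Added example for a Run .Net Script (PowerShell) activity: deprovision a user with explicit
# failure handling instead of a bare Remove-ADUser that leaves you guessing why it failed.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) on the run book server.
Import-Module ActiveDirectory

function Remove-DeprovisionedUser {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$Server = $null   # optional: pin the step to one domain controller
    )
    $result = @{ Status = 'Failed'; Message = ''; RemovedFromGroups = 0 }
    try {
        $adParams = @{ ErrorAction = 'Stop' }   # turn non-terminating AD errors into catchable ones
        if ($Server) { $adParams['Server'] = $Server }

        $user = Get-ADUser -Identity $SamAccountName `
                           -Properties ProtectedFromAccidentalDeletion, MemberOf @adParams

        # Step 1: disable first, so the account is unusable even if a later step fails.
        Disable-ADAccount -Identity $user @adParams

        # Step 2: strip group memberships (the primary group is not in MemberOf and stays).
        if ($user.MemberOf) {
            Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $user.MemberOf `
                                               -Confirm:$false @adParams
            $result.RemovedFromGroups = @($user.MemberOf).Count
        }

        # Step 3: the case mentioned in the text. A protected object makes Remove-ADUser fail with
        # "Access is denied", because the flag places an explicit Deny ACE on the object itself;
        # it is not a permission problem of the run book account. Clear it deliberately and say so.
        if ($user.ProtectedFromAccidentalDeletion) {
            Set-ADObject -Identity $user -ProtectedFromAccidentalDeletion $false @adParams
            $result.Message += 'Cleared ProtectedFromAccidentalDeletion. '
        }

        Remove-ADUser -Identity $user -Confirm:$false @adParams
        $result.Status = 'Succeeded'
        $result.Message += "Removed $($user.DistinguishedName)."
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Already gone (or never existed): report it, do not treat it as a crash of the run book.
        $result.Message = "No account named '$SamAccountName' was found; nothing to remove."
    }
    catch {
        # Capture the real reason so the run book can publish it instead of a bare failure.
        $result.Message = "Deprovisioning of '$SamAccountName' failed: $($_.Exception.Message)"
    }
    return $result
}

# Example invocation ('jdoe' is a constructed sample). In Orchestrator you would publish
# $Status and $Message as Published Data for the next activity (e-mail the manager, log, etc.).
$outcome = Remove-DeprovisionedUser -SamAccountName 'jdoe'
$Status  = $outcome.Status
$Message = $outcome.Message
Write-Output "$Status - $Message"
```

The ordering matters: disabling the account before removing memberships and deleting it means that a failure halfway through still leaves a locked-down account rather than a live one, and the published $Message tells the run book designer exactly which condition (protected object, missing account, or something else) stopped the step.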

Introducing the new Integration Pack for Active Directory

The preferred approach is to use the new Integration Pack for Active Directory. This is an add-on for System Center 2012 Orchestrator that connects Orchestrator to Active Directory Domain Controllers running Windows Server 2008 R2, so that you can automate their management. This Integration Pack was first released on April 2, 2012 as version 7.0.

Using the picker you can now create run book steps to create and delete user and computer objects, find and update user and computer object attributes, create, delete and update groups, reset a user’s password, unlock a user account, disable and enable user accounts, move user accounts, computer accounts and groups to a different OU, add user accounts and computer accounts to groups or remove them from groups, and nest and unnest groups.

Download the Integration Pack for Active Directory

Alternatively, if you are not running Windows Server 2008 R2 or the most recent version of System Center Orchestrator / Opalis, you can use the open source Opalis Active Directory Extension from CodePlex.

Further reading

System Center 2012 Updates
Active Directory Integration Pack for System Center 2012 – Orchestrator
Integration Packs for System Center 2012 – Orchestrator
The list so far: Integration Packs for System Center 2012 – Orchestrator
Trickle of releases – System Center 2012 Downloads
Orchestrator Integration Packs for the System Center 2012 Products are Available for Download
