Hi! Everyone, I have hit another brick wall, but as usually, I'm clueless and hope I can get some knowledge here. I have completed the creation of a Runbook to unlock AD User accounts following the workflow attached. The steps includes; Initialize Data - Get user input for AD User login ID Run .Net Script (Powershell) - Check Input for null value in entry Run .Net Script (Powershell) - Check whether Inputted user login ID user object exist in AD Run .Net Script (Powershell) - Check whether Inputted user login ID user object is enabled and lockout status is true Run .Net Script (Powershell) - Check whether Inputted user login ID user object is in the same AD Group as the Runbook user Run .Net Script (Powershell) - Unlock Inputted user login ID I test run this Runbook in 3 ways; Runbook Tester - Completed successfully Using Run in Runbook Designer - Failed, no pop-up screen to request for input Using Run in Orchestrator Console - Failed, while executing the below script less the quotes "$CurrentUserGroupObj = Get-ADUser -Identity $CurrentUser -Properties MemberOf" Can someone shed some light what is going on? Thank you and best regards. Ronald

The options are: SCSM -> "shoot sparrows with cannons" 3rd party solution -> not allowed Enter the user in the Initialize Data as a second input parameter

Hi, Based on your script, $ENV:Username may return a computer account when you run the script with the System account. As Leon/Stefan/Andreas mentioned, which account do you use to log on the Orchestrator Runbook Service?

Hi, The Runbook Tester is different compared to when you run the runbook normally by using the " Run " button, or when running the runbook via the " Runbook Console " (web console). The Runbook Tester enables you to simulate the most steps of Orchestrator Workflows, however there are some functionalities that are not the same. Below you'll find a list of different things when running a runbook with the Runbook Tester: Runbooks are not executed with the “Orchestrator Runbook Service”. Runbooks are executed with the account running Runbook Designer / Runbook Tester. Runbooks are executed on the system running Runbook Designer / Runbook Tester. Runbooks must be checked out. Stefan has posted a good blog post about the differences over here: Functionality differences executing Runbook with Runbook Tester From the above blog post: Below are some differences for the runbook activities, when running the Runbook Tester: All Standard Activities like “Run .Net Script”, “Run Program” or Activities from categories “File Management” and “Text File Management” are executed with the user account which started Runbook Designer / Runbook Tester. This account may have other permissions than the logon account of “Orchestrator Runbook Service”. All Actives are executed on the system running Runbook Designer / Runbook Tester and not with “Orchestrator Runbook Service”. If this are different system there may be different firewall settings or access permissions. In tab “Security” you can specify alternate credentials in the most Standard Activities. The Activities may fail if the user running Runbook Tester has not the permission to impersonate the user. The “Invoke Runbook” Activity will fail if the Runbook that should be invoked is also checked out (behavior in System Center 2012 SP1 Orchestrator). The Counter values are not saved into the Datastore and the original Counters are unaffected by execution with Runbook Tester. The “Send Platform Event” Activity will execute in the Runbook Tester, but it will not write an event in tab “Events”. The Instance of the “Runbook” executed in Runbook Tester will not be saved in “Log History” of the Runbook. Before you transfer a Runbook to production make sure that it is executed with “Orchestrator Runbook Service” as you expect: If you need to pass values to the “Initialize Data” Activity you can start the Runbook with “Orchestration Console”. Turn on Logging in the Properties of the Runbook to see in in “Log” and “Log History” all Activity specific and common data for each executed Activity. Disable the Activities you don’t want to test temporarily. (If the reply was helpful please don't forget to upvote or accept as answer , thank you) Best regards, Leon

Hi, does this post https://sc-orchestrator.vasol.eu/functionality-differences-executing-runbook-with-runbook-tester/ answer you question? Regards, Stefan

In addition to Leon and Stefan: If you like to test PowerShell scripts for use in Orchestrator start a 32-bit! PowerShell ISE or 32-bit PowerShell in the user context of the Orchestrator Runbook Service account. This way executing the PS Script is working the same than executed by Orchestrator Runbook Service. Maybe this is helpful. Regards Andreas Baumgarten (Please don't forget to Accept as answer if the reply is helpful)

Runbook Tester vs Run in Runbook Designer vs Run in Orchestrator Console

Ronald Seow 206

Hi! Everyone,

I have hit another brick wall, but as usually, I'm clueless and hope I can get some knowledge here.

I have completed the creation of a Runbook to unlock AD User accounts following the workflow attached. The steps includes;

Initialize Data - Get user input for AD User login ID
Run .Net Script (Powershell) - Check Input for null value in entry
Run .Net Script (Powershell) - Check whether Inputted user login ID user object exist in AD
Run .Net Script (Powershell) - Check whether Inputted user login ID user object is enabled and lockout status is true
Run .Net Script (Powershell) - Check whether Inputted user login ID user object is in the same AD Group as the Runbook user
Run .Net Script (Powershell) - Unlock Inputted user login ID

I test run this Runbook in 3 ways;

Runbook Tester - Completed successfully
Using Run in Runbook Designer - Failed, no pop-up screen to request for input
Using Run in Orchestrator Console - Failed, while executing the below script less the quotes

"$CurrentUserGroupObj = Get-ADUser -Identity $CurrentUser -Properties MemberOf"

Can someone shed some light what is going on?

Thank you and best regards.
Ronald

XinGuo-MSFT 18,771 Reputation points

2020-08-25T08:13:16.593+00:00

Hi,

What's your Orchestrator version?

Here are some tips for your reference.

How to run Active Directory cmdlets in Orchestrator .Net Activity
Ronald Seow 206 Reputation points

2020-08-26T00:47:35.497+00:00

Hi! XinGuo,

You are right, I check your article and I immediately encountered the error in the version 2 environment. I followed the guide and remodify the Registry (I did it few days back). I am still getting the error running the Runbook in Orchestrator Console with the following error;

Name : Check Group
Type : Run .Net Script
Status : Failed
Publish Data : Error Summary Text
Value : Cannot find an object with identity: '2016SVR3$' under: 'DC=test,DC=com'.

Maybe the other day after I modified the Registry, Runbook Tester can execute my script and now the error is on Console side.

Do you have any idea about this error?

Appreciate your kind advise.

Thank you and best regards.
Ronald
XinGuo-MSFT 18,771 Reputation points

2020-08-26T06:37:08.643+00:00

>Value : Cannot find an object with identity: '2016SVR3$' under: 'DC=test,DC=com'.

'2016SVR3$' looks like a computer account not a user account.
Ronald Seow 206 Reputation points

2020-08-26T07:06:08.477+00:00

Hi XinGuo,

Yes, 2016SVR3 is the computer object of the Orchestrator Server. All the roles of Orchestrator sits on this Server except for the SQL Database Server.

Do you know why this computer object is requested for my Runbook? I have posted the scripts for "Check Group" just now, so you can reference that. Prior to this action, I do have a few more Run .Net Script objects that are also querying AD for user info and no such error. Hence, I have been knocked off course as I do test at every stage.

Kindly advise if you know of anything that can resolve this error.

Thank you.
Ronald

Accepted answer

Andreas Baumgarten 111.3K Reputation points MVP

2020-08-27T09:47:43.543+00:00
The options are:

SCSM -> "shoot sparrows with cannons"

3rd party solution -> not allowed

Enter the user in the Initialize Data as a second input parameter
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

17 additional answers

XinGuo-MSFT 18,771 Reputation points

2020-08-26T09:11:31.237+00:00

Hi,

Based on your script, $ENV:Username may return a computer account when you run the script with the System account.

As Leon/Stefan/Andreas mentioned, which account do you use to log on the Orchestrator Runbook Service?
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Leon Laude 85,816 Reputation points

2020-08-25T06:11:39.463+00:00
Hi,

The Runbook Tester is different compared to when you run the runbook normally by using the "Run" button, or when running the runbook via the "Runbook Console" (web console).

The Runbook Tester enables you to simulate the most steps of Orchestrator Workflows, however there are some functionalities that are not the same. Below you'll find a list of different things when running a runbook with the Runbook Tester:

Runbooks are not executed with the “Orchestrator Runbook Service”.

Runbooks are executed with the account running Runbook Designer / Runbook Tester.

Runbooks are executed on the system running Runbook Designer / Runbook Tester.

Runbooks must be checked out.

Stefan has posted a good blog post about the differences over here:
Functionality differences executing Runbook with Runbook Tester

From the above blog post:

Below are some differences for the runbook activities, when running the Runbook Tester:

All Standard Activities like “Run .Net Script”, “Run Program” or Activities from categories “File Management” and “Text File Management” are executed with the user account which started Runbook Designer / Runbook Tester. This account may have other permissions than the logon account of “Orchestrator Runbook Service”.

All Actives are executed on the system running Runbook Designer / Runbook Tester and not with “Orchestrator Runbook Service”. If this are different system there may be different firewall settings or access permissions.

In tab “Security” you can specify alternate credentials in the most Standard Activities. The Activities may fail if the user running Runbook Tester has not the permission to impersonate the user.

The “Invoke Runbook” Activity will fail if the Runbook that should be invoked is also checked out (behavior in System Center 2012 SP1 Orchestrator).

The Counter values are not saved into the Datastore and the original Counters are unaffected by execution with Runbook Tester.

The “Send Platform Event” Activity will execute in the Runbook Tester, but it will not write an event in tab “Events”.

The Instance of the “Runbook” executed in Runbook Tester will not be saved in “Log History” of the Runbook.

Before you transfer a Runbook to production make sure that it is executed with “Orchestrator Runbook Service” as you expect:

If you need to pass values to the “Initialize Data” Activity you can start the Runbook with “Orchestration Console”.

Turn on Logging in the Properties of the Runbook to see in in “Log” and “Log History” all Activity specific and common data for each executed Activity.

Disable the Activities you don’t want to test temporarily.

(If the reply was helpful please don't forget to upvote or accept as answer, thank you)

Best regards,
Leon
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Stefan Horz 3,466 Reputation points

2020-08-25T09:16:01.843+00:00

Hi,

does this post https://sc-orchestrator.vasol.eu/functionality-differences-executing-runbook-with-runbook-tester/ answer you question?
Regards,
Stefan
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Andreas Baumgarten 111.3K Reputation points MVP

2020-08-25T18:03:22.03+00:00

In addition to Leon and Stefan:
If you like to test PowerShell scripts for use in Orchestrator start a 32-bit! PowerShell ISE or 32-bit PowerShell in the user context of the Orchestrator Runbook Service account.
This way executing the PS Script is working the same than executed by Orchestrator Runbook Service.

Maybe this is helpful.

Regards

Andreas Baumgarten

(Please don't forget to Accept as answer if the reply is helpful)
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Runbook Tester vs Run in Runbook Designer vs Run in Orchestrator Console

17 additional answers

Your answer