create AD user and create AD Group using System Center Orchestrator

Question

create AD user and create AD Group using System Center Orchestrator

SSE@TUE 120

Hi,

I have created a runbook on my System Center Orchestrator as following:

create AD User (it is working)
Enable AD User (it is working)
Enable Mailbox (it is working)
ADD the new created AD user to existing group (it is working)
Create a new AD group (it is working)
ADD the new created AD user (step 1) to the new created AD Group (step 5) ( does not work)

What do I wrong?

here my runbook

runbook4

best regards

Nick

Accepted answer

2 additional answers

Your answer

Answer 1

Andreas Baumgarten 123.4K MVP Volunteer Moderator

Hi @SSE@TUE ,

the correct order of the activities in your runbook shown in the screenshot should be:

Create User - link -> Enable User - link -> Create Group1 - link -> Add user to Group1

From Enable User - link -> Create Group2 - link -> Add user to Group2

This way the user will be created and enabled

After the user is enabled the Group1 and Group2 can be created parallel and the user can be added to the groups after the groups are created

Second option could be:

Create User - link -> Enable User

From Create User - link -> Create Group1 - link -> Add user to Group1

From Create User - link -> Create Group2 - link -> Add user to Group2

Both options will work.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator

2025-06-20T07:22:07.1833333+00:00

Hi @SSE@TUE ,

are there any additional questions to this topic?

If you found the answer helpful, it would be great if you please mark it "Accept as answer". This will help others to find answers in Q&A.

Regards

Andreas Baumgarten
SSE@TUE 120 Reputation points

2025-06-26T15:10:47.08+00:00

Hi Sorry again,

it does not work, I have created a new Runbook, as you did write

on the activity "add user to group", I added "Group Distinguished Name" from create Group and "User Distinguished Name" from activity "Enabled User"

is that correct so?

thank you for your help
Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator

2025-06-26T15:31:22.25+00:00

Hi @SSE@TUE ,

it should be the Distinguished Name of the Group. Not the Container Distinguished Name.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
SSE@TUE 120 Reputation points

2025-06-27T06:01:35.1833333+00:00

Hi,

First of all, would you please blacken my domain name in first Picture? Thank you.

reagrds
SSE@TUE 120 Reputation points

2025-06-27T06:26:08.0933333+00:00

Second of all, I thing you understand my question wrong or I can not explain correctly.

"Add User to Group" Properties

I selected by "Group Distinguished Name" the following option

I selected by "User Distinguished Name" the following option

Finally, it looks so

are these steps now correct?

Thank you again for help
Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator

2025-06-27T09:05:05.1833333+00:00

Hi @SSE@TUE ,

please read my last comment again!

it should be the Distinguished Name of the Group. Not the Container Distinguished Name.

You choosed/added the wrong property in the Group Distingusihed Name in the Add User To Group properties. It has to be Distinguished Name (6th in the list) and not Container Distinguished Name (second in the list) of the Create Group activity.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
SSE@TUE 120 Reputation points

2025-06-27T09:21:51.3433333+00:00

ok, and for "User Distinguished Name"

Is it correct for Distinguished Name from [Enable User]??
Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator

2025-06-27T09:39:50.7633333+00:00

Hi @SSE@TUE ,

ok, and for "User Distinguished Name" Is it correct for Distinguished Name from [Enable User]??

that looks good to me.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
SSE@TUE 120 Reputation points

2025-06-27T09:43:16.1766667+00:00

ok, thank you, let me please check and I will let you know
SSE@TUE 120 Reputation points

2025-06-27T11:40:03.4333333+00:00

Thank you for your help. It is working now

Answer 2

Andreas Baumgarten 123.4K MVP Volunteer Moderator

Hi @SSE@TUE ,

how are the Add User to Group activities configured?

A screenshot of the details might be helpful.

Do you get any error messages when the activities are executed?

Basicially you need to configure the Distinguished Name of the AD user and the AD group to add the user to the group. For instance:

CN=Peter Pan,OU=Sales,DC=Fabrikam,DC=COM

CN=Group1,OU=Sales,DC=Fabrikam,DC=COM

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

SSE@TUE 120 Reputation points

2025-06-18T06:53:58.23+00:00

Hi,

As I wrote, if I create a new group, it is working, but I cannot add the created user in step 1 to that new created group in step 4.

the new created security group is called "SE-RPAD"

and I want to add the new created AD user in step 1 in that group "SE-RPAD"

is my link wrong or how should be the link?

Answer 3

Andreas Baumgarten 123.4K MVP Volunteer Moderator

Hi @SSE@TUE ,

to add the created user to the AD group you need the Distinguished Name of the group.

Easiest way to get this done is to use a Get Group activity before with a filter on the SamAccount Name (SE-RPAD in your example). Link this activity before the Add User to Group activity and use the DN of the published data of the Get Group activity.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

SSE@TUE 120 Reputation points

2025-06-18T08:04:06.9833333+00:00

thank you for your replay. I know what you mean. Could you please give me an example for Get Group? Do you have an example Link or an runbook example?

thank you
Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator

2025-06-18T08:10:03.9466667+00:00

Hi @SSE@TUE ,

please take a look here:

Instead of the Display Name filter I would recommend the Sam account name, which is unique.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
SSE@TUE 120 Reputation points

2025-06-18T08:39:52.4933333+00:00

what is here in your example mean with ABC?

I will create a new runbook with create ad user and create ad group and try an example and let you know
Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator

2025-06-18T08:59:20.85+00:00

Hi @SSE@TUE ,

ABC is just an example/placeholder for the value you want to filter on. In your case the Name in the filter settings would be Sam account name and the Value would be SE-RPAD .

If you create a new group in the runbook as well you don't need the Get Group activity. The distinguished name (DN) of the new created group is available in the published data of the Create Group activity. You need the Get group activity just for existing AD groups (getting the DN) you want to use in your runbook to add user into.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
SSE@TUE 120 Reputation points

2025-06-18T11:56:32.3166667+00:00

Hi,

Oh, I think you understand my question wrong. I can add the new created AD User in existing AD Group, it is working. What I want, is , if I create new AD User and new AD Group, I want to add the new created AD User in the new created AD Group in on step

Regards
Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator

2025-06-18T12:07:26.95+00:00
Hi @SSE@TUE ,

to create a new AD user and a new AD group and add the new created user to the new created group it is a 3 step process:

Create User activity

Create Group activity

Add User to Group activity

In the Add User to Group activity use the published data of the two activities before.

Both Create ... activities are providing the required Distinguished Names of the user object and the group object if executed successfully .

But you have to sort the activities in the right order by linking the activities:

The Add User to Group activity needs to be executed after the Create User and Create Group activities.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
SSE@TUE 120 Reputation points

2025-06-18T12:46:08.63+00:00

Ok, then has my runbook wrong activity above in my question?

because I have linked from Enable User activity to the Add user to group activity.

It should be linked from create AD user activity directly to the Add user to group activity. AM I right?
SSE@TUE 120 Reputation points

2025-06-18T13:55:21.6733333+00:00

I think the Second option is elegant , I will try it and see the result

Thank you for help

Share via

create AD user and create AD Group using System Center Orchestrator

2 additional answers

Your answer