François-Xavier Cat

Lead DevOps Engineer

2 minute read

Following my previous post, today I continuemy SCSM journey. I had to create a new automation workflow using SCSM and SCORCH to give the ability to a portal user to add an Active Directory Account to one or more group(s).

Once you get the input of the user, the selected user account and groups impacted by the request are added to the Service Request Related Item, in the Configuration Item field.

Finding this information with PowerShell was not easy. Also Users and Groups are tagged as “User Class” and we want to avoid querying the Active Directory to verify is a user is really a user and a group… really a group object.

Here is an example of Service Request using the SCSM Console:

See the objects highlighted, those are stored in the CMDB of SCSM and not in AD. We properly see the class of each objects.

Retrieving this information with PowerShell/Smlets module

Using PowerShell with the SMlets module, this information is not easily accessible. The problem:We can’t tell if an object is an user or a group. Computer however shows correctly as computer object.

# Get a single ticket with AD objects
$SRTicket = Get-SCSMObject -Id 992315e4-a94c-6e35-2720-51fe9808f903

# Get all the classes of the first object (which is a group in this case)
((Get-SCSMRelationshipObject -BySource $SRTicket -Filter "RelationshipID -eq 'd96c8b59-8554-6e77-0aa7-f51448868b43'").targetobject

Note that the RelationshipID’d96c8b59-8554-6e77-0aa7-f51448868b43’is used for Active Directory objects.

In the output, we have 2 groups, 1 user and 1 computer. But It looks like we can’t find out if the groups are actually group object or a user is really an user object.

Finding the real class of an object

To work around that, we have to use the method GetClasses() which reveal more information.

# Get all the classes of the first object (which is a group in this case)
((Get-SCSMRelationshipObject -BySource $SRTicket -Filter "RelationshipID -eq 'd96c8b59-8554-6e77-0aa7-f51448868b43'").targetobject | Select-Object -First 1).getclasses()

Note that I’m selecting only the first object (Select -first 1), which is a group object.

You have to look at the property Name and look for “Microsoft.AD.*User/Group or Computer, to find the real object class.

Adding a property Class

Finally you can use the following piece of code to retrieve all the class. We are adding a property called “Class” that will run against each object and check which value is present: “Microsoft.AD.User”, “Microsoft.AD.Group” or “Microsoft.AD.Computer”.

# Retrieve Relationship Objects CLASS of AD objects(Computers, Users and Groups)) inside SCSM
(Get-SCSMRelationshipObject -BySource $SRTicket -Filter "RelationshipID -eq 'd96c8b59-8554-6e77-0aa7-f51448868b43'").targetobject |
Select-Object -Property DisplayName, @{
    Label = "Class";
    Expression = {
        if ($_.getclasses().name -contains "Microsoft.AD.User")
        {
            "User"
        }
        elseif ($_.getclasses().name -contains "Microsoft.AD.Group")
        {
            "Group"
        }
        elseif ($_.getclasses().name -contains "Microsoft.Windows.Computer")
        {
            "Computer"
        }
    }
}

Leave a comment

You may also enjoy

Microsoft MVP 2020-2021

less than 1 minute read

It is a great pleasure and honor to receive the Microsoft MVP award for another year