Use Orchestrator with Service Manager to Disable User Accounts – Part 1

18 Sep

I had a customer recently who wanted a way to allow HR to disable terminated user’s network accounts without having to contact IT.  This was easily accomplished using Orchestrator with Active Directory and Service Manger integration packs along with Service Manager 2012 with the Orchestrator Connector and the SCSM Self-Service Portal.  I will cover this topic in four parts as outlined below:

Part 1 – Create Orchestrator Runbook and syncronize to Service Manager

Part 2 – Create new custom Service Request class with custom propertys (This part is optional as this could easily be accomplished using the default Service Request class instead.)

Part 3 – Create Runbook and Service Request Templates

Part 4 – Create Request Offering and publish to the portal. Optionally create custom View and notification. Part 1 – Creating the Orchestrator Runbook The Orchestrator runbook will look like this when complete:      

1. Create a new runbook in Orchestrator. The first activity should be an Initialize Data activity with a new string property called ActivityGuid. Also if you would like to have the username of the user that submitted the request in the portal readily available for use in Orchestrator (perhaps so that you can send this information to an IT administrator from Orchestrator) then you can also add another string activity called PortalUser.              

2. The second activity will utilize the SC Service Manager 2012 integration pack to access Service Manager and get the User relationship associated to the Runbook activity.  (The Active Directory User we want to get will be selected later in the portal and will be a Configuration Item in the runbook.) From the activities listed  in the SCSM Integration Pack choose the Get Relationship activity and configure as shown:              

If you are not familiar with Orchestrator and subscribing Published Data then you may have trouble with the Object Guid entry shown above but it is very simple. All that you need to do is rightclick in the Object Guid field, select Subscribe and then Published Data. Choose the ActivityGuid property from the Initialize Data activity and click OK. Also make sure the activities have been linked together as you go.  The concept of subscribing to Publish Data will be used throughout this runbook.

3. The next activity will also use the SCSM Integration Pack and the Get Object activity to get the user object associated to the relationship in the previous activity. It should be configured as follows:  


At this point you have pulled in all of the Active Directory users associated to the runbook which would include the affected CI Item (the user we want to disable) and the created by user (probably you so definitely a user we don’t want to disable!). To filter out the created by user you need to double click the link between the Get Relationship and Get Object activities, click on Exclude, then Add and add the following:


4.  The next activity comes out of the Active Directory integration pack as we will now get the active directory object for the user object that we want to disable. Add the Get User activity and configure it as follows:              

  5. The next step is to actually disable the user account. This is also found in the AD integration pack and should be configured as follows:


  6. The last step is optional as you can use the Send Email activity in Orchestrator to send an email to either a single IT administrator or a distribution list that might be concerned with who is disabling users in Active Directory and what users are getting disabled.  To accomplish this we would simply send an email with the body of the email containing the subscribed  published data of the portaluser property found in the InitializeData activity and whatever information that you want to pass regarding the user account that got disabled such as the username of that user.  See screenshot below:            


7. Make sure you have the Orchestrator connector properly configured in Service Manager and synchronize it so that the new runbook is brought into SCSM. In Part 3 we will utilize the runbook to create a runbook automation activity.

Travis Marshall

One Response to “Use Orchestrator with Service Manager to Disable User Accounts – Part 1”

  1. mario tognetti October 7, 2012 at 10:17 am #

    Great post. I’ll be waiting other posts.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: