vCO Active Directory 'Create User Group' Action Does Not Populate SamAccountName with Expected Result

While using the Create a user group in an organizational unit Active Directory workflow in vCenter Orchestrator 5.5.1 I noticed an unexpected result after the group had been created in AD.

Although the group was successfully created, the SamAccountName attribute appeared to have been populated with a seemingly random string and not the name of the group as I would have expected.

Apart from being a bit inconsistent for my liking this could have potentially undesired results from applications querying AD using the SamAccountName property. For instance I discovered this problem while attempting to add a tenant administrator group to a tenant in vCAC; none of my groups would show in the search list, despite them existing. I consequently tracked it down to this problem. So I think it was using the SamAccountName property to search for them.

Workaround:

So I implemented the following workaround. The Create a user group in an organizational unit workflow is actually utilising two actions createUserGroup and getUsergroupFromContainer.

It’s possible to call these actions from a Scriptable Task. So I created a new workflow containing a Scriptable Task, with the intention to add some additional code to modify the AD group post creation.

The workflow takes two parameters: GroupName and OU (to which I added some presentation so the OU could be selected via a browse button)

The scriptable task took those as inputs

and then used the following code:

 

[code language=“javascript”]

System.getModule(“com.vmware.library.microsoft.activeDirectory”).createUserGroup(GroupName,OU);

userGroup = System.getModule(“com.vmware.library.microsoft.activeDirectory”).getUsergroupFromContainer(OU,GroupName);

userGroup.setAttribute(‘SamAccountName’,GroupName); [/code]

After running my own workflow the group is now showing the expected SamAccountName:

A couple of useful notes on this.

How did I know there was a setAttribute method on a Group Object?

When you are in the scripting pane, there is an API browser in the top left corner. If you search for AD:Group you can then view what is available on that object:

API Explorer

The API Explorer is also available from the main vCO page:

Anyone else experience this issue?

Update 16/05/2014:

I posted this over on the VMware communities and it looks like there is a fix coming in the next release of the AD plugin.

Update 19/05/2015:

I revisited this today and noticed that in version 1.0.5 of the AD plugin there is a new workflow Create a user group in a group and set attribute “Group name (pre-Windows 2000).

 

The schema has an additional scriptable task which sets the samAccountName of the group post creation - like in my own fix above.

The problem is, I don’t want to create a new group inside an existing group. I want to create a new group inside an OU (wouldn’t you?) . So I took a copy of the Library workflow Create a user group in an organizational unit ….

 

and copied the scriptable task fix into it.

Tip: Did you know you could copy and paste vRO workflow elements between workflows, even across multiple vRO client sessions? I discovered it by accident once, pretty cool :-)

 

Note: I needed to switch the output of the getUsergroupFromContainer action from an output parameter named newUserGroup to an output attribute named userGroup so that an AD:Group object could be passed into the Change “Group name… scriptable task.

 

The output of the Change “Group name… scriptable task should  then auto-match to the newUsergroup output parameter. if not, make it so:

Now its possible to create the groups with the samAccountName properly configured.