Automating vCAC Tenant Creation with vCO: Part 2 AD Users, Groups and OUs

In this series we will see how to automate the creation of a tenant in vCAC using vCO. There are multiple tasks to provision a tenant in vCAC, so even though it is an automation product itself, there’s no reason why you shouldn’t look at automating parts of it too.

In part 2 we will create the AD Users, Groups and OUs to support the vCAC tenant. In this example we will create:

OUs

TenantName and sub-OUs, Users and Groups

Users

A vcoservice account and tenant admin

Groups

A tenant admin group and infrastructure admin group

We’re using vCO 5.5.1 and the AD plugin ships by default. We need to configure it to work with a Domain Controller, so run the Configure Active Directory Server workflow.

Now in the vCO Inventory view we can traverse the AD structure

2) Use a vCO Configuration Element to store the default Tenants OU.

Since we will place each tenant OU into the default Tenants OU each time, we can store this object in a vCO Configuration Element and assign it as an attribute in the workflow.

3) Create a workflow for the AD requirements. Later on we will plug this into the Create Tenant workflow which will handle all of the different parts. Add an input tenantName ….

Here we work on the presentation of the input and ensure that the user is guided into supplying us with the correct information.

and an attribute tenantOU (the configuration element created above)

4) Create an OU

Add the Create an organizational unit workflow to the schema

Set the In parameters, firstly ouName

and also ouContainer

Create an Out parameter, which will be the Tenant OU that this workflow creates

I find the Visual Binding tab really useful as a quick visual checker that everything is set as I am expecting

We need to create two sub-OUs from the tenant OU. Since the Create OU workflow only creates one, I will show you an alternative for creating multiples rather than adding the workflow many times. Create a scriptable task and call it Create Sub OUs

As inputs we need the tenantName and tenantNameOU .

For outputs we need to create the two OUs as attributes of type AD:OrganizationalUnit since we will need to use these OUs later.

Again, mapped out view helps me to visualise I am on the right track….

The scripting code to create the OUs is relatively straightforward. We can call any action by using the path to it and then supplying the necessary parameters. In this case we use the createOrganizationalUnit and getOrganizationUnitFromOrganizationUnit actions from the ActiveDirectory plugin.

[code language=“javascript”]

// Create the Users and Groups OUs using the createOrganizationalUnit action System.getModule(“com.vmware.library.microsoft.activeDirectory”).createOrganizationalUnit(“Users”,tenantNameOU); System.getModule(“com.vmware.library.microsoft.activeDirectory”).createOrganizationalUnit(“Groups”,tenantNameOU);

// Retrieve the OU objects for Output var usersOU = System.getModule(“com.vmware.library.microsoft.activeDirectory”).getOrganizationUnitFromOrganizationUnit(tenantNameOU,“Users”); var groupsOU = System.getModule(“com.vmware.library.microsoft.activeDirectory”).getOrganizationUnitFromOrganizationUnit(tenantNameOU,“Groups”);

[/code]

5) Create Users and Groups

Now we need to create some user accounts and groups, so add a scriptable task

As inputs we need tenantName, tenantOU, usersOU and groupsOU.

We need to output one of the users, its password and two of the groups for use later on:

We need them to be out-parameters, not attributes, so that we can use them outside of the workflow later. If you create the Source parameter by clicking in the correct place above and choosing parameter rather than attribute then the workflow Out parameters will be created for you.

We also need to make use of a Configuration Element for the ActiveDirectory domain. This provides a handy way to supply static values to the workflow without hard-coding them into a script element somewhere.

Navigate to Configuration Elements and create a new one

We can use this Configuration Element in our workflow by adding it as an attribute. Use the chooser button to select it.

Add the dnsDomain string to the Users and Groups scriptable task

To create the user accounts we need to supply a password. I generate a random one with a helper action createRandomPassword. Store this somewhere that you can easily reference.

We want to output two users and two groups from the workflow and also the vcosvcPassword.

Here’s the code to create the users and groups, and add the users to the groups

[code language=“javascript”] // Create vcoService and Tenant Admin users var vcosvcPassword = System.getModule(“com.jonathan.action.general”).generateRandomPassword(12) System.getModule(“com.vmware.library.microsoft.activeDirectory”).createUserWithPassword(tenantName + “_vCOSvc”,vcosvcPassword,vcosvcPassword,dnsDomain,tenantName + “_vCOSvc”,usersOU); var tenantadminPassword = System.getModule(“com.jonathan.action.general”).generateRandomPassword(12) System.getModule(“com.vmware.library.microsoft.activeDirectory”).createUserWithPassword(tenantName + “_TenantAdmin”,tenantadminPassword,tenantadminPassword,dnsDomain,tenantName + “_TenantAdmin”,usersOU);

System.log(“vcosvc password is: " + vcosvcPassword); System.log(“tenantadmin password is: " + tenantadminPassword);

// Retrieve the vcoService and Tenant Admin users var vcoServiceUser = System.getModule(“com.vmware.library.microsoft.activeDirectory”).getUserFromContainer(usersOU,tenantName + “_vCOSvc”); var tenantAdminUser = System.getModule(“com.vmware.library.microsoft.activeDirectory”).getUserFromContainer(usersOU,tenantName + “_TenantAdmin”);

System.log(“Tenant admin is: " + tenantAdminUser.distinguishedName);

// Create the Tenant Admin and Infra Admin groups System.getModule(“com.vmware.library.microsoft.activeDirectory”).createUserGroup(tenantName + “_TenantAdmins”,groupsOU); System.getModule(“com.vmware.library.microsoft.activeDirectory”).createUserGroup(tenantName + “_InfraAdmins”,groupsOU);

// Retrieve the Tenant Admin and Infra Admin groups and fix the SamAccountName tenantAdminsGroup = System.getModule(“com.vmware.library.microsoft.activeDirectory”).getUsergroupFromContainer(groupsOU,tenantName + “_TenantAdmins”); tenantAdminsGroup.setAttribute(‘SamAccountName’,tenantName + “_TenantAdmins”);

infrastructureAdminsGroup = System.getModule(“com.vmware.library.microsoft.activeDirectory”).getUsergroupFromContainer(groupsOU,tenantName + “_InfraAdmins”); infrastructureAdminsGroup.setAttribute(‘SamAccountName’,tenantName + “_InfraAdmins”); //Add tenant admin to admin groups var tenantAdminUserArray = [tenantAdminUser]; tenantAdminsGroup.addElements(tenantAdminUserArray); infrastructureAdminsGroup.addElements(tenantAdminUserArray);

[/code]

Finally we need to get the usersOU and groupsOU out of the workflow, having already used them in the workflow. Add an additional scriptable task to do this.