reactiveLabs

Orchestrator Active Directory Integration Pack Gotchas

When using the Orchestrator Active Directory Integration Pack in runbooks, there are a few things you have to look out for. These apply to SCORCH 2012 SP1 UR2.

  • Limit on number of objects returned in a query

    You can only return 5000 objects with a single query. In my environment, if I do a Get User or Get Computer activity with no filter, I’ll get exactly 5000 results.

    If I count them through PowerShell using (get-aduser -filter *).count, I get considerably more.

    Workaround

    My preferred way is to split up the queries into smaller chunks. One way is to put a Get OU activity in front of the query activity and query one OU at a time. If all of your objects are in a single OU (why?), you’ll have to do something else. In this case, doing multiple queries where you filter by display name would work.

    Another option is to use the SCORCH AD Integration Pack on CodePlex. This will probably require more extensive reworking of your runbooks.

  • It eats carriage returns

    If you try to put data in an attribute that contains new lines (CR + LF), like an address, it will eat the CR upon insertion. If you try to compare values from a Get User that are missing the CRs against values from elsewhere with the CRs, it won’t see the difference. This problem seems to happen with the SCORCH AD IP on CodePlex as well. The last couple of facts make it seem like it might be a problem with Orchestrator, but I verified it is able to pass CRs along the data bus using other activities.

    Workaround

    Use the ADSI COM interface from a Run .NET Script activity to update the attributes. Ugly but it works.

  • No country field for Get User/Update User activities

    i18n much, Microsoft? The country field is completely missing in the filters/published data and update fields for these activities.

    Workaround

    Use the SCORCH AD IP on CodePlex. You will have to set three fields, country abbreviation, country name, and country number, to match the functionality of ADUC. The country abbreviation and number should be in ISO 3166 format.

  • It’s slow

    If you get more than a few records, it starts taking a loooong time. There is no filter for which attributes to get and everything has to be published to the data bus when the activity is done. This means lots of round trips.

    Workaround

    Filter down your result set as much as possible, set the ReturnDNOnly optional property to true, and get the user attributes one by one later.

  • Modified date is actually the created date

    When you get the modified date using published data from the Get User/Get Computer/Get Group activities, it actually returns the created date.

    Workaround

    Broken record here, but the SCORCH AD IP on CodePlex will let you get the correct attribute.
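
The ADSI workaround from the "It eats carriage returns" item could look like the following PowerShell for a Run .NET Script activity. This is an added example, not the author's script; the DN, the address value and the helper name ConvertTo-CrLf are assumptions made up for illustration.

```powershell
# Added example. The DN and address are constructed sample values; in a runbook
# they would be subscribed from published data. Assumes the DN contains no
# characters that need escaping in an ADsPath (for example "/").
$userDn  = 'CN=Jane Example,OU=Staff,DC=example,DC=test'
$address = "1 Example Street`nSuite 200"   # bare LF, as seen after a CR is lost

function ConvertTo-CrLf {
    param([string]$Text)
    # Match CR+LF first so existing pairs are not doubled, then lone CR or LF.
    return ($Text -replace "`r`n|`r|`n", "`r`n")
}

$normalized = ConvertTo-CrLf $address

# Bind through ADSI and write the attribute directly, bypassing the AD IP.
$user = [ADSI]"LDAP://$userDn"
$user.Put('streetAddress', $normalized)
$user.SetInfo()

# Read back through a fresh bind rather than the local property cache, and
# compare ordinally so a missing CR shows up as a real mismatch.
$check  = [ADSI]"LDAP://$userDn"
$stored = [string]$check.Get('streetAddress')
if (-not [string]::Equals($stored, $normalized, [StringComparison]::Ordinal)) {
    throw "streetAddress on $userDn does not match the value that was written"
}

# Number of CR characters actually stored; publish this from the activity
# if later runbook steps need to confirm the line breaks survived.
$crCount = @($stored.ToCharArray() | Where-Object { $_ -eq [char]13 }).Count
```

The account the runbook runs under needs write permission on the target attribute, since the script binds with the activity's own credentials.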