Technical preview version of VMware vCenter Orchestrator Plug-In for Microsoft Active Directory


This is a patch release of the plug-in.

Version 3.0.10-15573702

Version 3.0.9-10953259

  • Added RoundRobinDNSServer option for Client side load balancing and fail-over capabilities.

Version 3.0.8-10511038

  • Fix a thread leak in ActiveDirectory#searchForEntry()

Version 3.0.7-7624613

  • Fix "Update an Active Directory Server" load balancing mode configuration properly not populated on vRealize Orchestrator 6.0.5
  • Fix Action 'getLoadBalancingMode' in module '' failed : TypeError: Cannot read property "mode" from null (unnamed script#1)
  • Added ActiveDirectory.getEntry() method - search for an LDAP entry by its distinguished name

Version 3.0.6-5491166

  • Add  Client side load balancing and fail-over capabilities for persisted Active Directory connections.
  • Fix After restarting vRO service plug-in configuration options "Search size limit" and "Search size limit per server"  are reset to their default values.

Version 3.0.4-4950206

  • Fix UserGroup.memberOf method always returns NULL

Version 3.0.2-4209033

  • Added LdapFilter scripting object

    Note: 3.0.2-4209033 GA version of the plugin is available as part of vRealize Orchestrator Appliance 7.1

Version 3.0.0-4132888

  • Added generic LDAP client (LdapClient).
  • Added support for SimplePagedResultsControl. It allows the client to iterate through a potentially large set of search results in subsets of a specified number of entries (i.e., "pages").

  • Added support for non-persistent LDAP connections ().
  • Added User.getSID() and UserGroup.getSID() scripting methods for retrieving the objectSID attribute in the following format: 'S-1-IdentifierAuthority-SubAuthority1-SubAuthority2-...-SubAuthorityn'
  • Added getGUID() support for retrieving objectGUID formatted as dashed string
  • Fix: methods discards configured LDAP base
  • Removed sub-domain entries from inventory tree of parent domain. (Deprecated since 2.0)

Notes : Compatible with vRealize Orchestrator 5.5.2+

Notes : Introduction to new feature available here  Active Directory plugin 3.0.0 - New and Noteworthy

Version 2.0.8-3635144

  • Support for named Active Directory connection configurations

Version 2.0.7-3423847

  • Fix : rename method for AD:User does not accept names that contain commas.
  • Fix : ActiveDirectory "Base" setting discarded.

Version 2.0.6-3285066

  • Fix : rename method for AD:User does not accept names that contain commas

Version 2.0.5-3151865

  • Fix : Cannot modify attributes of an entry containing a forward slash in the name.
  • Fix : Configuration changes not propagated among vRO cluster nodes
  • Added ActiveDirectory.rename() method for renaming/moving entries inside same domain.

Version 2.0.4-3014454

  • Fix : ActiveDirectory.searchExactMatch not returning the correct result when the user name contains a forward slash.

Version 2.0.3-2824604

  • Fix : User.memberOf not returning the correct result when the user is not from the default domain

Version 2.0.2-2670588

  • Fix : AD:UserGroup.userMembers returns null when the user name contains a comma.
  • Fix : AD:UserGroup.userMembers returns null when the users are not part of the default domain.

Version 2.0.1-2597988

  • Fix : Configure "Active Directory plug-in options" workflow does not set default server.

Version 2.0.0-2543027 GA

  • Add support for Multiple Active Directory hosts

Notes : GA version available for download from - VMware vCenter Orchestrator Plug-In for Microsoft Active Directory Release Notes

Notes : Compatible with vRealize Orchestrator 5.5.2+

Version 1.0.6-2315152

  • Fixed validation warning messages in the AD plugin's workflows.

Version 1.0.5-1866388

  • OU/AD objects from the AD plugin are getting lost/not-found. In configurations, a value with the attribute of AD:OrganizationalUnit reports "Not found"
  • Fix "Object 'OU:DC=xxxx,DC=yyyy,DC=com' of type ActiveDirectory not found" for AD entities containing special characters like COMMA in CN value.

Version 1.0.4-760

  • Plugin configuration performed through workflows.
  • Fix. Deleted ad object is still returned by the plugin.


When using this version of the plugin, when I try and pull out the list of userMembers from an AD:UserGroup... I'm getting a null return. I recall in an older version of the plugin (maybe 1.0.3 or 1.0.4) that this was occurring... Any insight on why that might be happening? I'm definitely getting the group, and I am getting the groupMembers back.. Just never users. Interestingly, if I try it in reverse (get groups from users), that works ok, too. Just really strange.

Let me try it out and will let you know.

It appears that the error is caused when there is comma in user name. We have just provided plugin update containing fix for above mentioned issue.

Please verify if it resolves your issue.

Regards, Ivo


Installed and tested that userMembers is populating, and it is! Awesome. I'll run a more thorough test of the plugin on Monday morning and then update the SR and this thread. Appreciate the quick turnaround in resolving. You guys are awesome!

Thanks for sharing the feedback!

I've updated to 2.0.2-2670588 and I'm still getting the error "Default Active Directory server not set"

Do I need to remove existing AD plugin or will vCO just update the existing one by installing the tech preview ?

it will get updated.


You've probably figured it out by now but after updating the AD Plugin, you also need to run the "Configure Active Directory plug-in options" workflow to re-set the Default Server.

Hope this helps...Ron

I'm adding this here as it appears to be monitored as well, could you look at this issue: Re: Active Directory 2.0 Plugin - searchExactMatch error

Reposting the answer from communities just in case.

According to the Scripting API documentation for the ActiveDirectory.searchExactMatch() function, the ad_host parameter should be the fourth parameter, not the third one (see attached screenshot). The third parameter is actually the search limit.

Any[] searchExactMatch(string type, string objectName, number limit, AD_Host adServer)

The correct line should be

var users = ActiveDirectory.searchExactMatch("User","myuser",100, ad_host);


I've raised a VMware support ticket for this too (ref: 15720319207), but thought I'd mention it here too.

When using the ActiveDirectory plugin (v2.0.3) to Search (using or searchExactMatch or searchRecursively), if any users' AD display name contains a backslash no results are returned.

Can this be replicated by anyone else, if so can it be raised as a bug?

I'm guessing this one may be one for you igaydajiev‌,

I'm using the vRO 6.0.1 VM appliance if that makes any difference.

Many thanks,


Speaking of the magic of backslashes as escape characters...

The recommendation is to escape special characters in distinguished names with a backslash... but the AD:OrganizationalUnit.createUserwithDetails(...) method creates a display name, for a STRING that has a comma in it, like this...

Kohler\, Sean

I wouldn't ideally have a display name in this format, but I am dealing with some AD legacy...

I have tried to escape the escape (trick it) by setting up my displayName as

Kohler\, Sean

and then running it.

The method was too smart for my trick and it escaped the escape and the comma...

Kohler\\\, Sean

is what I ended up with.

I am going to try to change the name post creation to remove the backslash  (using the AD:User object), but this behavior is less than ideal (if it will work... haven't tried it yet).  Just take the Display Name string as I want it to be and make it be that EXACT string on the User Object for Display Name and I would be happy!

"Kohler, Sean" != "Kohler\, Sean"

(especially for a "Display Name" because it is ugly displayed with a backslash)



So this does set the Display Name properly.  I can use this as a workaround since the display name isn't set correctly on AD:User creation.

adUserTemp.setAttribute("displayName","Test, Automation");

Thanks for the tip, Sean!! I too am using the createUserWithDetails Action element and was looking for a way to standardize Display Names separated by a comma. Figured the best way to do this was to change the source parameter of the displayName Local Parameter (in the Workflow) to an "attribute" and then hard-code the values using your logic above. This method also eliminates any user input errors. The code I used was:

tmpUser.setAttribute("displayName", lastName + "," + firstName);


I really like how this plugin is progressing, it's becoming very useful.

One request, can we get a method to move objects (computers, groups, users)? It's really the one main missing feature that I'm having to work around thru SCORH or a powershell script somewhere. Having this function would allow me to reduce lots of complexity.



Yes! Thank you so much!

One issue I have encountered is that the rename method for AD:User does not accept names that contain commas, even when escaped. I haven't tested it with other objects but would anticipate the same result. It would be great if we could get a fix for this.

Thanks for work on this so far, this plugin has really helped our org get stuff done!

EDIT: Side note, I can't seem to find the ActiveDirectory.move() method anywhere in the API browser nor can I use the method with any of the other object classes.

Thanks for getting back.

The actual method name is ActiveDirectory.rename(). I have updated the document.

This method can also be used to rename a User. If you don't provide the newParent parameter (null value) it will rename the current entry and preserve it under the same parent.

I also tried invoking the rename method on a User entry. In case the new name contains "," it will fail. I was able to rename it if the new name is escaped like so: "User with \, comma in name". I will take a look at it. For proper prioritization and tracking you could open an official customer request ...

OK, I didn't see that there was this method under Active Directory, I have been encountering this error when using the AD:User rename method. I will create a ticket for tracking for the error I was encountering.
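The comma and backslash problems reported above all come down to which LDAP context a string is placed in. The following is an added example, not code from the plug-in or from any poster in this thread; the function names are hypothetical and it shows only what RFC 4514 (distinguished names) and RFC 4515 (search filters) require, not how the plug-in escapes internally.

```javascript
// Added example (not plug-in code): RFC 4514 DN escaping and RFC 4515 filter escaping.

// Escape a value for use as an RDN value inside a distinguished name.
function escapeDnValue(value) {
  var out = "";
  for (var i = 0; i < value.length; i++) {
    var c = value.charAt(i);
    // A leading space or '#', and a trailing space, must also be escaped.
    var atEdge = (i === 0 && (c === " " || c === "#")) ||
                 (i === value.length - 1 && c === " ");
    if (c === "\u0000") out += "\\00";
    else if (atEdge || '\\,+"<>;'.indexOf(c) !== -1) out += "\\" + c;
    else out += c;
  }
  return out;
}

// Escape a value for use as an assertion value inside a search filter.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\u0000]/g, function (c) {
    var h = c.charCodeAt(0).toString(16);
    return "\\" + (h.length < 2 ? "0" + h : h);
  });
}

// DN context: the comma is escaped exactly once.
function buildUserDn(commonName, parentDn) {
  return "CN=" + escapeDnValue(commonName) + "," + parentDn;
}

// Filter context: backslash, '*', '(' and ')' become hex pairs.
function buildDisplayNameFilter(displayName) {
  return "(displayName=" + escapeFilterValue(displayName) + ")";
}

var name = "Kohler, Sean";                        // display name from the thread
var parent = "OU=Customers,DC=domain,DC=local";   // Base value quoted on this page
console.log(buildUserDn(name, parent));
console.log(escapeDnValue(escapeDnValue(name)));  // what escaping twice produces
console.log(buildDisplayNameFilter("Sales\\EMEA (temp)")); // constructed sample name
// An attribute value such as displayName is neither a DN nor a filter: store `name` as-is.
```

Applying escapeDnValue twice to "Kohler, Sean" yields Kohler\\\, Sean, the same string reported earlier in the thread, which is why a value should be escaped once and only at the point where it enters a DN or a filter.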


It looks that "" does not follow "Base" setting.

Example if I create AD host with Base "OU=Customers,DC=domain,DC=local" and use that one on it still can find users from OU "OU=Admins,DC=domain,DC=local" too.

Hi OlliJanatuinen

I was just able to confirm it and will work on providing a resolution. For proper tracking could you open a customer request to VMware.



Technical preview version of the plugin containing the fix has just been published.

Yes, I can confirm that it works right now. Thanks
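A connection whose Base is one OU but which returns entries from a sibling OU is a scoping problem, so it is worth checking results against the configured base in the calling script. The following is an added example, not plug-in code; the function names are hypothetical and the DNs other than the Base value are constructed. It compares DNs component by component, because a plain string suffix match is fooled by escaped commas inside a name.

```javascript
// Added example (not plug-in code): check that entries lie under a configured base DN.

// Split a DN into RDNs on unescaped commas; "\," inside a value is not a separator.
function splitDn(dn) {
  var parts = [], cur = "";
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (c === "\\" && i + 1 < dn.length) cur += c + dn.charAt(++i);
    else if (c === ",") { parts.push(cur); cur = ""; }
    else cur += c;
  }
  parts.push(cur);
  return parts;
}

// Assumption: RDN types and values compare case-insensitively, and optional
// whitespace after a separating comma is ignored.
function normalize(rdn) {
  return rdn.replace(/^\s+/, "").toLowerCase();
}

// True when dn is the base entry itself or lies anywhere below it.
function isUnderBase(dn, baseDn) {
  var d = splitDn(dn).map(normalize);
  var b = splitDn(baseDn).map(normalize);
  if (b.length > d.length) return false;
  var offset = d.length - b.length;
  for (var i = 0; i < b.length; i++) {
    if (d[offset + i] !== b[i]) return false;
  }
  return true;
}

// Return the DNs that fall outside the base, for logging or rejection.
function outOfScope(dns, baseDn) {
  return dns.filter(function (dn) { return !isUnderBase(dn, baseDn); });
}

var BASE = "OU=Customers,DC=domain,DC=local";   // Base value from the report above
var RESULTS = [                                  // constructed sample DNs
  "CN=Kohler\\, Sean,OU=Customers,DC=domain,DC=local",
  "CN=jdoe,OU=Admins,DC=domain,DC=local",
  "CN=x\\,OU=Customers,DC=domain,DC=local"      // parent is DC=domain,DC=local
];
console.log(outOfScope(RESULTS, BASE));
```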

Feature request: Support for AD connection naming

It would be useful to have the possibility to specify a name for the AD connection in the "Add an Active Directory server" workflow.

That is needed especially when you have multiple connections to the same domain with different Base selections.

Support for named connections added starting with version 2.0.8 of the plugin. Any feedback is welcome.

Any ideas why a string is coming through as null when calling the Create a user group in an organizational unit and set attribute "Group Name"?  I see the variable populated with the correct name, however the workflow fails every time with: "TypeError: Cannot call method "createUserGroup" of null"

I just tried it in my environment running AD plugin version 2.0.8 and it seems OK. Workflow completed successfully.

Could you provide your version of vRO & AD plugin? Is this the out-of-the-box workflow coming with the plugin or a custom one? How do you invoke it?


I'm having trouble doing search:'OrganizationalUnit', '', ADhost)

It works ok if base of ADHost is set to root of AD, but if ADHost is created with some specific OU as base (Like, OU=Users,DC=domain,DC,local), then it does not work at all.

Any suggestions, or is it a bug that needs to be fixed?

Which version of the plugin do you use?

What do you mean by "does not work at all." Could you provide sample workflow and brief description of the scenario.

For example we have user X in ou Y. AD host base is  set to Z searching for somestring we receive ...


Version is latest (Version 2.0.8-3635144).

We have action with following script:


ADOUArray = new Array();
TempArray = new Array();
TempArray ='OrganizationalUnit', '', ADhost)

for each (var row in TempArray) {

return ADOUArray;


And ADhost is 'AD:AdHost'

If that ADhost is with base like:


Then it works and returns organizational units

But, if on ADhost base is like:


It returns nothing.

And, we are trying to get a list of Organizational Units, not users.

Hope that this clarifies a bit.

Looks like an issue. Please open a bug. When opening the issue please provide the vRO server log bundle (in DEBUG mode).

Hi igaydajiev,

Does the current Version 2.0.8-3635144 fix the objectSid issue identified in this thread?

ActiveDirectory plugin - getAttribute("objectSid")

Thank you

Just published new tech preview version 3.0.0-4132888 of the AD plugin that should cover the objectSid property. There is a dedicated getSID() scripting method on the User and UserGroup objects that can be used to return the formatted objectSID attribute. Since version 3.0.0 of the plugin there is also a getAttributeValueBytes() scripting method returning the attribute value as a byte[] array.

Any feedback is appreciated.
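For readers working with raw attribute bytes, the following added example (not plug-in code and not from the poster) converts the standard Windows binary SID layout to the 'S-1-...' string and a 16-byte objectGUID to its dashed form. Function names are hypothetical, the SID bytes are constructed, and the GUID input is the "Computer GUID" value from the workflow log quoted later on this page.

```javascript
// Added example, not plug-in code. Inputs are arrays of unsigned bytes (0-255);
// a signed Java byte[] must be masked with & 0xff first.
function sidToString(bytes) {
  if (bytes.length < 8 || bytes.length !== 8 + 4 * bytes[1]) {
    throw new Error("length does not match the sub-authority count in byte 1");
  }
  var authority = 0;                       // bytes 2..7, big-endian
  for (var i = 2; i < 8; i++) authority = authority * 256 + bytes[i];
  var parts = ["S", bytes[0], authority];  // byte 0 is the revision
  for (var o = 8; o < bytes.length; o += 4) {
    // 32-bit little-endian; multiply rather than shift, since << is signed in JS.
    parts.push(bytes[o] + bytes[o + 1] * 256 + bytes[o + 2] * 65536 + bytes[o + 3] * 16777216);
  }
  return parts.join("-");
}

function hex(bytes) {
  return bytes.map(function (b) { return (b < 16 ? "0" : "") + b.toString(16); }).join("");
}

// Assumption: Microsoft GUID string form (first three fields little-endian).
function guidToString(bytes) {
  if (bytes.length !== 16) throw new Error("objectGUID must be 16 bytes");
  return [hex(bytes.slice(0, 4).reverse()), hex(bytes.slice(4, 6).reverse()),
          hex(bytes.slice(6, 8).reverse()), hex(bytes.slice(8, 10)),
          hex(bytes.slice(10))].join("-");
}

// Decode the backslash-hex text printed in the workflow log: "\xx" is one byte,
// any other character stands for its own character code.
function unescapeBinary(text) {
  var out = [];
  for (var i = 0; i < text.length; i++) {
    if (text.charAt(i) !== "\\") { out.push(text.charCodeAt(i)); continue; }
    var pair = text.substr(i + 1, 2);
    if (!/^[0-9a-fA-F]{2}$/.test(pair)) throw new Error("bad escape at offset " + i);
    out.push(parseInt(pair, 16));
    i += 2;
  }
  return out;
}

// Constructed SID: revision 1, authority 5, sub-authorities 21, 16909060, 2695938256, 512.
var SAMPLE_SID = [1, 4, 0, 0, 0, 0, 0, 5, 0x15, 0, 0, 0, 4, 3, 2, 1,
                  0xd0, 0xc0, 0xb0, 0xa0, 0, 2, 0, 0];
// "Computer GUID" value copied from the workflow log quoted on this page.
var LOG_GUID = '\\f0\\d1\\80\\65"3\\84\\40\\89\\05\\ba\\3b\\ff\\7e\\d7\\dd';
console.log(sidToString(SAMPLE_SID));
console.log(guidToString(unescapeBinary(LOG_GUID)));
```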

Hi Janne

Issue with'OrganizationalUnit', '', ADhost) not working in case of specific LDAP base provided  is resolved in 3.0.0-4132888

Any feedback is appreciated

Hi.. I would need to download the specific version 3.0.2-4209033. Would you be able to provide the link for that?

This version is distributed with vRO 7.1.0.  You can download  vRO 7.1.0 and take it from there.

Download VMware vRealize Automation

Note : I do recommend using latest available version of the plugin which is compatible with vRO 5.5.2+.  It is backward compatible, contains fixes for issues reported from other customers and also all bug fixes are applied on top of the latest version.


I am not able to install version 3.0.6-5491166 using the vRO installed on vRA 6.2.3-3093005 appliance.

It is possible to upload the plug-in but on the plug-ins overview tab it always displays:

     Active Directory 3.0.6-5491166     Will perform installation at next server startup.

I restarted both the vRO service and the whole appliance several times but the status is not changing at all.

Any Idea how to solve this issue?



PS: I also tried to use this guide to first uninstall the older version of the plug-in to start from scratch with the new version. But no change in behavior: Uninstalling a plug-in from vRealize Orchestrator 5.5.x, 6.0.x, and 7.x (2064575) | VMware KB

Have you checked server.log file for clues?

Can you share so I can take a look?

Many thanks for the memory leak fix for ActiveDirectory#searchForEntry().

We have many, many LDAP calls and needed to use exactly this call. Just to describe our situation: we start with ~100 Java Threads of the vCO process. After 1-2 days there are 5000+ Java Threads like "Health Check Thread for LDAPConnectionPool".

With this fix we see a much more stable situation, as Java Threads dealing with LDAP get closed again.

Thank you very much!


I think we have got a bug, which has been fixed in earlier version, but has returned.

Using vRA 7.6 and the AD plugin 3.0.9. When a VM is destroyed the workflow "Remove machine from active directory (event broker)" is triggered but fails. Looks like it is due to not being able to delete a leaf from an SPN registration.

I think the issue had previously been addressed back in 2013 and 14.

[2019-08-13 11:10:57.895] [I] Using AD host with ID = #_v2_#,#RootItem#,#33687ce2-7ce5-4bc8-967b-4eb2a49d94d7#

[2019-08-13 11:10:57.896] [I] Computer GUID = \f0\d1\80\65"3\84\40\89\05\ba\3b\ff\7e\d7\dd

[2019-08-13 11:10:57.897] [I] Custom workflow tag = AD.DestroyComputer

[2019-08-13 11:10:57.912] [I] Found 0 customization workflows.

[2019-08-13 11:10:57.952] [E] Error in (Workflow:Remove machine from active directory (Event Broker) / Remove Computer (item14)#15) 00002015: UpdErr: DSID-031A1226, problem 6003 (CANT_ON_NON_LEAF), data 0

So this happened a year ago, worked, and now I'm having issues again.

Running 7.5 and 3.0.10-15573702.

It's pretty weird. I can run the workflow "Create a user group in an organizational unit and set attribute "Group Name" fine, occasionally. Most of the time it fails with error "TypeError: Cannot call method "setAttribute" of null (Workflow:Create a user group in an organizational unit and set attribute "Group name" / Change "Group name (pre-Windows 2000)" attribute (item3)#10198)".

I can't get it to work at all when nested inside my workflow. 

Version history: revision 1 of 1. Last update: 11-08-2013 05:01 AM.