VMware Cloud Community
ashley186

AD Plugin for VMWare Orchestrator

Hi All,

Long Time Trawler, first time poster.

I am working on self service provisioning workflows for my company. I am trying to use the AD Plugin to Let me Delete a Computer Account From AD.

I have downloaded the Latest Version of the Plugin, but I can NOT get it working. Here are some notes:

The Account I have configured for the plugin to use DOES have permissions to Add/Remove Machines from the Domain. I have tested this by Logging into AD Users and Computers and Deleting some Computer Accounts Manually.

Inside Orchestrator: I can browse the tree fine, But When I try to Use the Built In Workflow "Destroy A Computer" The Chooser Window comes up empty. 

I tried duplicating the workflow, and changing it so that it displays the AD Tree, and then it shows me all the machines, but the workflow still fails: "Cannot Find Function Destroy in objectNotFound"

I have tried some Scripting with the AD API, and keep getting errors that either Functions are not Found or Null Pointer Exceptions.

I am at a loss: The Account Has Permissions: It can see the Computers in Tree View but not Chooser View, but Cannot Select Them.

Yet in AD Users and Computers the same account will happily delete the machines.

I did have version 1.2 of the plugin and now have 1.3, but nothing has changed.

Any help would be great guys.

Regards,

Ash.

qc4vmware

When it comes to vCO's integration with AD I have been pretty frustrated. The AD plugin is only a part of that frustration. I finally completely removed it and instead created wrappers for the Windows command line utilities and I have been much happier. I have encountered no problems since taking this route. You'll want to install them on your vCO server (assuming you are not using the appliance) and make sure you have the tweaks in place to enable running local commands on the host as follows:

1. modify config file install_directory\VMware\Orchestrator\app-server\server\vmo\conf\vmo.properties

2. add this line to the end: com.vmware.js.allow-local-process=true

3. restart the server


Here's an action that accepts a string in distinguished name format: "dn" is the variable passed in and "user" and "pwd" are the user and password. You can create a credential to hold this in a configuration element or pass them in on the fly.

var returnVal = false;

// dsrm expects the DN quoted; user and pwd are the credentials used to bind to AD.
// dn, user and pwd are concatenated straight into the command line, so validate
// them before calling this action rather than passing raw end-user input.
var commandTxt = "c:/windows/system32/dsrm.exe -noprompt \"" + dn + "\" -u " + user + " -p " + pwd;

var cmd = new Command(commandTxt);
cmd.execute(true);

System.log("Command result: " + cmd.result);
System.log("Command output: " + cmd.output);

// dsrm returns exit code 0 and prints "dsrm succeeded" on a successful deletion
if (cmd.result == 0 && cmd.output.indexOf("dsrm succeeded") >= 0) {
  System.log("AD computer object deletion successful with DSRM.");
  returnVal = true;
} else {
  System.log("Failed to remove computer object from AD!");
}

return returnVal;

ashley186

Thanks for the response.

I had noticed while searching online that the plugin was causing some grief for a lot of users. I was still hopeful that I would be able to get it working, but your solution looks great. I will try it out and post back with the results.

Thanks Again.

Ashley.

ashley186

Back Again,

Having mixed results here. I can get the command working by providing the DN as you described.

What I really desired was some flexibility (not having to know the DN for the machine and only supplying a name).

So I tried Piping DSQuery into DSRM (A Common Admin Practice)

var commandTxt = "dsquery.exe computer -name " + computer + " -u " + username + " -p " + password  + " | dsrm -noprompt " + " -u " + username + " -p " + password + ""

Doesn't work. I cut it down first to check that DSQuery was working and it was returning the correct DN - that part was fine.

I could copy and paste the commandTxt into a Windows Command Line and Execute it OK.

If anyone has some ideas I would love to hear them. I can only hazard a guess that the Command() object doesn't like piping maybe, or executing multiple programs.

qc4vmware

Here is a little package that includes a wrapper for dsquery. You could use the action to load the dn variable then call the dsrm action.

dn = System.getModule("sample").dsqueryExample("Computer","Computer","cn","computername",1,true,"username","password")[0].get("distinguishedName");

I'm not too sure if the piping should work or not... seems like it should but maybe you are hitting a bug.

ashley186

I found a solution. The problem was extra information was being captured by Orchestrator's command output. It was capturing the result of the query, but included a line break/CR (even when piping straight into DSRM).

The solution was to run 2 separate commands: run dsquery and then perform a regex to capture only the DN. Then run DSRM with that DN. Works great, and means I only need to supply the computer name and credentials for deletion.

Thanks heaps to qc4vmware for the assistance.

Here is the updated code:

var returnVal = false;

// Query AD for the DN of the computer
var commandQuery = "dsquery.exe computer -name " + computer + " -u " + username + " -p " + password;

// Execute the query command
var cmd = new Command(commandQuery);
cmd.execute(true);
var output = cmd.output;

// dsquery returns the DN in quotes followed by a line break/CR;
// keep only the quoted DN so nothing extra is passed to dsrm
var DNs = output.match("\".*\"");

// Log results for dsquery
System.log("QUERY RESULTS");
System.log("Command: " + cmd);
System.log("Command result: " + cmd.result);
System.log("Command output: " + cmd.output);

// match() returns null when no quoted DN is present; bail out instead of
// throwing on DNs[0]
if (DNs == null) {
  System.log("No DN found in dsquery output for computer " + computer);
  return returnVal;
}
System.log("DN Match is " + DNs[0]);

var commandDelete = "dsrm " + DNs[0] + " -noprompt -u " + username + " -p " + password;

// Log the delete command with the password masked so it does not land in the vCO log
System.log("Delete Command : " + commandDelete.replace(password, "********"));

// Execute the delete command
cmd = new Command(commandDelete);
cmd.execute(true);

// Log results for dsrm
System.log("DELETION RESULTS");
System.log(cmd);
System.log("Command result: " + cmd.result);
System.log("Command output: " + cmd.output);

// dsrm returns exit code 0 and prints "dsrm succeeded" on a successful deletion
if (cmd.result == 0 && cmd.output.indexOf("dsrm succeeded") >= 0) {
  System.log("AD computer object deletion successful with DSRM.");
  returnVal = true;
} else {
  System.log("Failed to remove computer object from AD!");
}

return returnVal;

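An added example, not code from the thread, of the dsquery-then-dsrm parsing the accepted answer describes done defensively: it strips the CR/LF that broke the pipe, refuses zero or multiple DN matches, checks the self-service computer name before it reaches the command line, and masks the password for logging. It is plain JavaScript so it runs in the vCO scripting engine or in Node; the vCO Command object is deliberately not used, and the dsquery output is constructed.

```javascript
// Added example, not code from the thread. Constructed dsquery output: the
// quoted DN followed by the CRLF that broke the dsquery | dsrm pipe.
var SAMPLE_DSQUERY_OUTPUT = "\"CN=WS01,OU=Workstations,DC=corp,DC=example\"\r\n";

// NetBIOS-style computer name only (max 15 chars, no spaces, quotes, pipes or
// other metacharacters), so a self-service input cannot add arguments to the
// command line. Credentials should come from a configuration element, not the user.
var COMPUTER_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9\-]{0,14}$/;

function isSafeComputerName(name) {
  return typeof name === "string" && COMPUTER_NAME_RE.test(name);
}

function buildQueryCommand(computer, username, password) {
  if (!isSafeComputerName(computer)) {
    throw new Error("refusing unsafe computer name");
  }
  return "dsquery.exe computer -name " + computer + " -u " + username + " -p " + password;
}

// dsquery prints one quoted DN per line. Return every DN without quotes or
// line endings; an empty array means the object does not exist.
function extractDistinguishedNames(output) {
  var dns = [];
  var re = /"([^"\r\n]+)"/g;
  var m;
  while ((m = re.exec(output || "")) !== null) {
    dns.push(m[1]);
  }
  return dns;
}

// Build the dsrm command line as in the accepted answer, but only when the
// query returned exactly one DN, so a duplicate name never deletes the wrong object.
function buildDeleteCommand(dsqueryOutput, username, password) {
  var dns = extractDistinguishedNames(dsqueryOutput);
  if (dns.length !== 1) {
    throw new Error("expected exactly one DN, got " + dns.length);
  }
  return "dsrm \"" + dns[0] + "\" -noprompt -u " + username + " -p " + password;
}

// What to hand to System.log: the command line with the password masked.
function redactPassword(commandLine, password) {
  return commandLine.split(password).join("********");
}
```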