VIP Users Part 2 or how to synchronize group membership from AD to SCSM

Dealing with VIP users is a common practice within Service Management. This old blogpost explains a very good approach to marking VIP users in SCSM: we simply extend the User class with an extra boolean property (true/false) and then expose that property on the Incident form right under the Affected User. That way analysts can quickly see whether the affected person is a VIP, and you can also drive various workflows or notifications from this property.



What is missing in the above post is how we figure out who is VIP and who is not. For many organizations this relationship is defined in Active Directory via group membership: if you are a member of a specific security group, you are VIP. That’s the approach I take here, and I provide the script needed to sync the members of that group over: whoever is a member of the given AD group is marked as VIP in SCSM, and whoever is not is unmarked. Just replace the AD group name and perhaps the VIP property name (mine is called VIP here). After that you need to set up a scheduled workflow to run this script; this could be Orchestrator, SMA, a PowerShell workflow or just a regular Windows scheduled task.

Here goes:

```powershell
# //***************************************************************************
# // ***** Script Header *****
# //
# // Solution:
# // File:    SCSM-SetVIPStatus.ps1
# // Author:  Morten Meisler, Coretech A/S.
# // Purpose: Sync AD VIP Group members with SCSM CMDB Users
# //
# // Usage:
# //
# // CORETECH A/S History:
# // 1.0.0 MME 23/08/2016 Initial version.
# //
# // Customer History:
# //
# // ***** End Header *****
# //***************************************************************************
# //----------------------------------------------------------------------------
$error.Clear()
$ErrorActionPreference = "stop"

trap [Exception] {
    $ErrorMessage  = "SCRIPT: SCSM-SetVIPStatus.ps1 failed`n"
    $ErrorMessage += "Runas domain: $($env:userdomain)`n"
    $ErrorMessage += "Script location: $PSScriptRoot`n`n"
    $ErrorMessage += "Error: Line,char: {0},{1} - Details: {2}" -f $_.InvocationInfo.ScriptLineNumber, $_.InvocationInfo.OffsetInLine, $_.Exception
    #Write-EventLog -LogName "Operations Manager" -Source "Health Service Script" -EntryType Error -EventID 913 -Message $ErrorMessage -Category 1
    throw $ErrorMessage
}

# //----------------------------------------------------------------------------
#// Global constant and variable declarations
#//----------------------------------------------------------------------------
#VIP AD Group Name
$ADGroup = "SG-SCSM-VIP-USERS"
#SCSM Server
$SCSMServer = "localhost"

#//----------------------------------------------------------------------------
#// Procedures
#//----------------------------------------------------------------------------

#//----------------------------------------------------------------------------
#// Main routines
#//----------------------------------------------------------------------------
#output start time
$StartTime = Get-Date
Write-Output "Started at $StartTime - Running as $($env:userdomain)\$($env:username)"

#Import Modules
if (!(Get-Module smlets)) { Import-Module smlets }
if (!(Get-Module ActiveDirectory)) { Import-Module ActiveDirectory }

#SCSM Classes
$ADUserClass = Get-SCSMClass -Name "Microsoft.AD.User$" -ComputerName $SCSMServer

#Get users from SCSM where VIP is true
#(wrapped in @() so that no result gives an empty array instead of $null)
$SCSMVIPUsers = @( Get-SCSMObject -Class $ADUserClass -Filter "VIP -eq true" -ComputerName $SCSMServer )

#Get AD Group members
$ADMembers = @( Get-ADGroupMember -Identity $ADGroup )

#Users that are in AD VIP Group but have their SCSM VIP Property set to False
#OR SCSM Users with VIP Property set to true but missing in AD Group
$VIPDifferenceUsers = Compare-Object -ReferenceObject $SCSMVIPUsers -DifferenceObject $ADMembers -Property "distinguishedName" -PassThru

foreach ($VIPDifferenceUser in $VIPDifferenceUsers) {
    #User is missing from AD group but has VIP = true. $VIPDifferenceUser is now an SCSM object
    if ($VIPDifferenceUser.GetType().Name -like "EnterpriseManagementObject") {
        Write-Output "Setting VIP to false for SCSM User: $($VIPDifferenceUser.DisplayName) ..."
        Set-SCSMObject -SMObject $VIPDifferenceUser -Property VIP -Value $false -ComputerName $SCSMServer
    }
    #User has VIP set to False in SCSM, but is member of VIP AD Group.
    #$VIPDifferenceUser is now an AD object, so we must get the corresponding SCSM User
    else {
        Write-Output "Setting VIP to true for SCSM User: $($VIPDifferenceUser.Name) ..."
        #The DN contains commas and spaces, so it must be quoted inside the filter expression
        $SCSMUser = Get-SCSMObject -Class $ADUserClass -Filter "DistinguishedName -eq '$($VIPDifferenceUser.distinguishedName)'" -ComputerName $SCSMServer
        if ($SCSMUser) {
            Set-SCSMObject -SMObject $SCSMUser -Property VIP -Value $true -ComputerName $SCSMServer
        }
        else {
            #The AD connector has not synced this user into the CMDB yet; it will be picked up on a later run
            Write-Warning "SCSM User not found for $($VIPDifferenceUser.distinguishedName) - skipping"
        }
    }
}

$EndTime = Get-Date
$Totaltime = $EndTime - $StartTime
Write-Output "Finished at $EndTime - Total Runtime $Totaltime"
```
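The post leaves the last step, running the sync on a schedule, to the reader. As an added example (not part of the original post), here is one way to register the script as a Windows scheduled task under a dedicated low-privilege account; the script path, task name, schedule and the gMSA name are placeholders to adjust.

```powershell
# Added example: register SCSM-SetVIPStatus.ps1 as a daily scheduled task.
# Assumptions (placeholders, adjust to your environment):
#   - the script from the post is saved at $ScriptPath
#   - a dedicated group Managed Service Account (gMSA) exists that may read
#     the VIP AD group and modify user objects in SCSM, and nothing more
$ScriptPath = 'C:\Scripts\SCSM-SetVIPStatus.ps1'
$TaskName   = 'SCSM-SetVIPStatus'
$RunAs      = 'CONTOSO\gMSA-scsmvip$'   # placeholder gMSA name

# Run the script non-interactively; -File keeps the script's own trap/throw as the exit path
$Arguments = "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $Arguments

# Sync once a day at 02:00; add more triggers if VIP changes must propagate faster
$Trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'

# gMSA accounts are registered with -LogonType Password and no stored credential;
# RunLevel Limited keeps the task from requesting an elevated token it does not need
$Principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password -RunLevel Limited

# Stop a hung run after an hour and never start a second copy while one is running,
# so two instances cannot race each other when toggling the VIP property
$Settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                                          -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
                       -Principal $Principal -Settings $Settings `
                       -Description 'Sync AD VIP group membership to the SCSM VIP property'

# Quick check that the task registered and when it will run next
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastTaskResult
```

Register-ScheduledTask needs an elevated session on the server where the task is created, and the gMSA must have been installed on that host beforehand.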

Enjoy!

Comments (2):

  1. Cary Myers says:

    Thank you for this script! One comment when running it. I modified the line here to allow the array from $SCSMVIPUsers to be empty and allow the script to run.

    ```powershell
    #Get users from SCSM where VIP is true
    $SCSMVIPUsers = @( Get-SCSMObject -Class $ADUserClass -Filter "VIP -eq true" -ComputerName $SCSMServer)
    ```

  2. Morten Meisler says:

    Yes, thank you, I did not account for null values (classic mistake hehe). I will update the script with this modification :)
