Trigger Workflow on Computer Domain Join

I would create a virtual attribute that would tell you if the computer account has been "seen" by Active Roles.  

Then create an Automation workflow that containing a Search activity.  The workflow can be scheduled to search for computer accounts (in a specific location - probably the Computers container) where this attribute is not populated.

(If the Computers container is not practical, then you could also create a Managed Unit that would hold computers from various OU('s) you specify) that are missing your "seen" virtual attribute

The workflow would modify the "seen" attribute and make whatever other changes are needed using an Update Activity.

References:

Automation Workflow

Search Activity

Managed Unit

That is a very creative solution.

I guess this "seen" attribute could just a simple "TRUE/FALSE"? Assuming I don't intend to do anything else with it.

And yeah, the Computer OU would probably not work for us since when we do domain joins during provisioning the computers go directly into their respective OU. Computers will only end up in the default Computers OU if we do a manual disjoin/delete/rejoin.

Although, talking about it now, I see how I could even change that and us a workflow to move computer accounts based on their name.

I may do this anyway to move computers out of that OU in the event someone forgets to move the computer account.

Thank you JohnnyQuest for the great suggestion as usual!

Cheers

'Glad I could help you get the wheels turning in the right direction. 

Hey JohnnyQuest ,

In the Automation Workflow, I see you can run PowerShell scripts.

My workflow right now will update a virtual attribute on a computer object based on certain criteria.

Is there a way of accessing the target object (in this case, a computer object) from the workflow from the PowerShell script?

Similar to how you can use $Request when you are using a script module and a non-workflow policy. You can easily access the parameters of the current requested operation.

I created a new script module with a custom function, and I provide the $Request variable as a parameter to the function, but the contents of the function are not what I expected.

It seems it contents information about the workflow itself, and not the target the workflow is processing.

Are there any examples floating around that show how to reference the target object of a workflow using a PowerShell script step?

Cheers

Oh... I found this - Accessing Object information within Script Activity in a Workflow (4251612) (oneidentity.com)

My thought was that you would use a Search Activity in your Automation Workflow to find and process your unseen-by-ActiveRoles computers.

When you place a Search Activity into a workflow, any activity items placed into the (hard to see) delineated area immediately below the Search are executed against each object returned by the Search (like a for loop iterating over the returned objects)

Here's a snippet of code showing how to reference the objects returned by the Search in a script:

# Next line assumes you named the Search in the workflow 'Unseen_Computers"

$CurrentComputer = $workflow.FoundObject("Unseen_Computers").get("distinguishedName")

# Do stuff with the computer

You can also reference the objects using the built-in, codeless activities like "Update" which would allow you to update properties (including virtual ones) of a found object.

Hey Johnny,

I actually followed your instructions exactly (at least I think).

• I created a managed unit that dynamically pulls in workstations that do not have my new "seen" attribute populated with TRUE.
• I then created a workflow that searches in that managed unit for any computer accounts.
• I then modify the "seen" attribute on those found objects.

Using you same suggestion, I then created a second workflow that with the same purpose, except this time I am modifying a separate attribute

• I created a managed unit that dynamically pulls in workstations that has my "seen" attribute as TRUE and my new "location" attribute as blank.
• I then created a workflow that searches in that managed unit for any computer accounts.
• I then modify the "location" attribute on those found objects.
• After I update the "location" attribute in ARS, I want to connect to a 3rd party system via their API and update the computer account in the third party.
  • This is where I need to pass the found objects to a PowerShell script.

Sorry for my poor explanation previously. 

I think you gave me the information I need though to reference the found objects

Is there a way to explore the $workflow attribute to see everything that it stores?

It's not really well documented.  If you locate the SDK chm file in your Admin Service install and do a search on 'workflow', you will find some information there.

i.e. you will find an SDK folder on your Admin Service host containing this file.

I keep forgetting about the SDK folder! I will check that thank you.

The snippet of code you gave me worked like a charm. I was able to pull all of the object attributes I needed. I just have to try connecting to the 3rd party API and updating the computer object in that system.

Really appreciate your help and quidance!