Creating Active Directory users via API?

We would like to prepopulate Octopus Deploy users via the API, and assign them to teams so people automatically get the correct rights.

(We’re using Active Directory logins. We can’t use Active Directory groups for this purpose because our users are not in the same domain as the Octopus Deploy service account and the groups are.)

I see that when users log in from the site, it’s setting a password of some sort for them automatically. Would we need to set that when creating users from the API, and if so, what data would we use for that?

Hi Andrew,

Thanks for getting in touch. I had to investigate this a bit (review the authentication code) but if your Octopus server is set to use integrated windows authentication (i.e. you ran Octopus.Server.exe configure --webAuthenticationScheme=IntegratedWindowsAuthentication) then passwords shouldn’t be required. I think everything should work well for your scenario but it’s a bit complicated so let me know how you go!

Thanks

Rob

It turns out that the API wouldn’t let us create users without a password (or at least Octopus.Client wouldn’t). We ended up having to submit a “junk” password to get them to create successfully. But once we did that it’s all working well - the actual value was irrelevant.

Hi Andrew,

Thanks for following-up and sharing that. I didn’t realise it would still be required.

Happy deploying!

Rob
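The provisioning flow described above (create the user through the REST API with a throwaway password, then place them in a team), written out as an added PowerShell example. This is not the poster's script and not Octopus's own code: the `/api/users`, `/api/users/all` and `/api/teams` endpoints, the `MemberUserIds` field, the `X-Octopus-ApiKey` header, the server URL and the variable names are assumptions for the example, and the account list is constructed sample input. The junk password is generated randomly per account rather than reused, so no two accounts share a known credential even though it is never used for login.

```powershell
# Added example (not from the thread): pre-create Octopus users over the REST API
# and add them to a team. Assumes an API key with user-administration rights held
# in a sensitive Octopus variable, and that the target team already exists.
# Endpoint paths and field names are the author's assumptions about the Octopus API.
$octopusUrl = "https://octopus.example.local"               # placeholder server URL
$apiKey     = $OctopusParameters["Provisioning.ApiKey"]    # sensitive variable, never hard-coded
$headers    = @{ "X-Octopus-ApiKey" = $apiKey }

# Constructed sample input: domain accounts to pre-create and the team they belong in.
$accounts = @(
    @{ Username = "CORP\alice"; DisplayName = "Alice Example"; Team = "Developers" },
    @{ Username = "CORP\bob";   DisplayName = "Bob Example";   Team = "Developers" }
)

function Get-OctopusUser([string]$username) {
    # Fetch every user and filter client-side so repeated runs are idempotent.
    $all = Invoke-RestMethod -Uri "$octopusUrl/api/users/all" -Headers $headers -Method Get
    return $all | Where-Object { $_.Username -eq $username }
}

function New-JunkPassword {
    # The API rejects users without a password even under integrated Windows auth,
    # but the value is never used for login, so generate a random one per account.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function New-OctopusUser([string]$username, [string]$displayName) {
    $body = @{
        Username    = $username
        DisplayName = $displayName
        IsActive    = $true
        IsService   = $false
        Password    = New-JunkPassword
    } | ConvertTo-Json
    return Invoke-RestMethod -Uri "$octopusUrl/api/users" -Headers $headers `
        -Method Post -ContentType "application/json" -Body $body
}

function Add-OctopusTeamMember([string]$teamName, [string]$userId) {
    # Assumed shape: the team resource carries its members in MemberUserIds (not confirmed by the thread).
    $team = Invoke-RestMethod -Uri "$octopusUrl/api/teams/all" -Headers $headers -Method Get |
        Where-Object { $_.Name -eq $teamName }
    if (-not $team) { throw "Team '$teamName' not found; create it before provisioning users." }
    if ($team.MemberUserIds -notcontains $userId) {
        $team.MemberUserIds += $userId
        Invoke-RestMethod -Uri "$octopusUrl/api/teams/$($team.Id)" -Headers $headers `
            -Method Put -ContentType "application/json" -Body ($team | ConvertTo-Json -Depth 10) | Out-Null
    }
}

foreach ($a in $accounts) {
    $user = Get-OctopusUser $a.Username
    if (-not $user) {
        $user = New-OctopusUser $a.Username $a.DisplayName
        Write-Host "Created $($a.Username)"
    }
    Add-OctopusTeamMember $a.Team $user.Id
}
```

Run it from an Octopus step so `$OctopusParameters` is populated; outside Octopus, set `$apiKey` from a secret store rather than a literal. Because the script looks up existing users and team members before writing, it can be re-run safely when new accounts are appended to `$accounts`.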

Hi Andrew,

Would you mind sharing the User provisioning script you ended up using? There’s a user on another thread that could really benefit from it :).

Cheers
Dalmiro

I have a similar enough question/problem that I’ll piggy-back on this one for now.

I’m not using Windows Authentication for OD. But our WCF services do. So I’ve just migrated all the AD configuration into library variable sets in OD with the intent of controlling AD configuration from OD and removing the need for our deployment staff to access our domain controllers directly.

I have another library variable set which stores AD user credentials and I have the passwords as sensitive. I wanted to iterate through these and create the users in AD if not found. Like Andrew above, I can’t access sensitive variables via the API.

At this stage, I’m considering introducing a small encryption utility our deployment team can use to encrypt passwords before storing them in OD but unobscured. My deployment process would need to decrypt these before handing them on to the AD cmdlets. This runs contrary to our approach of removing as much manual effort and potential risk points from that process.

If someone can think of a better supported, more integrated solution, I’m all ears.

Actually, please disregard my senior moment. At deploy-time, I have access to $OctopusParameters and can get my sensitive variables from there.

For whoever’s interested, I’m using the ActiveDirectory module in PowerShell to create users and groups. I found that I needed to get a grasp on x500 paths, but otherwise it’s pretty straightforward.

E.g:

New-AdGroup -name $securityGroupName -groupscope Global -path "OU=GroupTypeA,OU=Groups,OU=MyProduct,DC=domain,DC=local"

Here in the path I have to order the OU’s backwards. In AD Users and Computers, my groups are in a folder (or organisational unit) called GroupTypeA which is in a folder called Groups which is in a folder called MyProduct. That is, GroupTypeA is the leaf node but comes first in the sequence. I’m adding the group to “domain.local”. This is split up at the dots. Unlike the OU’s, these are in familiar order.

New-AdUser -name $userName -path "OU=UserTypeA,OU=Users,OU=MyProduct,DC=domain,DC=local" -accountpassword (ConvertTo-SecureString $password -AsPlainText -Force) -enabled $true

The OU part of the x500 path works the same way as when creating groups. The cmdlet requires a secure string type argument for the password. $password is plaintext. Newly created users will begin as disabled unless explicitly enabled.

Hope this helps.
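The same group and user creation, as an added example that is not the poster's own script: it builds the distinguished name from a leaf-first list of OUs (so the ordering rule explained above is handled in one place), reads the password from a sensitive `$OctopusParameters` variable instead of a plaintext `$password`, and goes a step beyond the post by skipping objects that already exist and adding the user to the group. The domain, OU names, variable names and account list are constructed for the example; the ActiveDirectory module cmdlets and parameters used are the standard RSAT ones.

```powershell
# Added example (not from the thread): idempotent AD group/user provisioning from an
# Octopus deployment step. Assumes the RSAT ActiveDirectory module is installed on the
# worker and that the named sensitive variables exist in the library variable set.
Import-Module ActiveDirectory

# Build an X.500 DN from OUs listed leaf-first (as in the post) and a DNS domain name,
# whose labels keep their natural order and each become a DC= component.
function New-DistinguishedName([string[]]$ouLeafFirst, [string]$dnsDomain) {
    $ouPart = ($ouLeafFirst | ForEach-Object { "OU=$_" }) -join ","
    $dcPart = ($dnsDomain.Split(".") | ForEach-Object { "DC=$_" }) -join ","
    return "$ouPart,$dcPart"
}

$domain    = "domain.local"   # constructed sample domain
$groupPath = New-DistinguishedName -ouLeafFirst "GroupTypeA", "Groups", "MyProduct" -dnsDomain $domain
$userPath  = New-DistinguishedName -ouLeafFirst "UserTypeA", "Users", "MyProduct" -dnsDomain $domain
# $groupPath is "OU=GroupTypeA,OU=Groups,OU=MyProduct,DC=domain,DC=local"

# Constructed sample input: the group name and the accounts to create. Passwords are
# referenced by variable name so they come from sensitive variables, not script text.
$securityGroupName = $OctopusParameters["MyProduct.ServiceGroup"]
$users = @(
    @{ Name = "svc-myproduct-web"; PasswordVar = "MyProduct.WebSvc.Password" },
    @{ Name = "svc-myproduct-job"; PasswordVar = "MyProduct.JobSvc.Password" }
)

# Create the group only if it is missing; -Filter returns nothing instead of throwing.
$group = Get-ADGroup -Filter "Name -eq '$securityGroupName'" -SearchBase $groupPath
if (-not $group) {
    $group = New-ADGroup -Name $securityGroupName -GroupScope Global -Path $groupPath -PassThru
    Write-Host "Created group $securityGroupName"
}

foreach ($u in $users) {
    $account = Get-ADUser -Filter "Name -eq '$($u.Name)'" -SearchBase $userPath
    if (-not $account) {
        # ConvertTo-SecureString is required because -AccountPassword takes a SecureString;
        # the plaintext never leaves the process and is not written to the log.
        $secure  = ConvertTo-SecureString $OctopusParameters[$u.PasswordVar] -AsPlainText -Force
        $account = New-ADUser -Name $u.Name -Path $userPath -AccountPassword $secure -Enabled $true -PassThru
        Write-Host "Created user $($u.Name)"
    }

    # Add the account to the group only when it is not already a member.
    $isMember = Get-ADGroupMember -Identity $group |
        Where-Object { $_.DistinguishedName -eq $account.DistinguishedName }
    if (-not $isMember) {
        Add-ADGroupMember -Identity $group -Members $account
        Write-Host "Added $($u.Name) to $securityGroupName"
    }
}
```

Keeping the OU list leaf-first in one helper removes the most common mistake in hand-written DNs (reversing the OU order), and the existence checks mean the step can run on every deployment without failing on the second run.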

Thanks for coming back with your findings :slight_smile:

For anyone interested, on this OSS project there are examples on how to create Octopus users with PowerShell: