Custom C# Component – Adding a Computer to a Group in Active Directory

Symantec Connect user Turl posted a forum question asking how to add a computer to an Active Directory group in a Workflow project, because in the Active Directory component library, there’s no boxed component to do this.


I am trying to add a computer to an AD-Group in my Worklfow.

How can that be done?

I know that there is a component to add user to a Group. But there is no component for computers.

Does anyone have an idea how this could be solved?



After a bit of effort (and learning, as I am not presently a respectable coder), I was able to create a custom C# Code (Script) Component that accomplishes this task.

Start with loading in the Scripting.dll library.


2015-04-17_15-05-37Next, grab a Code (Script) Component and place it on the designer canvas.


Give it a friendly name if you’d like.


Now, let’s go through the component wizard and go over how to configure it to add a computer to a group.

Here’s a quick look at the steps if you’re already familiar with this component.  Keep reading to see how to configure each step with more detail.


So for step 1, we’re defining input parameters, or variables internal to the code component, and how they’re mapped to variables in the workflow process.  This is how we take values from (for example) form elements and pass/map them into our code component.


Click “Edit Parameter Mappings” to map Workflow process variables to the internal code variables you’ve added here.

So let’s assume we are using a form for input.


We will map the output variables of the corresponding TextBox components to the internal parameters in the code component, like so:


For step 2, we’re defining the output variable(s) of the Code component.  While this action doesn’t necessarily require an output, let’s add one so we can capture any exceptions and see anything that goes wrong.  We can also output a friendly success message in the event the move goes as planned.


Step 3 is where we supply the code data and context configuration.  As I so often do, I will again note my very limited working knowledge of C# code, and I do welcome pointers or advice on code structure and syntax, as well as best practice.  Now that that’s out of the way, here’s the page 3 layout:

2015-04-17_15-41-34And here’s my take on what the code is doing.

First off, ensure C# is selected in the Language dropdown.

Second, ensure you’ve provided these namespaces:

  • System
  • System.DirectoryServices (required for DirectoryEntry class)
  • System.DirectoryServices.AccountManagement (required for ComputerPrincipal, GroupPrincipal, and PrincipalContext classes)

Finally, enter this code, correcting for your domain info:

// this line creates the authentication context for AD interface
using(PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "intuitive.cb", "DC=intuitive,DC=cb"))
// this try/catch will gracefully handle errors
// here we find the computer item by the CompName mapped input parameter
ComputerPrincipal comp = ComputerPrincipal.FindByIdentity(ctx, CompName);
// then we set a variable to pass in the computer's DN below
string compDN = comp.DistinguishedName;
// here we find the group item by the GroupName mapped input parameter
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, GroupName);
// then we set a variable to pass in the group's DN below
string groupDN = group.DistinguishedName;
// here we indicate where the group is located, by the group's DN
DirectoryEntry entry = new DirectoryEntry("LDAP://intuitive.cb/" + groupDN);
// here we perform the actual adding of the computer to the group, by computer DN
// then we commit the adjustment
// we merge and return the success string as the output variable string
return "Added " + CompName + " to group " + GroupName + ".";
// if an exception occurs in the try block, this catch will catch it
catch (Exception e)
// output the error message string to the output variable string
return e.Message;

Step 4 provides a testing platform for the code, and fields for the test input values.  Keep in mind that this is not a self-contained test; any data processed here will actually commit if successful.  If you’ve configured your component properly, you should see no errors either in the test result or the component itself.

Notes on Authentication:

Depending on how your Workflow Service is configured to run, you may need to further authenticate using a different context configuration in the code.  It may take something like this instead:

PrincipalContext ctx = new PrincipalContext(ContextType.Domain,

Featured Components

Code (Script) Component


Further Reading

Symantec Connect Forum Post


A demo package is available for Workflow versions 7.5 + on the demo page.

2 thoughts on “Custom C# Component – Adding a Computer to a Group in Active Directory

  1. Thanks for the nice article and the whole blog. It is really useful.
    Just one point regarding this – it seems to me like regular AD component “Add User To Group” works fine also with computer object.
    Your code (with some) would be definitely useful when it is needed to add computers from different domains to Universal or Domain local groups.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s