Delegation difference between ARSShell and MMC?

Hello everyone,

I'm trying to set temporal group membership via powershell for protected groups (Admincount 1) but always the following error message:

Exception: Administrative Policy returned an error.
Attempted to perform an unauthorized operation.

If I try to do the same using the MMC with the exact same user, I can add the user without any issues.

Parts of the script:

$ProtectedGroups = Get-QADGroup -LDAPFilter "(admincount=1)" -Credential $cred -Service $TargetARS -Proxy -SearchRoot $Searchroot | Select-Object Name,dn | ForEach-Object {$_.dn}


If ($ProtectedGroups -contains $TargetGroup)
{
   $null = Add-QADGroupMember        -Identity $TargetGroup -Member $Member -Credential $cred -Service $AdminARS -Proxy -Control @{'ScheduledOperation-SetTime'=$StartDateTime}       
   $null = Remove-QADGroupMember -Identity $TargetGroup -Member $Member -Credential $cred -Service $AdminARS -Proxy -Control @{'ScheduledOperation-SetTime'=$EndDateTime}
}

The account has delegated rights to add/remove group members.

Is there a differnce on how ARS shell handles delegation?

Thanks

Parents
No Data
Reply
  • Hello,

    Quick observation, why the 2 different variables for the Active Roles service ($TargetARS and $AdminARS)? Is there a need to connect to 2 different Active Roles services or are these being set to the same server?

    I take it that when this is tested as the delegated user in the MMC, you are setting the temporal add and remove times as the object is being added to the group?

    Have you tried testing the code by setting your $cred variable to a user that is an Active Roles Admin, to help try and narrow down that this issue is possibly related to delegation?

    I am for the most part using the code you provided and I'm not having issues with it in my lab. I am setting $cred set to a user that has been delegated only add/remove group member rights (I essentially copied the provided "Groups - Add/Remove Members" Access Template).

    How are you setting the start date/time and end date/time variables? I'm setting these variables in my lab using this format: $StartDateTime = (Get-Date).AddHours(1).ToUniversalTime().

Children