
Delegation difference between ARSShell and MMC?

Hello everyone,

I'm trying to set temporal group membership via PowerShell for protected groups (adminCount=1), but I always get the following error message:

Exception: Administrative Policy returned an error.
Attempted to perform an unauthorized operation.

If I try to do the same using the MMC with the exact same user, I can add the user without any issues.

Parts of the script:

# Collect the DNs of all protected (adminCount=1) groups under $Searchroot through the proxied ARS connection
$ProtectedGroups = Get-QADGroup -LDAPFilter "(admincount=1)" -Credential $cred -Service $TargetARS -Proxy -SearchRoot $Searchroot | ForEach-Object { $_.DN }


# Only protected groups get the scheduled (temporal) add and matching remove
If ($ProtectedGroups -contains $TargetGroup)
{
    # Scheduled add at $StartDateTime, scheduled remove at $EndDateTime, both via the admin ARS proxy
    $null = Add-QADGroupMember    -Identity $TargetGroup -Member $Member -Credential $cred -Service $AdminARS -Proxy -Control @{'ScheduledOperation-SetTime'=$StartDateTime}
    $null = Remove-QADGroupMember -Identity $TargetGroup -Member $Member -Credential $cred -Service $AdminARS -Proxy -Control @{'ScheduledOperation-SetTime'=$EndDateTime}
}

The account has delegated rights to add/remove group members.

Is there a difference in how ARS Shell handles delegation?

Thanks

  • Hello,

    Quick observation, why the 2 different variables for the Active Roles service ($TargetARS and $AdminARS)? Is there a need to connect to 2 different Active Roles services or are these being set to the same server?

    I take it that when this is tested as the delegated user in the MMC, you are setting the temporal add and remove times as the object is being added to the group?

    Have you tried testing the code by setting your $cred variable to a user that is an Active Roles Admin, to help try and narrow down that this issue is possibly related to delegation?

    I am for the most part using the code you provided and I'm not having issues with it in my lab. I am setting $cred set to a user that has been delegated only add/remove group member rights (I essentially copied the provided "Groups - Add/Remove Members" Access Template).

    How are you setting the start date/time and end date/time variables? I'm setting these variables in my lab using this format: $StartDateTime = (Get-Date).AddHours(1).ToUniversalTime().
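A worked version of the scheduling step discussed in the question and in this reply, added here as an illustration; it is not code from the thread or from One Identity. It assumes the QAD cmdlets' -Connection parameter to pin every call to a single proxied Active Roles connection, and that $AdminARS, $SearchRoot, $TargetGroup, $Member and $cred are supplied by the caller (all placeholders). It uses the UTC date handling the reply mentions, schedules the remove together with the add so a temporal membership cannot be left open, and records who ran it from which machine, which is exactly the context needed to compare a run from an automation server against a run on the Active Roles host.

```powershell
# Added example, not code from the thread. Schedules a temporal membership in a
# protected (adminCount=1) group through one proxied Active Roles connection.
# Assumptions: the -Connection parameter on the QAD cmdlets; all inputs are
# caller-supplied placeholders.
param(
    [Parameter(Mandatory)] [string] $AdminARS,      # Active Roles service host (placeholder)
    [Parameter(Mandatory)] [string] $SearchRoot,    # DN under which protected groups are searched
    [Parameter(Mandatory)] [string] $TargetGroup,   # DN of the group to modify
    [Parameter(Mandatory)] [string] $Member,        # DN or sAMAccountName of the member
    [Parameter(Mandatory)] [pscredential] $cred,    # delegated (non-admin) account
    [int] $DurationHours = 8                        # how long the membership should last
)

# Build the window in UTC, as the reply suggests, and validate it before touching AD.
$StartDateTime = (Get-Date).AddHours(1).ToUniversalTime()
$EndDateTime   = $StartDateTime.AddHours($DurationHours)
if ($EndDateTime -le $StartDateTime) { throw 'End time must be after start time.' }

# One proxied connection; every cmdlet below reuses it instead of re-binding.
$conn = Connect-QADService -Service $AdminARS -Proxy -Credential $cred
try {
    # Groups with adminCount=1 are protected by AdminSDHolder; only those are handled here.
    $protected = Get-QADGroup -LDAPFilter '(adminCount=1)' -SearchRoot $SearchRoot -Connection $conn |
        ForEach-Object { $_.DN }

    if ($protected -notcontains $TargetGroup) {
        throw "$TargetGroup is not a protected group; this example only schedules protected groups."
    }

    # Schedule the add and the matching remove together so neither is forgotten.
    $null = Add-QADGroupMember -Identity $TargetGroup -Member $Member -Connection $conn `
        -Control @{ 'ScheduledOperation-SetTime' = $StartDateTime }
    $null = Remove-QADGroupMember -Identity $TargetGroup -Member $Member -Connection $conn `
        -Control @{ 'ScheduledOperation-SetTime' = $EndDateTime }

    # Emit an audit record of what was scheduled, by whom, and from where.
    [pscustomobject]@{
        Group    = $TargetGroup
        Member   = $Member
        StartUtc = $StartDateTime
        EndUtc   = $EndDateTime
        RunBy    = $cred.UserName
        RunFrom  = $env:COMPUTERNAME
        Service  = $AdminARS
    }
}
catch {
    # Surface the Active Roles policy error together with the run context, so a
    # failing run on the automation server can be compared with a working local run.
    Write-Error ('Scheduling failed on {0} as {1} from {2}: {3}' -f `
        $AdminARS, $cred.UserName, $env:COMPUTERNAME, $_.Exception.Message)
    throw
}
finally {
    Disconnect-QADService -Connection $conn
}
```

Run it once on the Active Roles host and once on the automation server with the same $cred; the audit object and the error text then differ only in RunFrom, which isolates the machine-dependent part of the delegation problem from the code and the credentials.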


  • Hello Richard,

    There is a security requirement to use different ARS.

    The code works with the credentials of an Active Roles Admin but that is not our goal. If I run the exact same code with the same (limited) credentials on the $adminARS directly, it also works.

    A) Run script on automation server: $AdminARS is contacted but authorization fails. I can see the entry in the EventLog on $adminARS.

    B) Run script on $adminARS: No issues.

    Both are run with the same credentials.

    The code itself doesn't appear to be the problem, but it seems to ignore the delegation when connecting from another machine.