Hello everyone,
I'm trying to set temporal group membership via PowerShell for protected groups (Admincount 1) but always get the following error message:
Exception: Administrative Policy returned an error.
Attempted to perform an unauthorized operation.
If I try to do the same using the MMC with the exact same user, I can add the user without any issues.
Parts of the script:
$ProtectedGroups = Get-QADGroup -LDAPFilter "(admincount=1)" -Credential $cred -Service $TargetARS -Proxy -SearchRoot $Searchroot | Select-Object Name,dn | ForEach-Object {$_.dn}
If ($ProtectedGroups -contains $TargetGroup)
{
    $null = Add-QADGroupMember -Identity $TargetGroup -Member $Member -Credential $cred -Service $AdminARS -Proxy -Control @{'ScheduledOperation-SetTime'=$StartDateTime}
    $null = Remove-QADGroupMember -Identity $TargetGroup -Member $Member -Credential $cred -Service $AdminARS -Proxy -Control @{'ScheduledOperation-SetTime'=$EndDateTime}
}
The account has delegated rights to add/remove group members.
Is there a difference in how the ARS shell handles delegation?
Thanks