I seem to be having a weird permission issue with Active Directory. The user that is running this script has access to change Active Directory attributes and is able to do it from the command line, but is unable to run the command inside of the script.

The command I'm trying to run is this:

Set-ADUser -identity $user.DistinguishedName -replace @{info="1"}

This command runs and executes fine inside of the PowerShell command line. The command line is also being run as the user that runs the script, so the user has the right permission to change Active Directory attributes. However, when I put this command in the script, I get a permission issue.

Inside of my script this is the block that gets the error:

    try {
        # Both writes must succeed before the success line is logged
        Set-ADUser -Identity $user.DistinguishedName -Replace @{info="1"}
        Set-ADUser -Identity $username -Replace @{employeeID="<not set>"}
        Logwrite "Employee ID: Cleared!"
    }
    catch {
        # Update log of error
        $errorcountforemail = $errorcountforemail + 1
        Logwrite "Employee ID:******* [FAILED] *******"
        $errortest = $_
        Write-Output $_
        # -Width 50 wraps long error messages, which is why the log excerpt below is broken across lines
        Out-File -FilePath $logfile2 -Append -InputObject "`n" -Encoding ascii -Width 50
        Out-File -FilePath $logfile2 -Append -InputObject "Problem setting ad user for $username" -Encoding ascii -Width 50
        Out-File -FilePath $logfile2 -Append -InputObject $_ -Encoding ascii -Width 50
        Out-File -FilePath $logfile2 -Append -InputObject "`n" -Encoding ascii -Width 50
    }

This is the error, with the names changed for confidentiality.

*---------------------* Errors for: ############## *---------------------*

Problem setting ad user for ################
Set-ADUser : Insufficient access rights to perform the operation
At C:\##################.ps1:199 char:13
+             Set-ADUser -identity $user.DistinguishedName  -replace @{ ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (#########################:ADUser) [Set-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.SetADUser


Things I have tried:

- Running as admin and with highest privileges.

- Starting the script in a batch file that runs it as admin.

- Forcing credentials like this: Set-ADUser -identity $user.DistinguishedName -Credential $domaincredential -replace @{info="1"} with the credentials of this user, because it does have access to make these changes.


Any thoughts?

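The catch block above loses the two facts that decide this kind of problem: which security principal actually performed the write, and what the target object looked like. The following is an added example, not the asker's script: a small wrapper around Set-ADUser that forces a terminating error with -ErrorAction Stop, logs the running identity, the target DN, its Enabled state and the exception type, and returns $true/$false so the caller can keep its error count. It assumes $user, $username and $logfile2 exist as in the original script; Write-LogLine is an assumed helper standing in for the original Logwrite.

```powershell
# Added example (not the asker's code). Assumes the ActiveDirectory module and
# the surrounding script's $logfile2 / $user / $username variables.
Import-Module ActiveDirectory

function Write-LogLine {
    param([string]$Path, [string]$Message)
    # No -Width, so long error texts are not wrapped mid-word in the log.
    Out-File -FilePath $Path -Append -Encoding ascii -InputObject ("{0:u} {1}" -f (Get-Date), $Message)
}

function Set-ADUserAttributeLogged {
    param(
        [Parameter(Mandatory)][string]$Identity,     # DN or sAMAccountName
        [Parameter(Mandatory)][hashtable]$Replace,   # e.g. @{info = "1"}
        [Parameter(Mandatory)][string]$LogPath
    )
    # Record which principal is doing the write: a script launched from a batch
    # file or a scheduled task is often not running as the account you expect.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $target = $null
    try {
        # -ErrorAction Stop guarantees the failure is terminating and reaches catch.
        $target = Get-ADUser -Identity $Identity -Properties Enabled -ErrorAction Stop
        Set-ADUser -Identity $target.DistinguishedName -Replace $Replace -ErrorAction Stop
        Write-LogLine -Path $LogPath -Message "OK $who -> $($target.DistinguishedName) ($($Replace.Keys -join ','))"
        return $true
    }
    catch {
        # DN, enabled state and exception type separate "no rights on this object/OU"
        # from a bad identity or an attribute problem.
        $dn = if ($target) { $target.DistinguishedName } else { $Identity }
        $enabled = if ($target) { $target.Enabled } else { 'unknown' }
        Write-LogLine -Path $LogPath -Message "FAILED $who -> $dn (Enabled=$enabled): $($_.Exception.GetType().FullName): $($_.Exception.Message)"
        return $false
    }
}

# Example call from the existing loop (assumed variables from the script):
if (-not (Set-ADUserAttributeLogged -Identity $user.DistinguishedName -Replace @{info = "1"} -LogPath $logfile2)) {
    $errorcountforemail = $errorcountforemail + 1
}
```

With this in place, a log line such as "FAILED DOMAIN\svc-account -> CN=...,OU=Disabled Users,... (Enabled=False)" points directly at the container and account state that need checking, instead of a wrapped "Insufficient access rights" message with no context.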
You can test whether "running as a script" is the issue by putting that single command in a .ps1 file and then have the user run the .ps1 file. If it works that way, then the problem is obviously elsewhere. - Bill_Stewart
I just tried that and it works. So there is something that is breaking it. I just made a script that looks like this in a separate file and it works: Import-Module activedirectory try{ Set-ADUser -Identity mdecarlo -Replace @{info="1"} } catch{ Write-Output $_ } - Matthew Decarlo
Now that you know the problem is in the script you're using to run the command, you can load it in a debugger (the ISE can be useful for this), run it as the other user, set a breakpoint a few lines before your line of code runs, step through, and see where/why it's not working. - Bill_Stewart
So after debugging, I found that it actually doesn't have access to edit the disabled users, but it has access to edit the regular users, and I tested the command on my own user account, which is enabled. I kinda made an error in my tests by not testing it on the disabled user. So I guess all I have to do is give it access to edit the disabled users, because that is where these users are located, and then it should work. Thanks for the help :) Permissions are still very new to me. - Matthew Decarlo

1 Answer

My issue was a permission issue with the disabled users OU. I gave the user permission to edit disabled users and it is now working as intended; this was not an issue with my code.
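The root cause here was that the target accounts lived in a different OU than the ones used for testing, and the delegation did not reach that OU. The following is an added diagnostic, not the answer's own code: given a target user it reports the parent container, the Enabled state, the identity the script runs as, and every Allow ACE on the object (inherited ones included) that grants a write on the named attribute to the current token's user or group SIDs. It assumes the ActiveDirectory module and its AD: drive; Test-ADAttributeWriteAccess and its parameters are names chosen for this example.

```powershell
# Added example (not the answer's code). Requires the ActiveDirectory module, which
# provides the AD: PSDrive used by Get-Acl below.
Import-Module ActiveDirectory

function Test-ADAttributeWriteAccess {
    param(
        [Parameter(Mandatory)][string]$TargetIdentity,   # DN or sAMAccountName
        [string]$Attribute = 'info'                      # lDAPDisplayName of the attribute
    )
    $target = Get-ADUser -Identity $TargetIdentity -Properties Enabled -ErrorAction Stop
    $dn = $target.DistinguishedName
    $parentContainer = $dn -replace '^CN=[^,]+,', ''   # strip the RDN, keep the OU path

    # Attribute-specific ACEs carry the attribute's schemaIDGUID in ObjectType.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties schemaIDGUID
    if (-not $attrObj) { throw "Attribute '$Attribute' not found in the schema" }
    $attrGuid = [guid]$attrObj.schemaIDGUID

    # SIDs the running token carries: the user SID plus every group SID.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -Path "AD:\$dn"
    $matching = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $coversWrite = $rights -match 'WriteProperty|GenericWrite|GenericAll'
        # Empty ObjectType means "all properties"; otherwise it must name this attribute.
        $coversAttr = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $attrGuid)
        if (-not ($coversWrite -and $coversAttr)) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable (orphaned) trustee, cannot match it to the token
        if ($mySids -contains $sid) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }

    [pscustomobject]@{
        DistinguishedName = $dn
        ParentContainer   = $parentContainer
        Enabled           = $target.Enabled
        RunningAs         = $me.Name
        AllowAces         = @($matching)
        LikelyAllowed     = (@($matching).Count -gt 0)
    }
}

# Usage: run as the script's service account against one enabled and one disabled user
# and compare ParentContainer and AllowAces between the two results.
# Test-ADAttributeWriteAccess -TargetIdentity 'someuser' -Attribute 'info' | Format-List
```

Two caveats on the check: it ignores Deny ACEs and ACEs whose ObjectType is a property set rather than the single attribute, so a $false result is a strong hint and a $true result is not a proof. Running it against an enabled user in the working OU and a disabled user in the failing OU is what would have shown the missing delegation here before any debugging of the script.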