Unable to set edsvaSecondaryOwnersCanUpdateMembershipList attribute on a group object using PowerShell

Hello all,

I have run into another snag when trying to modify objects in ARS with PowerShell. Currently, I am working on scripting DL creation but am hung up on changing one attribute. My current code is as follows:

Connect-QADService -Proxy

Set-QADObject domain\groupobject -ObjectAttributes @{'edsvaSecondaryOwnersCanUpdateMembershipList'=$True}

If I try to commit this change I am met with this error message:

Set-QADObject : Administrative Policy returned an error.
Object reference not set to an instance of an object.
At line:1 char:1
+ Set-QADObject domain\groupobject  -ObjectAttributes @{'ed ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=\groupobject...domain,DC=net:String) [Set-QADObject], ObjectAlreadyExistsException
+ FullyQualifiedErrorId : ActiveRoles.ManagementShell.Powershell.Cmdlets.SetObjectCmdlet

Anyone know why I may be seeing this error message?

Any assistance would be great!

  • The setting of this attribute performs a write-through of native permissions to Active Directory (the same occurs for the Primary Owner).  Does your ActiveRoles service or override account have rights to modify object security in AD?

  • In the ARS and AD console I can modify the "Manager can update membership list" for the primary owner.

    In the ARS console, I can modify this for both the primary and the secondary owners.

    In the AD console, this option does not exist for the secondary owner.

    When I modify this for the secondary owner in the ARS console and do a get-qadobject on the object, it shows that the value of edsvaSecondaryOwnersCanUpdateMembershipList changed from null to true. This was set with the same account that I am running this command from in PS, so it seems like it wouldn't be a rights issue.

  • I also just tried this:

    Set-QADGroup -Identity domain\groupobject -SecondaryOwnersCanUpdateMembershipList $True

    And receive the same error message as the command.

  • After some more research, changing edsaManagerCanUpdateMembershipList as well as edsvaSecondaryOwnersCanUpdateMembershipList changes other values in the object which are "links." I also noticed that if I have both of these enabled in the console, and disable only edsvaSecondaryOwnersCanUpdateMembershipList, it also disables edsaManagerCanUpdateMembershipList. I'm not sure if this should impact trying to set a value to true, but it is almost like when I try to change the value of edsvaSecondaryOwnersCanUpdateMembershipList, it cannot find the attribute in the object to change it.

    Attributes that also change when changing edsaManagerCanUpdateMembershipList and / or edsvaSecondaryOwnersCanUpdateMembershipList to true or false:




    I am stumped; any insight as to what is going on would be much appreciated.

    Thank you.

  • Do you actually have some SecondaryOwners set on the object in question?

  • Yes, I have 2 users currently set as secondary owners.

  • I am curious, if you look at the native AD permissions tab in the AR console for the group in question, do you see any individual users in there?  If the permissions from this setting are being passed through to AD correctly (via the AR MMC that is), you should see ACEs for the individual group owners & secondary owners.
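
The ACE check suggested in the last reply can also be run from PowerShell against native AD. The following is an added example, not part of the original thread and not Active Roles code. It assumes the RSAT ActiveDirectory module is available; the function name and the sample identities are hypothetical placeholders.

```powershell
# Added example: lists explicit ACEs that allow writing the group's 'member'
# attribute and compares them with the owners you expect to see.
Import-Module ActiveDirectory   # provides Get-ADGroup and the AD: drive

# schemaIDGUID of the 'member' attribute; an ACE scoped to it governs membership edits.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupMembershipWriter {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        # Expected primary/secondary owners in DOMAIN\sAMAccountName form
        [string[]] $ExpectedOwners = @()
    )

    $group = Get-ADGroup -Identity $GroupIdentity
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # Only explicit Allow ACEs scoped to 'member' are considered; inherited
    # ACEs and broad rights such as GenericAll are deliberately ignored.
    $granted = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        ($_.ActiveDirectoryRights -band $write) -and
        $_.ObjectType -eq $MemberAttributeGuid
    } | ForEach-Object { $_.IdentityReference.Value })

    # Expected owners: does each one actually hold the ACE?
    foreach ($owner in $ExpectedOwners) {
        [pscustomobject]@{
            Identity          = $owner
            Expected          = $true
            HasWriteMemberAce = ($granted -contains $owner)
        }
    }
    # Anyone else holding the ACE is worth reviewing.
    foreach ($id in ($granted | Where-Object { $ExpectedOwners -notcontains $_ })) {
        [pscustomobject]@{ Identity = $id; Expected = $false; HasWriteMemberAce = $true }
    }
}

# Constructed sample call; replace the placeholder identities with real ones.
Get-GroupMembershipWriter -GroupIdentity 'groupobject' `
    -ExpectedOwners 'DOMAIN\primaryowner', 'DOMAIN\secondaryowner1'
```

An expected owner with HasWriteMemberAce set to False means the permission was not written through to AD for that account; an identity with Expected set to False holds the right without being a listed owner.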