
Unable to set edsvaSecondaryOwnersCanUpdateMembershipList attribute on a group object using PowerShell

Hello all,

I have run into another snag when trying to modify objects in ARS with PowerShell. Currently, I am working on scripting DL creation but am hung up on changing one attribute. My current code is as follows:

Connect-QADService -Proxy

Set-QADObject domain\groupobject -ObjectAttributes @{'edsvaSecondaryOwnersCanUpdateMembershipList'=$True}

If I try to commit this change I am met with this error message:

Set-QADObject : Administrative Policy returned an error.
Object reference not set to an instance of an object.
At line:1 char:1
+ Set-QADObject domain\groupobject  -ObjectAttributes @{'ed ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=\groupobject...domain,DC=net:String) [Set-QADObject], ObjectAlreadyExistsException
+ FullyQualifiedErrorId : ActiveRoles.ManagementShell.Powershell.Cmdlets.SetObjectCmdlet

Anyone know why I may be seeing this error message?

Any assistance would be great!

  • The setting of this attribute performs a write-through of native permissions to Active Directory (the same occurs for the Primary Owner).  Does your ActiveRoles service or override account have rights to modify object security in AD?

  • In the ARS and AD console I can modify the "Manager can update membership list" for the primary owner.

    In the ARS console, I can modify this for both the primary and the secondary owners.

    In the AD console, this option does not exist for the secondary owner.

    When I modify this for the secondary owner in the ARS console and do a get-qadobject on the object, it shows that the value of edsvaSecondaryOwnersCanUpdateMembershipList changed from null to true. That was set with the same account that I am running this command from in PS, so it seems like it wouldn't be a rights issue.

  • I also just tried this:

    Set-QADGroup -Identity domain\groupobject -SecondaryOwnersCanUpdateMembershipList $True

    And receive the same error message as the command.

  • After some more research, changing edsaManagerCanUpdateMembershipList as well as edsvaSecondaryOwnersCanUpdateMembershipList changes other values in the object which are "links." I also noticed that if I have both of these enabled in the console, and disable only edsvaSecondaryOwnersCanUpdateMembershipList, it also disables edsaManagerCanUpdateMembershipList. I'm not sure if this should impact trying to set a value to true, but it is almost like when I try to change the value of edsvaSecondaryOwnersCanUpdateMembershipList, it cannot find the attribute in the object to change it.

    Attributes that also change when changing edsaManagerCanUpdateMembershipList and / or edsvaSecondaryOwnersCanUpdateMembershipList  to true or false:

    edsaHasATLinks  

    edsvaATLinksEffective

    edsaHasNotPredefinedATLinks 

    I am stumped, any insight as to what is going on would be much appreciated.

    Thank you.

  • Do you actually have some SecondaryOwners set on the object in question?
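
Added example, not part of the original thread: the first reply says this setting writes native permissions through to Active Directory, so one way to confirm what actually landed on the group is to list which trustees hold write access to its member attribute. It assumes the write-through takes the same form as the native "Manager can update membership list" option (an Allow ACE for WriteProperty on member); the function name, account names and sample ACEs are constructed for illustration.

```powershell
# Added example; requires Windows PowerShell (System.DirectoryServices).
Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUID of the Active Directory 'member' attribute
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Hypothetical helper: returns the trustees whose ACEs allow writing 'member'.
function Get-MemberWriteAce {
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectoryAccessRule[]]$AccessRule
    )
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($ace in $AccessRule) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericWrite and GenericAll include the WriteProperty bit, so they match too
        if (($ace.ActiveDirectoryRights -band $write) -ne $write) { continue }
        # An empty ObjectType means the ACE covers every property, 'member' included
        $allProps = $ace.ObjectType -eq [guid]::Empty
        if ($allProps -or $ace.ObjectType -eq $MemberAttributeGuid) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Scope     = if ($allProps) { 'all properties' } else { 'member' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed sample ACEs (not taken from a real directory)
$AD    = 'System.DirectoryServices'
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$wp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$rp    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$owner = [System.Security.Principal.NTAccount]'EXAMPLE\secondary.owner'
$other = [System.Security.Principal.NTAccount]'EXAMPLE\helpdesk'
$sample = @(
    New-Object "$AD.ActiveDirectoryAccessRule" $owner, $wp, $allow, $MemberAttributeGuid
    New-Object "$AD.ActiveDirectoryAccessRule" $other, $rp, $allow, $MemberAttributeGuid
)

# Only EXAMPLE\secondary.owner is reported; the read-only ACE is skipped.
Get-MemberWriteAce -AccessRule $sample | Format-Table -AutoSize

# Against a live directory (assumes the ActiveDirectory module and its AD: drive):
#   Get-MemberWriteAce -AccessRule (Get-Acl "AD:\<group distinguished name>").Access
```

Comparing the output before and after toggling the option in the ARS console shows whether the service account was able to write the ACE to the group object in AD.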
