This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to set edsvaSecondaryOwnersCanUpdateMembershipList attribute on a group object using PowerShell

Hello all,

I have run into another snag when trying to modify objects in ARS with PowerShell. Currently, I am working on scripting DL creation but am hung up on changing one attribute. My current code is as follows:

Connect-QADService -Proxy

Set-QADObject domain\groupobject -ObjectAttributes @{'edsvaSecondaryOwnersCanUpdateMembershipList'=$True}

If I try to commit this change I am met with this error message:

Set-QADObject : Administrative Policy returned an error.
Object reference not set to an instance of an object.
At line:1 char:1
+ Set-QADObject domain\groupobject  -ObjectAttributes @{'ed ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=\groupobject...domain,DC=net:String) [Set-QADObject], ObjectAlreadyExistsException
+ FullyQualifiedErrorId : ActiveRoles.ManagementShell.Powershell.Cmdlets.SetObjectCmdlet

Anyone know why I may be seeing this error message?

Any assistance would be great!

  • The setting of this attribute performs a write-through of native permissions to Active Directory (the same occurs for the Primary Owner).  Does your ActiveRoles service or override account have rights to modify object security in AD?

  • In the ARS and AD console I can modify the "Manager can update membership list" for the primary owner.

    In the ARS console, I can modify this for both the primary and the secondary owners.

    In the AD console, this option does not exist for the secondary owner.

    When I modify this for the secondary owner in the ARS console and do a get-qadobject on the object it shows that the value of edsvaSecondaryOwnersCanUpdateMembershipList changed from null to true which was set with the same account that I am running this command from in PS so it seems like it wouldn't be a rights issue.

  • Yes, I have 2 users currently set as secondary owners.

  • I am curious, if you look at the native AD permissions tab in the AR console for the group in question, do you see any individual users in there?  If the permissions from this setting are being passed through to AD correctly (via the AR MMC that is), you should see ACEs for the individual group owners & secondary owners.

  • "Manager can update membership list" for the primary owner.

    is a native AD permission to be used via Exchange MSFT Outlook for Primary Owner o manage DLs (legacy functionality). ARS used to incorporate it in internal Workflow.

    #2. edsaManagerCanUpdateMembershipList is ARS internal functionality for Secondary Owners (formatted "DA\jsmith;AD\joedoe") to be used internally in ARS workflow (legacy for ARS SSM 6.7). It is legacy functionality fro 6.7, and might be decommissioned today.

    I would recommend to implement #2 differently. Create MU "GroupsSecodayOwners" - permissioned AT "Group Member Modify" - Trustee BUILT-IN\Secondary Owner (Well Known SID)

    (please refer to Quest / One Identity PSO to generate the AD management workflow you need)

  • Alright, so if I understand this correctly. The best way to accomplish this would be to create a new membership group with the secondary owner permissions and add that to the DL? Also can you please link me to the PSO for reference?

    As always, much appreciated.

  • My colleague Aidar's statement concerning the nature of SecondaryOwner membership update permissions is not 100% correct.  I just did a test in my lab where I applied an individual user as a secondary owner and checked the box "...secondary owners can update membership list".

    Two things occurred:

    1) A new AR access template link was placed on the group.  It cited my user at the trustee and granted this trustee the builtin Access template Groups - Read/Write Members.

    2) Looking at the Native AD permissions, a new ACE for my user was added with Group Read/Write Members native permissions.

    So creating a Managed Unit and granting rights to secondary owners via an Access Templates is only going to accomplish the equivalent to Item 1.

    I go back to my original question to Jacob - when you check the "secondary owners can manage" box and inspect the native permissions in AD, do your secondary owners have permission there?

    If yes, then there is clearly something odd about the way the cmdlets handle this.  My guess would be that you have to set the secondary owner and "check the box" simultaneously in the same request.

  • My apologies, I am not sure where to look for the native AD permissions to check for the secondary owners permissions after checking the box in the AR console. Where are you seeing this exactly?

  • There's a tab for it in the lower right pane of your Active Roles MMC (assuming you have the Advanced Details Pane turned on).

    I just did a test and confirmed my suspicions - if your AR service or override account doesn't have native rights to set the security on the group, the cmdlet will fail.  The minute you natively grant AR the ability to manage security (because it's a Domain Admin), the cmdlet works fine.

    This was my command line:

    set-qadgroup -proxy "test group 3" -objectattributes @{edsvaSecondaryOwnersCanUpdateMembershipList=$true}

    Strangely, this dependency doesn't exist when managing the group through the AR MMC.

  • So my admin account for use with the AR also needs native AD admin access for this cmdlet to work properly?

  • No, just make sure that the AR service account (or override account on the Managed Domain, if so configured) natively (via the Delegation Wizard in ADUC) has Full Control over Groups.  That means that it can set permissions / security.

  • So I was playing around with my code working on something else and ended up changing a variable by mistake, but it was a happy mistake.

    If you run the command to add a secondary owner and add a user as a secondary owner, the edsvaSecondaryOwnersCanUpdateMembershipList attribute by default is False.

    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Null

    However, if you run the command to add a secondary owner and  add the primary owner as a secondary owner, the edsvaSecondaryOwnersCanUpdateMembershipList attribute switches itself to True.

    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="primaryowner"} | Out-Null
    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Nul
    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Null

    The end result ends up being that the primary owner is both a primary and secondary owner, and both primary and secondary owners can modify DL's in Outlook.

    Strange, but I'm not complaining.

  • So I was playing around with my code working on something else and ended up changing a variable by mistake, but it was a happy mistake.

    If you run the command to add a secondary owner and add a user as a secondary owner, the edsvaSecondaryOwnersCanUpdateMembershipList attribute by default is False.

    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Null

    However, if you run the command to add a secondary owner and  add the primary owner as a secondary owner, the edsvaSecondaryOwnersCanUpdateMembershipList attribute switches itself to True.

    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="primaryowner"} | Out-Null
    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Nul
    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Null

    The end result ends up being that the primary owner is both a primary and secondary owner, and both primary and secondary owners can modify DL's in Outlook.

    Strange, but I'm not complaining.

No Data