Unable to set edsvaSecondaryOwnersCanUpdateMembershipList attribute on a group object using PowerShell

Hello all,

I have run into another snag when trying to modify objects in ARS with PowerShell. Currently, I am working on scripting DL creation but am hung up on changing one attribute. My current code is as follows:

Connect-QADService -Proxy

Set-QADObject domain\groupobject -ObjectAttributes @{'edsvaSecondaryOwnersCanUpdateMembershipList'=$True}

If I try to commit this change I am met with this error message:

Set-QADObject : Administrative Policy returned an error.
Object reference not set to an instance of an object.
At line:1 char:1
+ Set-QADObject domain\groupobject  -ObjectAttributes @{'ed ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=\groupobject...domain,DC=net:String) [Set-QADObject], ObjectAlreadyExistsException
+ FullyQualifiedErrorId : ActiveRoles.ManagementShell.Powershell.Cmdlets.SetObjectCmdlet

Anyone know why I may be seeing this error message?

Any assistance would be great!

  • My apologies, I am not sure where to look for the native AD permissions to check for the secondary owners permissions after checking the box in the AR console. Where are you seeing this exactly?

  • There's a tab for it in the lower right pane of your Active Roles MMC (assuming you have the Advanced Details Pane turned on).

    I just did a test and confirmed my suspicions - if your AR service or override account doesn't have native rights to set the security on the group, the cmdlet will fail. The minute you natively grant AR the ability to manage security (because it's a Domain Admin), the cmdlet works fine.

    This was my command line:

    set-qadgroup -proxy "test group 3" -objectattributes @{edsvaSecondaryOwnersCanUpdateMembershipList=$true}

    Strangely, this dependency doesn't exist when managing the group through the AR MMC.

  • So my admin account for use with the AR also needs native AD admin access for this cmdlet to work properly?

  • No, just make sure that the AR service account (or override account on the Managed Domain, if so configured) natively (via the Delegation Wizard in ADUC) has Full Control over Groups. That means that it can set permissions / security.

  • So I was playing around with my code working on something else and ended up changing a variable by mistake, but it was a happy mistake.

    If you run the command to add a secondary owner and add a user as a secondary owner, the edsvaSecondaryOwnersCanUpdateMembershipList attribute by default is False.

    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Null

    However, if you run the command to add a secondary owner and add the primary owner as a secondary owner, the edsvaSecondaryOwnersCanUpdateMembershipList attribute switches itself to True.

    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="primaryowner"} | Out-Null
    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Null
    Set-QADObject domain\object -ObjectAttributes @{'edsvaSecondaryOwners'="secondaryowner"} | Out-Null

    The end result ends up being that the primary owner is both a primary and secondary owner, and both primary and secondary owners can modify DLs in Outlook.

    Strange, but I'm not complaining.
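Putting the thread together in one script, as an added example that is not code from any of the posters or from One Identity: it connects through the Active Roles proxy, writes the primary owner and the whole secondary-owner list in a single call, sets edsvaSecondaryOwnersCanUpdateMembershipList explicitly, turns the "Administrative Policy returned an error" failure discussed above into an error message that points at the native-rights requirement on the AR service/override account, and then reads the group back so that the flag silently flipping to True (the behaviour described in the last post, which grants membership editing from Outlook) is surfaced as a warning rather than going unnoticed. Assumptions: the Active Roles Management Shell cmdlets (Connect-QADService, Get-QADGroup, Set-QADGroup) are loaded, the group and owner DNs are placeholders, and the edsva* virtual attributes requested with -IncludedProperties are exposed as properties on the returned object.

```powershell
# Added example (not code from the thread). Assumes the Active Roles Management
# Shell cmdlets (Connect-QADService, Get-QADGroup, Set-QADGroup) are loaded and
# that the caller can connect through the Active Roles proxy.
# Group and owner DNs below are placeholders, not real objects.

$GroupDn           = 'CN=DL-Sales,OU=Distribution Lists,DC=example,DC=net'
$PrimaryOwnerDn    = 'CN=Alice Owner,OU=Users,DC=example,DC=net'
$SecondaryOwnerDns = @('CN=Bob Backup,OU=Users,DC=example,DC=net',
                       'CN=Carol Backup,OU=Users,DC=example,DC=net')
$SecondaryOwnersMayEditMembers = $false   # the value we intend to end up with

# Connect through the Active Roles Administration Service so that ARS policies
# and virtual attributes (edsva*) apply; a plain LDAP connection cannot set them.
Connect-QADService -Proxy | Out-Null

function Set-DlOwnership {
    param(
        [Parameter(Mandatory)][string]   $Identity,
        [Parameter(Mandatory)][string]   $PrimaryOwner,
        [Parameter(Mandatory)][string[]] $SecondaryOwners,
        [Parameter(Mandatory)][bool]     $CanUpdateMembership
    )

    # Primary owner is the native managedBy attribute; secondary owners are the
    # ARS virtual attribute. Pass the complete list in one write rather than
    # one value per call, so the result does not depend on how repeated
    # single-value writes combine.
    Set-QADGroup -Proxy -Identity $Identity -ObjectAttributes @{
        managedBy            = $PrimaryOwner
        edsvaSecondaryOwners = $SecondaryOwners
    } -ErrorAction Stop | Out-Null

    try {
        # This write makes ARS update the group's security descriptor, which is
        # why it needs the ARS service (or override) account to hold native
        # rights on group security, even though the MMC does not need them.
        Set-QADGroup -Proxy -Identity $Identity -ObjectAttributes @{
            edsvaSecondaryOwnersCanUpdateMembershipList = $CanUpdateMembership
        } -ErrorAction Stop | Out-Null
    }
    catch {
        if ($_.Exception.Message -match 'Administrative Policy returned an error') {
            throw ("Could not set edsvaSecondaryOwnersCanUpdateMembershipList on '$Identity'. " +
                   "Check that the Active Roles service/override account has native rights " +
                   "to modify security on group objects. Inner error: $($_.Exception.Message)")
        }
        throw
    }
}

function Get-DlOwnership {
    param([Parameter(Mandatory)][string] $Identity)

    # -IncludedProperties is needed for the edsva* virtual attributes; assumed
    # here to surface them as properties on the returned object.
    $g = Get-QADGroup -Proxy -Identity $Identity -IncludedProperties `
            managedBy, edsvaSecondaryOwners, edsvaSecondaryOwnersCanUpdateMembershipList

    [pscustomobject]@{
        Group               = $g.DN
        PrimaryOwner        = [string]$g.managedBy
        SecondaryOwners     = @($g.edsvaSecondaryOwners)
        CanUpdateMembership = [bool]$g.edsvaSecondaryOwnersCanUpdateMembershipList
    }
}

Set-DlOwnership -Identity $GroupDn -PrimaryOwner $PrimaryOwnerDn `
                -SecondaryOwners $SecondaryOwnerDns `
                -CanUpdateMembership $SecondaryOwnersMayEditMembers

$state = Get-DlOwnership -Identity $GroupDn
$state | Format-List

# Read back and compare: the thread shows the flag flipping to True on its own
# when the primary owner is also listed as a secondary owner, and True lets
# secondary owners edit DL membership from Outlook. Treat a mismatch as a
# finding, not a convenience.
if ($state.CanUpdateMembership -ne $SecondaryOwnersMayEditMembers) {
    Write-Warning ("edsvaSecondaryOwnersCanUpdateMembershipList on $($state.Group) is " +
                   "$($state.CanUpdateMembership), expected $SecondaryOwnersMayEditMembers.")
}
if ($state.SecondaryOwners -contains $state.PrimaryOwner) {
    Write-Warning "Primary owner $($state.PrimaryOwner) is also listed as a secondary owner."
}
```

Run it from an Active Roles Management Shell session as the account you script DL creation with; if the second Set-QADGroup throws the wrapped error, the fix is the delegation described above (native rights for the AR service or override account on group security), not broader rights for the scripting account. The read-back at the end is the part worth keeping in any provisioning script, since it is the only way to notice the flag ending up True when you asked for False.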