Started getting Access is denied error

Hello,

This command was working fine and it stopped recently. Not related to ACL, since I can add a user using a console.

Add-QADGroupMember -Identity "na\DSS-RO" -Member "xyz"

Name Type DN
---- ---- --
Alex Iserlis user CN=xyz,OU=Users,OU=FD,DC=na,DC=xyz,DC=com
Add-QADGroupMember : Access is denied.
At line:1 char:1
+ Add-QADGroupMember -Identity "na\DSS-RO" -Member "xyz"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-QADGroupMember], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,ActiveRoles.ManagementShell.Commands.AddGroupMemberCmdlet2

  • Hi  

    If you can add or remove users to or from a group with the Active Roles console, but not via Active Directory Users and Computers, the error is likely due to a missing parameter.

    The proxy parameter tells the cmdlet to use Active Roles (EDMS ADSI provider) to perform the command, rather than Active Directory (LDAP ADSI Provider). Omitting proxy says use AD, and if you do not have permissions in AD to perform that action, it will error:

    Add-QADGroupMember -Identity "na\DSS-RO" -Member "xyz" -Proxy

  • Hi Stu Pollock.

    When I use the "-Proxy" parameter, I'm experiencing 2 issues:

    1. It takes 2 minutes to run a command (not a big deal)

    2.  We have a Workflow to approve adding users to sensitive groups. It works fine if we add users to groups using ARS console and very flaky if we add users to groups using command line:

    add-QADGroupMember -Identity "na\DSS-RO" -Member "xyz" -proxy

    Name Type DN
    ---- ---- --
    xyz user CN=xyz,OU=Users,OU=FD,DC=na,DC=xyz,DC=com
    WARNING: Operation was submitted for approval. Object: CN=DSS-RO,OU=PB_ARS_Controlled,OU=Groups,DC=na,DC=xyz,DC=com, OperationID:
    7-251163.

    I ran the same command in 10 min and it didn't kick off an approval workflow, and the user was added to the sensitive group:

    add-QADGroupMember -Identity "na\DSS-RO" -Member "xyz" -proxy

    Name Type DN
    ---- ---- --
    xyz user CN=xyz,OU=Users,OU=FD,DC=na,DC=xyz,DC=com

    Thanks in advance.

    Alex

  • Did you receive the "need approval" and "no approval" results in the SAME PowerShell window using the SAME credentials?

    The reason for my question is that if you run a PoSh command as a user with AR Admin rights (vs. a regular delegated AR user) then you can bypass Approvals (depending on how the workflow is configured - they can be set up to ALWAYS require approval).
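
Added example, not part of the original thread or written by any of its posters: one way to record, for each run, which identity the shell used and whether the membership change went to approval or was applied directly. The Administration Service host name is a placeholder, and the script assumes that a request pending approval leaves the group membership unchanged.

```powershell
# Added example. Group and member names are the ones used in the thread;
# the Administration Service host below is a placeholder (assumption).
$arService = 'ars-host.example.com'
$group     = 'na\DSS-RO'
$member    = 'xyz'

# Record the identity this shell runs under. Per the reply above, an AR Admin
# account may bypass approval while a regular delegated account does not.
$runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Connect explicitly through Active Roles rather than straight to AD.
Connect-QADService -Service $arService -Proxy | Out-Null

function Test-GroupMembership {
    param([string]$Group, [string]$Member)
    # Compare by DN so a display-name collision cannot give a false match.
    $dn = (Get-QADUser -Identity $Member -Proxy).DN
    [bool](Get-QADGroupMember -Identity $Group -Proxy |
        Where-Object { $_.DN -eq $dn })
}

$before     = Test-GroupMembership -Group $group -Member $member
$arWarnings = @()
if (-not $before) {
    # -WarningVariable captures the "submitted for approval" warning text.
    Add-QADGroupMember -Identity $group -Member $member -Proxy `
        -WarningVariable arWarnings | Out-Null
}
$after     = Test-GroupMembership -Group $group -Member $member
$submitted = [bool]($arWarnings |
    Where-Object { "$_" -like '*submitted for approval*' })

if ($before) { $outcome = 'Already a member, nothing attempted' }
elseif ($submitted -and -not $after) { $outcome = 'Sent to approval workflow' }
elseif ($after) { $outcome = 'Added WITHOUT approval' }
else { $outcome = 'No change and no approval warning' }

# One record per run; keep these to compare runs across windows and accounts.
[pscustomobject]@{
    Time    = Get-Date -Format o
    RunAs   = $runAs
    Group   = $group
    Member  = $member
    Outcome = $outcome
}
```

Running this from each PowerShell window and comparing the RunAs and Outcome fields shows whether the runs that skipped approval were made under a different account.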
