• State Not Answered
  • Replies 1 reply
  • Subscribers 62 subscribers
  • Views 443 views
  • Users 0 members are here
Options
Related

Get-QADUser - Access denied

craig mcfarlane
8 months ago

Team. 

I have this script that is getting the values of various AD attributes and sticking them in to a CSV for me. 

I am getting the error message below. I am logged on to the AR Server with the service account. It has full read write to everything including the local folder and file

FirstName-LastName-Display is a VA

Also changing (Get-QADUser $Secretary).Displayname also gives the same error message so its not specific to it being the VA

DefaultNamingContext                               Type            
--------------------                               ----            
CN=Active Directory                                ARS             
Get-QADUser : Access is denied.
At line:10 char:10
+         (Get-QADUser $Secretary).'FirstName-LastName-Display'
+          ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-QADUser], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,ActiveRoles.ManagementShell.Po 
   wershell.Cmdlets.GetUserCmdlet
 
Get-QADUser : Access is denied.
At line:10 char:10
+         (Get-QADUser $Secretary).'FirstName-LastName-Display'
+          ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-QADUser], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,ActiveRoles.ManagementShell.Po 
   wershell.Cmdlets.GetUserCmdlet

Connect-QADService -Service "AR-SERVER-NAME" -Proxy
$OUName = "OU=HERE"
$CSVName = "C:\Export.csv"

$report = foreach ($user in (Get-QADUser -SearchRoot $OUName -SizeLimit 0 -IncludedProperties Initials, Secretary , Division, Seealso, FirstName-LastName-Display )) 
{
    $secretaries = foreach($secretary in $user.Secretary)
    {
        #(Get-QADUser $Secretary).DisplayName
        (Get-QADUser -SizeLimit 0 -IncludedProperties 'FirstName-LastName-Display' $Secretary).'FirstName-LastName-Display'
        
    }
    $seeAlso = foreach($also in $user.seeAlso)
    {
        (Get-QADUser -SizeLimit 0 -IncludedProperties 'FirstName-LastName-Display' $also).'FirstName-LastName-Display'
    }
    [pscustomobject]@{
        'LogonName'     = $user.SamAccountName
        'FirstName'     = $user.FirstName
        'Initials'      = $user.Initials
        'LastName'      = $user.LastName
        'DisplayName'   = $user.DisplayName
        'Name'          = $user.Name
        'eMail'         = $user.Email
        'Office'        = $user.physicalDeliveryOfficeName
        Secretary       = $secretaries -join ", "
        SeeAlso         = $seeAlso -join ", "
    }
}
$Report | Export-Csv -path $CSVName -NoTypeInformation -Force -Encoding UTF8

Parents
  • 0 8 months ago

    What is odd is if i move a few test accounts out to a new OU and run the script against them there then its fine, move them back and i get the access denied yet everything else is fine. 

    This is an odd one, I cant move users out of an OU as stuff will break but i cant see what would be different if anything between OU's

Reply
  • 0 8 months ago

    What is odd is if i move a few test accounts out to a new OU and run the script against them there then its fine, move them back and i get the access denied yet everything else is fine. 

    This is an odd one, I cant move users out of an OU as stuff will break but i cant see what would be different if anything between OU's

Children
No Data