ADSI commands causing Access Denied errors - powershell

I'm attempting to set the description attribute in ADSI via PowerShell, but keep getting "access denied". It's executing from a non-privileged user, but the user does have Write All Properties permissions over this object. With those permissions, I don't see why I would need to be a DA to write to that attribute.
Example shown here:
$Computer = [ADSI]"LDAP://cn=TESTER,cn=Computers,dc=lab,dc=local"
$Computer.Put("description", "test")
$Computer.setinfo()
$Computer.setinfo() Exception calling "setinfo" with "0" argument(s): "Access is denied. " At line:1 char:1 + $Computer.setinfo() + ~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI`
When I don't include the parenthesis (eg: $Computer.setinfo), it sets the attribute locally but never pushes it to AD. Yes i'm running in an elevated PS session.

As #Lee_Dailey mentioned, you'd better include the error message in the original post.
About the issue, are you running the script in an elevated prompt? It does not matter whether user has permissions on AD object or not if the resource requires running in elevated prompt. You should explicitly run as administrator if it needs. Can you please check again to see if that is the case here?

Related

PowerShell error: Exception calling "FindOne" with "0" argument(s): "The user name or password is incorrect. "

There is a Windows Server VM in my department that hosts some of our Web Applications. We want one of this Web Applications to get, automatically, the user department based on his NT-USER. To do so, we imagine the following path:
User enters in the Website. His NT-User is automatically taken
by IIS Whindows Authentication;
We Powershell (using an Active
Directory API) using the NT-User as a parameter;
We finally get
the user name and department.
This API works fine in my personal computer, but not in the Server. I am executing a Powershell script like this:
$helpstring = find-user 'fie7ca' | select displayname, name, st, l, distinguishedname
$helpstring;
In my personal computer:
It works fine.
But then (in the Server), I receive the following error:
Exception calling "FindOne" with "0" argument(s): "The user name or password is incorrect.
"
At C:\Users\RBAdmin_App2\Documents\WindowsPowerShell\Modules\BC-Tools\User-Functions.psm1:496 char:11
+ $user = $searcher.FindOne()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DirectoryServicesCOMException
I am imagine that I need a Active Directory feature, use LDAP or something that I do not know.
This problem was regarding the company proxy.

PowerShell Script with Clixml and Taskscheduler

Here's the problem:
When I run my PowerShell script manually, everything works fine. But it doesn't work via task scheduling.
The reason is probably my stored credentials for Active Directory and Mobile Device Management.I stored them with "Export-Clixml" but the xml files cant be read when i open the script with task scheduler. Without it works perfect.
The task scheduler is executed with the same user who saved the credentials in the XML before.
I hope you understand what I mean.
Edit 1:
I've tried the Solution from "Bender the Greatest".
Unfortunately it still doesn't work. I exported my credentials with "Export-Clixml" and import them with "Import-Clixml".
It doesn't matter if I generate them manually via my admin account or via the system account (with psexec). If I then execute it via the corresponding account with which the credentials were generated, it still doesn't work.
But it seems to find the credentials (I saw that in the log). But The import doesn't seem to work.
If I manually include the credentials in the script it works fine, but I would have liked to store them encrypted.
[Lizenzauswertung] Überprüfe Zugangsdaten
[Lizenzauswertung] MDM Zugangsdaten gefunden - Credentials found
[Lizenzauswertung] MDM AccessToken gefunden - Credentials found
[Lizenzauswertung] AD Zugangsdaten gefunden - Credentials found
Here im trying to decrypt the Password from the XML File:
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:171 Zeichen:1
+ $PSCPW = $CredsMDM.GetNetworkCredential().Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:171 Zeichen:1
+ $PSCPW = $CredsMDM.GetNetworkCredential().Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
This is a replacement for the username to have the right spelling for a webrequest:
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:172 Zeichen:1
+ $RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:172 Zeichen:1
+ $RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Here you can see the errors that occur when importing the MDM credentials. The reason for the errors is described above. I edit the credentials after importing them before they are passed to the script.
The MDM Access Token is not encrypted and can be read.
The AD credentials are not processed beforehand, but passed directly to the AD commands. Therefore, no error is displayed here. Since it does not finish the AD report, which I saw in the log, these are not imported either.
Here is a little Codesnippet of the Import/Export. Just got the code here for the MDM credentials. The other queries are the same.
If (Test-Path $CredentialsMDM){
$CredsMDM = Import-Clixml -Path $CredentialsMDM
Write-Host "[Lizenzauswertung] MDM Zugangsdaten gefunden" -ForegroundColor Green
} else {
Write-Host "[Lizenzauswertung] MDM Zugangsdaten nicht gefunden" -ForegroundColor Yellow
Get-Credential -Message "Zugangsdaten für MDM / Airwatch" | export-clixml -path $CredentialsMDM
$CredsMDM = Import-Clixml -Path $CredentialsMDM
}
Write-Host "[Lizenzauswertung] Zugangsdaten überprüft" -ForegroundColor Green
$PSCUser = $CredsMDM.UserName
$PSCPW = $CredsMDM.GetNetworkCredential().Password
$RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
$AccessToken = $CredsMDMAT.accesstoken
$Auth = $CredsAD
(I am sorry for the spaghetti code.)
You need to provide the error you're getting but I'm going to take a shot in the dark here. I'm guessing you're either exporting secretAD.xml as one user and running your script as another user from Task Scheduler, or exporting secretAD.xml on another computer/server. By default, credentials are able to be decrypted only by the user that built it on that specific server. This is how Windows' Data Protection API (DPAPI) works.
The easy way to fix this is to generate secretAD.xml as the user you intend to run the script as. You can specify your own key for decryption, which can be used by any user on any box, but you will need to figure out a method of secure delivery of the decryption key to the runtime. If you want/need to run the script as NT Authority\SYSTEM, I recommend using psexec to open an interactive SYSTEM Powershell session, generate the credential, and then use Export-CliXml to serialize the credential to secretAD.xml.
Note that the default DPAPI key gets changed when an account password is rotated, so you'll need to remember to rebuild the credential when that happens.
I've found the solution to my problem.
The reason was that the path to the credentials was ".\secretMDM.xml".
The task scheduler executes the script at a different location.
Therefore I had to specify the whole path of the file.
Thanks for the help anyway.
Edit:
Out of interest I created the "Credential" - XML files with the Task Scheduler. Have a look where it stores the files ;)

Powershell execute an action on compliance search

I created a new compliance search, and started the compliance search, now i want to execute an action with that compliance search to purge the results. However, i keep getting that the flag -Purge is not available.
PS C:\WINDOWS\system32> New-ComplianceSearchAction -Purge -PurgeType SoftDelete -SearchName "TEST delete a meeting"
A parameter cannot be found that matches parameter name 'Purge'.
+ CategoryInfo : InvalidArgument: (:) [New-ComplianceSearchAction], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,New-ComplianceSearchAction
+ PSComputerName : nam05b.ps.compliance.protection.outlook.com
I have also tried re-ordering the flags as checked below, still the same error:
PS C:\WINDOWS\system32> New-ComplianceSearchAction -SearchName "TEST delete a meeting" -Purge -PurgeType "SoftDelete"
A parameter cannot be found that matches parameter name 'Purge'.
+ CategoryInfo : InvalidArgument: (:) [New-ComplianceSearchAction], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,New-ComplianceSearchAction
+ PSComputerName : nam05b.ps.compliance.protection.outlook.com
enter code here
Old question, but Ill answer it in case it helps anyone else who comes by it...
The error "A parameter cannot be found that matches parameter name..." can be misleading. If your syntax is correct(and yours is) it usually means that you don't have sufficient permission to run the action for that commandlet. According to this question on answers.microsoft:
To delete messages, a person has to be a member of the Organization
Management role group or be assigned the Search And Purge management
role.
More details here
You may be wondering "why doesn't it just tell me that I don't have permission?" It makes a little more sense when you understand why you get this error. Remember that your session can't see(for lack of a better term) parameters or commandlets you don't have permissions for. So depending on what you are trying to do PowerShell may tell you "thats not a valid command" or "thats not a valid parameter", when in fact those are valid commmands and parameters, your session just can't see them if you don't have access to run it. This will also happen if you are connected to a wrong URI in your O365 PowerShell session(e.g. the outlook uri instead of the compliance uri)

Access denied adding domain user to local administrators group

When adding a domain user to the local administrators group I receive an access denied, this worked before and now sadly and strangely it no longer does.
$user = "mydomain/user"
$group = [ADSI]"WinNT://./Administrators,group"
$group.Add("WinNT://$user,user")
Exception calling "Add" with "1" argument(s): "Access is denied.
"
At C:\test\Untitled5.ps1:3 char:1
+ $group.Add("WinNT://$user,user")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
Logged on as a domain administrator
Same error using the PowerShell ISE or the console
Yet, I am able to add the user through the Computer Management MMC snap-in, no problem.
This is most likely User Account Control (UAC) related. Make sure you run PowerShell "As Administrator." Otherwise, if you're not running "as admin," you're running PowerShell under your user's account's standard user token, which doesn't have access to make this change.

Powershell Error when run on a different machine

I wrote a script to take an AD user, disable the user, remove the user from group memberships and move the user to an OU. I originally wrote this on our Windows 2008 R2 DC (I know, bad idea) and I wanted to run the script locally on my Win 7 SP1 machine. It has the AD role installed as stated in this article (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx)
I ran on both the DC and my Win7 machine $PSVersionTable and they are exactly the same. I can run ADSIEDIT.msc on the Win 7 machine. The error is occurring when doing an AD user lookup. See error output below:
Here is my script: https://github.com/nocode99/powershell/blob/master/UserDisableGroupRemoval.ps1
Property 'filter' cannot be found on this object; make sure it exists and is settable.
At C:\Admin\test.ps1:23 char:12
+ $ADsearch. <<<< filter = "(&(objectClass=user)(sAMAccountName=$user))"
+ CategoryInfo : InvalidOperation: (filter:String) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound
You cannot call a method on a null-valued expression.
At C:\Admin\test.ps1:24 char:32
+ $ADfind = $ADsearch.findOne <<<< ()
+ CategoryInfo : InvalidOperation: (findOne:String) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Any ideas? The ActiveDirectory module imports with no issues and I want my users to run this locally on their machine rather than the DC.
Looks like I needed to include a filter before the lookup and added:
$adsearch = [adsisearcher]""
though I'm not sure why this works without the filter on AD server itself.