PowerShell execute an action on compliance search - powershell

I created a new compliance search and started it; now I want to execute an action with that compliance search to purge the results. However, I keep getting an error that the flag -Purge is not available.
PS C:\WINDOWS\system32> New-ComplianceSearchAction -Purge -PurgeType SoftDelete -SearchName "TEST delete a meeting"
A parameter cannot be found that matches parameter name 'Purge'.
+ CategoryInfo : InvalidArgument: (:) [New-ComplianceSearchAction], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,New-ComplianceSearchAction
+ PSComputerName : nam05b.ps.compliance.protection.outlook.com
I have also tried re-ordering the flags as checked below, still the same error:
PS C:\WINDOWS\system32> New-ComplianceSearchAction -SearchName "TEST delete a meeting" -Purge -PurgeType "SoftDelete"
A parameter cannot be found that matches parameter name 'Purge'.
+ CategoryInfo : InvalidArgument: (:) [New-ComplianceSearchAction], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,New-ComplianceSearchAction
+ PSComputerName : nam05b.ps.compliance.protection.outlook.com

Old question, but I'll answer it in case it helps anyone else who comes by it...
The error "A parameter cannot be found that matches parameter name..." can be misleading. If your syntax is correct (and yours is), it usually means that you don't have sufficient permission to run the action for that cmdlet. According to this question on answers.microsoft:
To delete messages, a person has to be a member of the Organization
Management role group or be assigned the Search And Purge management
role.
More details here
You may be wondering "why doesn't it just tell me that I don't have permission?" It makes a little more sense when you understand why you get this error. Remember that your session can't see (for lack of a better term) parameters or cmdlets you don't have permissions for. So depending on what you are trying to do, PowerShell may tell you "that's not a valid command" or "that's not a valid parameter", when in fact those are valid commands and parameters; your session just can't see them if you don't have access to run them. This will also happen if you are connected to the wrong URI in your O365 PowerShell session (e.g. the Outlook URI instead of the compliance URI).
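The answer above boils down to two checks: which endpoint the remote session is actually connected to, and whether RBAC has exposed the parameter to this account. The following diagnostic is an added example, not code from the answer or from Microsoft; it assumes an already opened Security & Compliance session (for instance via Connect-IPPSSession), that Get-ManagementRoleAssignment is proxied into that session, and that the role name "Search And Purge" is the one quoted in the answer. It only reads session and role information and never runs the purge itself.

```powershell
# Added diagnostic (not from the original answer): explain why a parameter of a
# Security & Compliance cmdlet "cannot be found" in the current remote session.
function Test-CompliancePurgeAccess {
    param(
        [string]$CmdletName    = 'New-ComplianceSearchAction',
        [string]$ParameterName = 'Purge',
        [string]$RoleName      = 'Search And Purge'   # role named in the answer
    )

    $result = [ordered]@{
        SessionHost      = $null
        CmdletVisible    = $false
        ParameterVisible = $false
        RoleHolders      = @()
    }

    # 1. Which endpoint is the implicit-remoting session connected to?
    #    A mailbox session (outlook.office365.com) imports a different cmdlet set
    #    than the compliance endpoint (*.ps.compliance.protection.outlook.com).
    $sessions = Get-PSSession | Where-Object { $_.State -eq 'Opened' }
    $result.SessionHost = ($sessions | ForEach-Object { $_.ComputerName }) -join ','

    # 2. Is the cmdlet proxied into this session at all?
    $cmd = Get-Command -Name $CmdletName -ErrorAction SilentlyContinue
    $result.CmdletVisible = [bool]$cmd

    # 3. Does the proxied cmdlet expose the parameter? RBAC strips parameters the
    #    caller is not entitled to, which is exactly what produces
    #    "A parameter cannot be found that matches parameter name 'Purge'".
    if ($cmd) {
        $result.ParameterVisible = $cmd.Parameters.ContainsKey($ParameterName)
    }

    # 4. Who effectively holds the role? Assumption: Get-ManagementRoleAssignment
    #    with -GetEffectiveUsers is available in the compliance session.
    try {
        $result.RoleHolders = @(
            Get-ManagementRoleAssignment -Role $RoleName -GetEffectiveUsers -ErrorAction Stop |
                ForEach-Object { $_.EffectiveUserName } |
                Sort-Object -Unique
        )
    } catch {
        Write-Warning "Could not enumerate holders of '$RoleName': $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Usage: run after connecting, then compare your UPN against RoleHolders.
Test-CompliancePurgeAccess | Format-List
```

If SessionHost does not name a compliance endpoint, reconnect to the right one before looking at roles; if it does and ParameterVisible is false, the account is simply not in a role group that carries the role, and the fix is a role assignment, not a syntax change.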

Related

PowerShell Import-GPO: Operation not valid

Afternoon everyone. I'm running into an issue I'm not sure how to handle. I'm working on a script for work to deploy a Domain Controller using PSRemoting. It all works fine until I get to where I'm importing some GPOs from backups.
*All the commands are run under invoke-command
I run the command Import-GPO -BackUpName $GPO -TargetName $GPO -Path $GPOPath -MigrationTable $MigTable -CreateIfNeeded
When I run this, I get an error on the host:
Operation is not valid due to the current state of the object.
+ CategoryInfo : NotSpecified: (:) [Import-GPO], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.GroupPolicy.Commands.ImportGpoCommand
+ PSComputerName : v204-DC1
I can't seem to find anything that says what this means. When I check for the GPOs on the DC, they all show up and seem to be linked properly. I am curious what this error is, or if I should just append -ErrorAction SilentlyContinue to the end of my code.
Ended up being an issue with my migration table. I rolled back to an earlier one and ended up being good to go.

InvalidCastException when trying to obtain UserPrincipal.Current

I have a PowerShell script which checks the currently signed in user as part of its start-up process. I'm using .Net to do this by adding the assembly:
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$cUser = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
For almost everyone this works fine and I get a UserPrincipal object that I can use elsewhere, however there are a couple of users who get the following error when running it:
Unable to cast object of type 'System.DirectoryServices.AccountManagement.GroupPrincipal' to type 'System.DirectoryServices.AccountManagement.UserPrincipal'. At line:2 char:1
+ [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], InvalidCastException
+ FullyQualifiedErrorId : System.InvalidCastException
This is on a standard Windows 10 20H2 install and doesn't matter if PowerShell is running elevated or not. I've never seen this call return anything other than a UserPrincipal before, so I would be grateful for any advice: is this something I can deal with in code, or is there some underlying issue with the machines that are returning this exception?
I don't know if this is what you're looking for:
$cUser = Get-ADUser $Env:Username -Properties *
This has the most important attributes that you can use for whatever you want later on. It provides as many attributes as the code you posted that didn't work for some of the users.
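The question asks whether the InvalidCastException can be handled in code. The function below is an added example, not code from the question or the answer: it keeps the original UserPrincipal.Current call, and when that call fails it falls back to looking the account up by the SID of the running token, which cannot be confused with a group of the same name. The Domain context type is an assumption; use Machine for local accounts.

```powershell
# Added example (not from the thread): resolve the signed-in user robustly.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-CurrentUserPrincipal {
    param(
        # Assumption: a domain account is expected; pass 'Machine' for local users.
        [System.DirectoryServices.AccountManagement.ContextType]$ContextType = 'Domain'
    )

    # Fast path: the same call the script uses today.
    try {
        return [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
    } catch {
        # The question's failure mode: the lookup resolved to a GroupPrincipal.
        Write-Warning ("UserPrincipal.Current failed ({0}); falling back to SID lookup" -f
            $_.Exception.GetType().Name)
    }

    # The token's SID identifies the account unambiguously, unlike a display or
    # logon name that may collide with a group.
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid   = $token.User.Value

    # The context is intentionally not disposed here: the returned principal
    # keeps a reference to it for lazy property loads.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ContextType)
    $principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
        $ctx,
        [System.DirectoryServices.AccountManagement.IdentityType]::Sid,
        $sid)

    if ($null -eq $principal) {
        # UserPrincipal.FindByIdentity only returns user objects, so a null here
        # means the token SID does not map to a user in this context at all.
        throw "No user principal with SID $sid ($($token.Name)) found in the $ContextType context"
    }
    $principal
}

# Usage: same shape as the original $cUser, plus a clear error instead of a cast failure.
$cUser = Get-CurrentUserPrincipal
$cUser | Select-Object SamAccountName, Sid, DistinguishedName
```

When the fallback also throws, the problem is in the directory data for that account rather than in the script, which is the distinction the question is trying to make.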

PowerShell Script with Clixml and Taskscheduler

Here's the problem:
When I run my PowerShell script manually, everything works fine. But it doesn't work via Task Scheduler.
The reason is probably my stored credentials for Active Directory and Mobile Device Management. I stored them with "Export-Clixml", but the XML files can't be read when I start the script with Task Scheduler. Without it, it works perfectly.
The task scheduler is executed with the same user who saved the credentials in the XML before.
I hope you understand what I mean.
Edit 1:
I've tried the solution from "Bender the Greatest".
Unfortunately it still doesn't work. I exported my credentials with "Export-Clixml" and import them with "Import-Clixml".
It doesn't matter if I generate them manually via my admin account or via the system account (with psexec). If I then execute it via the corresponding account with which the credentials were generated, it still doesn't work.
It seems to find the credentials (I saw that in the log), but the import doesn't seem to work.
If I manually include the credentials in the script it works fine, but I would have liked to store them encrypted.
[Lizenzauswertung] Überprüfe Zugangsdaten
[Lizenzauswertung] MDM Zugangsdaten gefunden - Credentials found
[Lizenzauswertung] MDM AccessToken gefunden - Credentials found
[Lizenzauswertung] AD Zugangsdaten gefunden - Credentials found
Here I'm trying to decrypt the password from the XML file:
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:171 Zeichen:1
+ $PSCPW = $CredsMDM.GetNetworkCredential().Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
This is a replacement for the username to have the right spelling for a webrequest:
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:172 Zeichen:1
+ $RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Here you can see the errors that occur when importing the MDM credentials. The reason for the errors is described above. I edit the credentials after importing them before they are passed to the script.
The MDM Access Token is not encrypted and can be read.
The AD credentials are not processed beforehand, but passed directly to the AD commands. Therefore, no error is displayed here. Since it does not finish the AD report, which I saw in the log, these are not imported either.
Here is a little code snippet of the import/export. I've only put the code for the MDM credentials here; the other queries are the same.
# Load the cached MDM credential, or prompt for it once and cache it
If (Test-Path $CredentialsMDM) {
    $CredsMDM = Import-Clixml -Path $CredentialsMDM
    Write-Host "[Lizenzauswertung] MDM Zugangsdaten gefunden" -ForegroundColor Green
} else {
    Write-Host "[Lizenzauswertung] MDM Zugangsdaten nicht gefunden" -ForegroundColor Yellow
    Get-Credential -Message "Zugangsdaten für MDM / Airwatch" | Export-Clixml -Path $CredentialsMDM
    $CredsMDM = Import-Clixml -Path $CredentialsMDM
}
Write-Host "[Lizenzauswertung] Zugangsdaten überprüft" -ForegroundColor Green
# Unpack the credential for the web request; these lines throw InvokeMethodOnNull when $CredsMDM is $null
$PSCUser     = $CredsMDM.UserName
$PSCPW       = $CredsMDM.GetNetworkCredential().Password
$RPSCUser    = $PSCUser.Replace("INTRA", "intra.lan")
$AccessToken = $CredsMDMAT.accesstoken
$Auth        = $CredsAD
(I am sorry for the spaghetti code.)
You need to provide the error you're getting but I'm going to take a shot in the dark here. I'm guessing you're either exporting secretAD.xml as one user and running your script as another user from Task Scheduler, or exporting secretAD.xml on another computer/server. By default, credentials are able to be decrypted only by the user that built it on that specific server. This is how Windows' Data Protection API (DPAPI) works.
The easy way to fix this is to generate secretAD.xml as the user you intend to run the script as. You can specify your own key for decryption, which can be used by any user on any box, but you will need to figure out a method of secure delivery of the decryption key to the runtime. If you want/need to run the script as NT Authority\SYSTEM, I recommend using psexec to open an interactive SYSTEM Powershell session, generate the credential, and then use Export-CliXml to serialize the credential to secretAD.xml.
Note that the default DPAPI key gets changed when an account password is rotated, so you'll need to remember to rebuild the credential when that happens.
I've found the solution to my problem.
The reason was that the path to the credentials was ".\secretMDM.xml".
The task scheduler executes the script at a different location.
Therefore I had to specify the whole path of the file.
Thanks for the help anyway.
Edit:
Out of interest I created the "Credential" - XML files with the Task Scheduler. Have a look where it stores the files ;)
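Both the DPAPI explanation in the answer and the asker's own fix (a relative ".\secretMDM.xml" that resolves against Task Scheduler's working directory rather than the script folder) come down to the same rule: the credential file must be decrypted by the same account on the same machine, from a path that does not depend on where the task starts. The script below is an added example, not the asker's script or anything from the answer; it assumes the XML file lives next to the script, reuses the file name secretMDM.xml and the German log prefix from the question, and treats the loaded object as untrusted until it has been checked.

```powershell
# Added example (not the asker's code): load a DPAPI-protected credential in a
# way that survives being launched from Task Scheduler.

# Absolute path anchored on the script's own folder, not on $PWD / ".\".
$CredentialsMDM = Join-Path -Path $PSScriptRoot -ChildPath 'secretMDM.xml'

function Get-StoredCredential {
    param([Parameter(Mandatory)][string]$Path)

    # Log the context the task really runs in: DPAPI user keys are bound to this
    # account on this machine, so a mismatch here explains most failures.
    Write-Host ("[Lizenzauswertung] Kontext: {0} auf {1}, Arbeitsverzeichnis {2}" -f
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
        $env:COMPUTERNAME, $PWD)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Credential file not found: $Path"
    }

    try {
        $cred = Import-Clixml -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Typical message: "Key not valid for use in specified state" = exported by
        # another user or on another machine, or the password was rotated since.
        throw "Could not decrypt $Path under the current account: $($_.Exception.Message)"
    }

    if ($null -eq $cred -or $cred -isnot [System.Management.Automation.PSCredential]) {
        # Guarding here turns the asker's InvokeMethodOnNull on
        # .GetNetworkCredential() into a message that names the file.
        throw "$Path did not deserialize to a PSCredential"
    }
    $cred
}

function New-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Message = 'Zugangsdaten für MDM / Airwatch'
    )
    # Run this once, interactively, as the SAME account the task will use
    # (e.g. inside "psexec -s -i powershell.exe" for NT AUTHORITY\SYSTEM).
    # Never call it from the scheduled run: Get-Credential would block there.
    Get-Credential -Message $Message | Export-Clixml -LiteralPath $Path
}

# Usage inside the scheduled script:
if (-not (Test-Path -LiteralPath $CredentialsMDM)) {
    New-StoredCredential -Path $CredentialsMDM
}
$CredsMDM = Get-StoredCredential -Path $CredentialsMDM
Write-Host "[Lizenzauswertung] MDM Zugangsdaten gefunden" -ForegroundColor Green
$PSCUser  = $CredsMDM.UserName
$PSCPW    = $CredsMDM.GetNetworkCredential().Password   # $CredsMDM is guaranteed non-null here
$RPSCUser = $PSCUser.Replace('INTRA', 'intra.lan')
```

Because the decryption failure is now a terminating error that includes the running identity and working directory, the log alone tells you whether the task ran as the wrong account, on the wrong host, or simply from the wrong folder.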

ADSI commands causing Access Denied errors

I'm attempting to set the description attribute in ADSI via PowerShell, but keep getting "access denied". It's executing from a non-privileged user, but the user does have Write All Properties permissions over this object. With those permissions, I don't see why I would need to be a DA to write to that attribute.
Example shown here:
$Computer = [ADSI]"LDAP://cn=TESTER,cn=Computers,dc=lab,dc=local"
$Computer.Put("description", "test")
$Computer.setinfo()
$Computer.setinfo()
Exception calling "setinfo" with "0" argument(s): "Access is denied. "
At line:1 char:1
+ $Computer.setinfo()
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
When I don't include the parentheses (e.g. $Computer.setinfo), it sets the attribute locally but never pushes it to AD. Yes, I'm running in an elevated PS session.
As #Lee_Dailey mentioned, you'd better include the error message in the original post.
About the issue, are you running the script in an elevated prompt? It does not matter whether user has permissions on AD object or not if the resource requires running in elevated prompt. You should explicitly run as administrator if it needs. Can you please check again to see if that is the case here?
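Whether the write is rejected because of the object's ACL or because of the token the session runs with can be checked directly from the same ADSI object, without a second attempt to write. The function below is an added diagnostic, not code from the question or the answer; it reuses the lab DN from the question as a default, reads the object's DACL with SIDs as the identity type, and keeps only Allow entries that carry WriteProperty for a SID present in the current token.

```powershell
# Added diagnostic (not from the thread): which ACEs on the object grant the
# current token write access, and what the token actually contains.
function Get-WriteAccessOnObject {
    param([string]$DistinguishedName = 'cn=TESTER,cn=Computers,dc=lab,dc=local')

    $entry = [ADSI]"LDAP://$DistinguishedName"

    # All SIDs in the current token (user + group memberships). An elevated and a
    # non-elevated session of the same account can differ here, because the
    # UAC-filtered token carries admin groups as deny-only entries.
    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

    # Explicit + inherited rules, identities returned as SIDs (no name resolution needed).
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $rules |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $writeProperty) -and
            $mySids -contains $_.IdentityReference.Value
        } |
        Select-Object @{ n = 'Sid';      e = { $_.IdentityReference.Value } },
                      @{ n = 'Account';  e = {
                          try { $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                          catch { '(unresolved)' } } },
                      ActiveDirectoryRights,
                      # All-zero ObjectType = every attribute; otherwise the ACE is
                      # limited to one attribute or property set.
                      ObjectType,
                      IsInherited
}

# Usage: run once from the session that gets "Access is denied".
Get-WriteAccessOnObject | Format-Table -AutoSize
```

An empty result from the failing session means no ACE in the object's DACL reaches any SID in that token, so the "Write All Properties" grant is not applying to the identity that is actually binding; a non-empty result points the investigation at deny entries or at the attribute-scoped ObjectType instead.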

Set-SPBusinessDataCatalogThrottleConfig : Cannot bind parameter 'Identity'

If you are working with a larger external list (more than 2000 items) in the dev environment it works perfectly, but when you work in the production environment it throws an error:
"Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Microsoft SharePoint Foundation-compatible HTML editor such as Microsoft SharePoint Designer. If the problem persists, contact your Web server administrator. Correlation ID: ...........".
So I started working on fixing the BCS limit through PowerShell.
When I enter the command below in PowerShell I get an error. Any idea?
PS C:\Program Files\Nintex\Nintex Workflow 2010> Set-SPBusinessDataCatalogThrottleConfig -Identity Get-SPBusinessDataCatalogThrottleConfig -Scope ThrottleType Items Database-GUID-ServiceApplicationProxy 5222b2db-fdd1-43f5-accb-7f039155f654-8000-default maximum 6000
Set-SPBusinessDataCatalogThrottleConfig : Cannot bind parameter 'Identity'. Cannot convert the "Get-SPBusinessDataCatalogThrottleConfig" value of type "System.String" to type "Microsoft.SharePoint.BusinessData.SharedService.ThrottleConfig".
At line:1 char:50
+ Set-SPBusinessDataCatalogThrottleConfig -Identity <<<< Get-SPBusinessDataCatalogThrottleConfig -Scope ThrottleType Items Database-GUID-ServiceApplicationProxy 5222b2db-fdd1-43f5-accb-7f039155f654-8000-default maximum 6000
+ CategoryInfo : InvalidArgument: (:) [Set-SPBusinessDataCatalogThrottleConfig], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.SharePoint.BusinessData.SharedService.SPSetSPBusinessDataCatalogThrottleConfig
At first glance there seem to be some issues in your PowerShell syntax. You specify another cmdlet as the value for the -Identity parameter, and that won't work. SharePoint is not really my expertise, but this article by lionelro on the MSDN blogs looks like a good place to start, especially since the start of the article describes your issue only appearing in the production environment. Hope it helps.
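The binding error says it all: -Identity expects a ThrottleConfig object, and the bare word Get-SPBusinessDataCatalogThrottleConfig is passed as a string, not executed. The script below is an added example, not code from the answer or from the linked article; it follows the documented pattern of fetching the BCS service application proxy, retrieving the Items throttle for the Database scope, and handing that object to -Identity. The limits are the numbers the question tried (8000 maximum, 6000 default), with the interpretation of which is which an assumption.

```powershell
# Added example (not from the thread): raise the BCS "Items" throttle correctly.
# Run in the SharePoint Management Shell, or load the snap-in first.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. The BDC service application proxy; the type check avoids picking another proxy.
$bdcProxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.GetType().FullName -eq 'Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplicationProxy' }
if (-not $bdcProxy) { throw 'No Business Data Connectivity service application proxy found' }

# 2. The throttle object. This is what -Identity needs: an object, not a string.
$throttle = Get-SPBusinessDataCatalogThrottleConfig -Scope Database -ThrottleType Items -ServiceApplicationProxy $bdcProxy
"Before: Default={0} Max={1} Enforced={2}" -f $throttle.Default, $throttle.Max, $throttle.Enforced

# 3. Apply the new limits. Assumption: 8000 is the hard maximum, 6000 the default
#    a list gets without an explicit limit (the question lists the two numbers
#    without parameter names).
Set-SPBusinessDataCatalogThrottleConfig -Identity $throttle -Maximum 8000 -Default 6000

# 4. Re-read to confirm; the cached $throttle object is not updated in place.
$after = Get-SPBusinessDataCatalogThrottleConfig -Scope Database -ThrottleType Items -ServiceApplicationProxy $bdcProxy
"After:  Default={0} Max={1} Enforced={2}" -f $after.Default, $after.Max, $after.Enforced
```

Raising the limit rather than switching it off (the cmdlet also accepts -Enforced:$false) keeps the protection against a runaway external query; the throttle exists because one unbounded list can tie up the BDC runtime for everyone on the farm.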