How to set Assigned Access for Edge Browser - powershell

I would like to set Edge as an Assigned Access to a User.
I'm using the following PowerShell Command:
Set-AssignedAccess -AppUserModelId Microsoft.MicrosoftEdge -UserName xy
But I always get the following error (translated from German):
System error 1376 has occurred.
The specified local group does not exist.
New-CimInstance : A general error has occurred, for which
no specific error code is available.
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1:300
Zeichen:13
+ New-CimInstance -ClassName WEDL_AssignedAccess -Property ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (WEDL_AssignedAccess:CimInstance) [New-CimInstance], CimException
+ FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand
The local user exists, and the app exists too. I also logged in as the user I want to set the assigned access for, to make sure the profile is set up correctly.
This happened on two different Windows 10 (build 14393) machines.
I'm on PSVersion:
PS C:\WINDOWS\system32> $psversiontable.psversion.toString()
5.1.14393.1944
Does anybody know how to solve this?

Ran into this yesterday. From what I could tell, the "local group" that's referenced is actually the admin group.
I ran the following commands in an elevated PowerShell prompt:
Net localgroup administrators /add
This creates a local Administrators group.
Net localgroup administratörer administrators /add
This adds the Administrators group to the local admin group (Administratörer is the Swedish localization of Administrators; use the localized name for your country instead).
After this is done, run your previous commands.
Give it a try, hope it helps :)
//Chris

Set-AssignedAccess -UserName weakusername -AUMID Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge

Related

"Add-UnifiedGroupLinks is not recognized.." even though ExchangeOnlineManagement 2.0.5 is definitely installed

I'm semi-new to PowerShell, so please excuse me if I mix up some terminology. I need to manage M365-Groups via PS. I've inherited a productive machine which had a very old ExchangeOnlineModule installed (v. 0.4578.0). This version did allow me to read the M365-Group members via get-unifiedGroupLinks -identity "zzz.test" -LinkType Members, but not to add members.
Next I installed the latest productive version of the ExchangeOnlineManagement module according to MS' manual.
The command
Get-InstalledModule
shows me version 2.0.5.
The command
Get-Module -ListAvailable
shows both the old and the new version, installed in "Directory: C:\Program Files\WindowsPowerShell\Modules"
When I now try to run the following Add-command, I receive the error below:
Add-UnifiedGroupLinks -Identity "zzz.test" -LinkType Members -Links "mytestuser#mydomain.com"
Add-UnifiedGroupLinks : The term 'Add-UnifiedGroupLinks' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At line:1 char:1
+ Add-UnifiedGroupLinks -Identity "zzz.test" -LinkType Members -Link ...
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Add-UnifiedGroupLinks:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Same after I "manually" import that specific module version with "Import-Module".
Can anyone help me understand why this command works on my test machine, but is simply not recognized on this one? I already restarted that productive machine after the installation.
Thank you in advance & best regards
MK

Figured it out with testing: The issue was insufficient access rights in AzureAD for the user used to connect to Exchange Online.
It would seem that the module only loads the commands for which you have the access rights to use into the connected session. Therefore, when you try to use such a command (like Add-UnifiedGroupLinks) you get a "Term is not recognized" error, instead of something meaningful.
For those who care: It worked for me after adding the Exchange administrator role and, obviously, with the Global administrator role. Maybe there is a lesser role that is sufficient, but I haven't found it.
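
A preflight check for the situation described above, as an added example that is not part of the original posts: it separates "module not installed" and "not connected" from "cmdlet not exposed to the connecting account". The function name Test-ExoCmdletAccess is hypothetical, and the session check assumes a module version that connects over remote PowerShell, as 2.0.5 does.

```powershell
# Added example: run in the same session, after Connect-ExchangeOnline.
function Test-ExoCmdletAccess {
    param(
        [Parameter(Mandatory)]
        [string[]]$Cmdlet
    )

    # Newest installed copy of the module, if any.
    $module = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1

    # ASSUMPTION: the connection is a remote PowerShell session (true for 2.0.5),
    # so an open one is listed with this configuration name.
    $session = Get-PSSession | Where-Object {
        $_.ConfigurationName -eq 'Microsoft.Exchange' -and $_.State -eq 'Opened'
    }

    foreach ($name in $Cmdlet) {
        # Only cmdlets granted to the connecting account are imported into the session.
        $command = Get-Command -Name $name -ErrorAction SilentlyContinue

        $diagnosis = if ($command) {
            'Available'
        } elseif (-not $module) {
            'ExchangeOnlineManagement is not installed'
        } elseif (-not $session) {
            'No open Exchange Online session'
        } else {
            'Not exposed to this account: check its role assignments'
        }

        [pscustomobject]@{
            Cmdlet        = $name
            Available     = [bool]$command
            ModuleVersion = $module.Version
            Diagnosis     = $diagnosis
        }
    }
}

# The read cmdlet that worked and the write cmdlet that did not, from the question.
Test-ExoCmdletAccess -Cmdlet 'Get-UnifiedGroupLinks', 'Add-UnifiedGroupLinks'
```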

Powershell - MailboxFolderPermissions problem with multiple Exchange Servers

I've been trying to solve this problem for days and at least narrowed it down. I'm writing a script for my company with a user interface that allows my colleagues to easily create a new Active Directory user based on a template user, create a new mailbox and add Calendar permissions to their Manager.
Everything is working except for adding the Calendar permissions.
We are running two Exchange Servers, let's call them Exchange1 and Exchange2. Enabling the mailbox based on the AD user works fine but when I get to the step of adding calendar permissions I get this error:
The mailbox /o=COMPANY/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE2/cn=Microsoft System
Attendant kann nicht geöffnet werden.
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], MailboxUnavailableException
+ FullyQualifiedErrorId : [Server=EXCHANGE1,RequestId=4f818454-7ffc-4fd9-b57d-594bedd7fab6,TimeStamp=15.10.2020 14:11:32] [FailureCategory=Cmd
let-MailboxUnavailableException] 676ABDB0,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
+ PSComputerName : EXCHANGE1
The command I'm trying to run:
Enable-Mailbox -Identity $ADUser
$EmailCalendar = $Email + ":\Calendar"
Add-MailboxFolderPermission -Identity $EmailCalendar -User $Manager -AccessRights Editor
I'm really new to using PowerShell to administer Exchange servers, so I'm kind of at the end of my troubleshooting. It doesn't matter if I connect to EXCHANGE1 or EXCHANGE2, the error message stays the same and I'm having trouble understanding why the mailbox is unavailable.
Any help is appreciated :)

Move users from SFB on-prem to Teams\SFBO

Updated SFB on-prem to CU9 but for some reason I'm unable to move a test user to Teams or SFBO. Anyone facing this issue?
I tried to use PS commands and the SFB admin portal but got the same results.
$cred=Get-Credential
$url="https://admxxxx.online.lync.com/HostedMigration/hostedmigrationService.svc"
Move-CsUser -Identity teamstestuser02#xxx.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url
Move-CsUser : Unable to connect to some of the servers in pool
"XXX.com" due to a Distributed Component Object Model (DCOM) error.
Verify that Front End service is running on servers in this pool. If
the pool is set up for load balancing, verify that load balancer is
configured correctly. At line:2 char:1
+ Move-CsUser -Identity teamstestuser02#XXXX.com -Target "sip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=TeamsTestUse...p,xx.xxcom:OCSADUser) [Move-CsUser],
MoveUserException
+ FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet

Have you run this on the FrontEnd Server itself?
I have had hits and misses with Move-CsUser when it targets SkypeOnline.
Potential mitigations I found:
-Run on FE
-Specify undocumented Switch -DomainController to point it at a writable DC
https://learn.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud should have all the juice you need. Make sure that the user you are running this command as (i.e. logged into the FE) has CsServerAdministrator and the $Cred has Global Admin or User Admin + Skype For Business Admin.
Hope that helps :)

I used the -UseOAuth switch on the Front End server and the issue was resolved. Some users returned errors for Rollback, and nothing worked for these users until I used the force switch, with which they lost their contacts and meeting info.

Azure Powershell - get-AzureVM returning an accountName does not exist error?

I'm at a bit of a loss with where to start with this one.
I have one Azure account with 2 subscriptions (I'm not the full admin just a co-admin so can't edit them) and both are called Pay-As-You-Go with different IDs.
I can connect powershell to the account and log in, list the subscriptions, select the subscription that I want to use.
However when I issue the get-AzureVM command either in a script or from the
command line I get the error below:
Get-AzureVM : Account with name 'Pay-As-You-Go' does not exist.
Parameter name: accountName
At line:1 char:1
+ Get-AzureVM
+ ~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzureVM], ArgumentException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagement.IaaS.GetAzureVMCommand
I can enter a specific VM name and service name and get the same error back.
My confusion stems from the fact that I haven't specified that account name as far as I'm aware in the command.
I have been playing around on the machine quite a lot this morning with writing wrapper scripts to allow selection of different user name connections via a prompt and selection of the relevant subscription but nothing I'm aware would have affected this command.
I can still run the commands below and get the output I expect:
Get-AzureAccount
Get-AzureSubscription -current
So the session is working for sure.
The VM I am trying to query was created from a custom image this morning and I can RDP to it and it seems to be running normally.
Any ideas would be great?

The best way to do that is to execute the command Clear-AzureProfile. It will require you to log in again; the problem is that your account has been logged out. The same problem happens when you have 2 different subscriptions for 2 different accounts and you change from one to another after executing some commands on the first one. Using the clear command after the switch solves that.

Well, I'm not sure of the root cause of this one; restarting the machine, opening and closing the IDE etc. had no effect.
But I did find that running Remove-AzureAccount and then running Add-AzureAccount again resolved it.
So I just removed my account from PowerShell and re-added it to solve...

Powershell - Invoke command access denied while not running under domain admin account

I'm using a script to create a folder on a remote server which is a file server and an RODC.
When I run the script as a domain admin user, the command completes successfully. When I run it with an account that is in the group that can administer the RODC, I get an access denied error.
$remotefolder = [scriptblock]::create("New-Item -Path d:\testfolder -type directory -Force ")
Invoke-Command -ComputerName server1 -ScriptBlock $remotefolder
I get this error:
[server1] Connecting to remote server server1 failed with the following error message : Access is denied.
For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (server1:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
As it's an RODC, there are no local groups that I can add the users who need to run this script to.
Does anybody know how I can stop getting this access denied error?
Update 12/12:
I tried the same script block on a server that is only a domain member and I don't get the access denied message; the folder is created as it should be. Any thoughts on how I can get this script block running on an RODC without using a domain admin user?

You should probably read up on PSSessionConfiguration before you do this, so you understand the implications, starting with
help about_Session_Configurations
First, create a domain group called 'RODC PowerShell Users'. Put yourself in it, wait for replication, log off and on again. Check that you're in this group.
Second, from an elevated shell on the RODC, run this:
Set-PSSessionConfiguration microsoft.powershell -ShowSecurityDescriptorUI
(After the first time, you'll probably want to use -Force, but it's useful to see what it's doing.) Hit Y when asked to confirm.
After a few seconds it will display the Permissions UI for http://schemas.microsoft.com/powershell/microsoft.powershell
Click Add, enter your group name in the dialog that appears, and click OK.
In the "Permissions for RODC PowerShell Remoting Access" box, start with Read and Execute. (You may need Write or Full Control, depending on what you want to do.)
Click OK.
Then enter Y in the PowerShell window to confirm you want to restart WinRM.
From your remote box, assuming you've already set up remoting on the RODC, you should now be able to run:
Invoke-Command -ComputerName server1 { $env:computername }
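
The same grant without the Permissions UI, followed by an audit of who can reach the endpoint, as an added example that is not part of the original answer. It assumes the group from the first step exists and has replicated; 'CONTOSO' is a placeholder for your domain name.

```powershell
# Added example: scripted form of the -ShowSecurityDescriptorUI steps.
# Run from an elevated shell on the RODC.
# ASSUMPTION: 'CONTOSO' is a placeholder for the domain's NetBIOS name.
$groupName  = 'CONTOSO\RODC PowerShell Users'
$configName = 'microsoft.powershell'

# Generic Read (0x80000000) + Generic Execute (0x20000000), written as a
# signed Int32 because AddAccess() takes an int access mask.
$readExecute = -1610612736

# Resolve the group to a SID; this throws if the group cannot be resolved yet.
$sid = ([System.Security.Principal.NTAccount]$groupName).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Load the endpoint's current security descriptor from its SDDL string.
$sddl = (Get-PSSessionConfiguration -Name $configName).SecurityDescriptorSddl
$sd   = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor `
    -ArgumentList $false, $false, $sddl

# Leave the ACL alone if the group already has an allow entry.
$existing = $sd.DiscretionaryAcl | Where-Object {
    $_.SecurityIdentifier -eq $sid -and $_.AceType -eq 'AccessAllowed'
}

if (-not $existing) {
    # Start with Read and Execute, as in the UI steps above.
    $sd.DiscretionaryAcl.AddAccess('Allow', $sid, $readExecute, 'None', 'None')

    # -Force suppresses the prompts and restarts the WinRM service.
    Set-PSSessionConfiguration -Name $configName `
        -SecurityDescriptorSddl $sd.GetSddlForm('All') -Force
}

# Audit: list every principal that is allowed to connect to this endpoint.
Get-PSSessionConfiguration -Name $configName |
    Select-Object -Property Name, Permission |
    Format-List
```

Keep the Permission output from the last command with your change record; it is the quickest way to spot an endpoint that has been opened to more principals than intended.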