Using PowerShell to Fix an ObjectSID on a Portal object
-
Saturday, March 27, 2010 10:55 PM
Summary
Sometimes the ObjectSID just isn't what you want it to be, or it's been unintentionally recalled due to another action. :)
This script should fix the portal object, just pass it the account name and domain on the command line and it will retrieve the SID, find the object by AccountName in the portal and then fix it if it is wrong.
Based on earlier examples by Joe Schulman and Markus Vilcinskas.

PARAM([string]$AccountName,[string]$Domain)
cls
#------------------------------------------------------------------------------------------------------
set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant

function GetSidAsBase64
{
    PARAM($AccountName, $Domain)
    END
    {
        # Resolve DOMAIN\AccountName to its SID (a private variable is used here instead of the automatic $args)
        $ntAccountArgs = (,$Domain)
        $ntAccountArgs += $AccountName
        $ntaccount = New-Object System.Security.Principal.NTAccount $ntAccountArgs
        $desiredSid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
        write-host " -Account SID : ($Domain\$AccountName) $desiredSid"
        # Size the byte array from the resolved SID rather than from a fixed placeholder SID
        $sidArray = New-Object byte[] $desiredSid.BinaryLength
        $desiredSid.GetBinaryForm($sidArray,0)
        $desiredSidString = [System.Convert]::ToBase64String($sidArray)
        $desiredSidString
    }
}
#------------------------------------------------------------------------------------------------------
write-host "`nFix Account ObjectSID"
write-host "=========================="
#------------------------------------------------------------------------------------------------------
#Retrieve the Base64 encoded SID for the referenced user
$accountSid = GetSidAsBase64 $AccountName $Domain
#------------------------------------------------------------------------------------------------------
#Export the account configuration from the service:
write-host " -Reading Account information"
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
$exportObject = export-fimconfig -uri $URI `
                                 -onlyBaseResources `
                                 -customconfig ("/Person[AccountName='$AccountName']")
if($exportObject -eq $null) {throw "Cannot find an account by that name"}
$objectSID = $exportObject.ResourceManagementObject.ResourceManagementAttributes | `
                Where-Object {$_.AttributeName -eq "ObjectSID"}
Write-Host " -New Value = $accountSid"
Write-Host " -Old Value =" $objectSID.Value
# Base64 is case-sensitive, so compare with the case-sensitive -ceq rather than -eq
if($accountSid -ceq $objectSID.Value)
{
    Write-Host "Existing value is correct!"
}
else
{
    $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $importChange.Operation = 1
    $importChange.AttributeName = "ObjectSID"
    $importChange.AttributeValue = $accountSid
    $importChange.FullyResolved = 1
    $importChange.Locale = "Invariant"
    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $importObject.ObjectType = $exportObject.ResourceManagementObject.ObjectType
    $importObject.TargetObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
    $importObject.SourceObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
    $importObject.State = 1
    $importObject.Changes = (,$importChange)
    write-host " -Writing Account information ObjectSID = $accountSid"
    $importObject | Import-FIMConfig -uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
    if($Err){throw $Err}
    Write-Host "Success!"
}
#------------------------------------------------------------------------------------------------------
trap
{
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    Exit
}
#------------------------------------------------------------------------------------------------------
Go to the FIM ScriptBox
Edited by Markus Vilcinskas, Microsoft Employee, Owner, Sunday, March 28, 2010 5:32 PM: typo
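As an added example (not part of Brad's script or the FIM ScriptBox), here is the conversion GetSidAsBase64 performs, isolated so it can be checked offline against a known SID with no domain lookup and no call to the FIM service; the SID and Base64 value used are the ones printed in the February 2012 reply further down this thread, and the two function names are my own.

```powershell
# Added example, not from the original post: round-trip a textual SID through the
# Base64 byte form that FIM stores in ObjectSID, without touching the domain or FIM.

function ConvertTo-Base64Sid {
    PARAM([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier $SidString
    # Allocate exactly BinaryLength bytes (8 header bytes plus 4 per sub-authority)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    return [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-Base64Sid {
    PARAM([string]$Base64)
    $bytes = [System.Convert]::FromBase64String($Base64)
    # Constructor SecurityIdentifier(byte[] binaryForm, int offset)
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
    return $sid.Value
}

# Values taken from the output posted later in this thread
$sidText = 'S-1-5-21-1314303383-2379350573-4036118543-289936'
$stored  = 'AQUAAAAAAAUVAAAAl61WTi0C0o0PSJLwkGwEAA=='

$encoded = ConvertTo-Base64Sid $sidText
$decoded = ConvertFrom-Base64Sid $stored

# Base64 is case-sensitive, so use -ceq rather than the case-insensitive -eq
"Encoded value matches the stored value : $($encoded -ceq $stored)"
"Stored value decodes to SID            : $decoded"
"Decoded SID matches the account SID    : $($decoded -ceq $sidText)"
```

Decoding the "-Old Value" the script prints this way tells you which account the existing ObjectSID actually belongs to before you overwrite it.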
All Replies
-
Monday, November 29, 2010 3:16 AM
Hi Brad!
I'm trying to run your script but I'm receiving this error:
Some or all identity references could not be translated
The instruction $ntaccount.Translate is near to the error.
Any clue or suggestion?
Regards
Alejandro
-
Monday, November 29, 2010 8:04 AM
Did you provide the accountname and domain as parameters?
http://setspn.blogspot.com
-
Monday, November 29, 2010 11:34 AM
Yes, I do.
In PowerShell, I am running:
>> BradScript.PS1 FimServiceAccount, MyDomain
I also added some Write-Host lines to check the script, and the variables $AccountName $Domain are showing the rights values.
But the script stops with error at:
$desiredSid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
-
Monday, November 29, 2010 2:08 PM
If I'm correct, the correct syntax is:
>> BradScript.PS1 FimServiceAccount MyDomain
So no "," is involved between those parameters.
http://setspn.blogspot.com
-
Monday, November 29, 2010 5:11 PM
Thank you Thomas!!! The "," was my mistake. Now the script is running!!!!!
Alejandro
-
Thursday, February 16, 2012 2:34 PM
When I run the script I get the following:
Fix Account ObjectSID
==========================
-Account SID : (mydomain\USERID) S-1-5-21-1314303383-2379350573-4036118543-289936
-Reading Account information
-New Value = AQUAAAAAAAUVAAAAl61WTi0C0o0PSJLwkGwEAA==
-Old Value =
-Writing Account information ObjectSID = AQUAAAAAAAUVAAAAl61WTi0C0o0PSJLwkGwEAA==
SourceObjectIdentifier : urn:uuid:63f7201a-3fc4-465a-a678-2f1f9fed73e7
TargetObjectIdentifier : urn:uuid:63f7201a-3fc4-465a-a678-2f1f9fed73e7
ObjectType : Person
State : Put
Changes : {ObjectSID}
AnchorPairs :
Error: Failure when making web service call.
SourceObjectID = urn:uuid:63f7201a-3fc4-465a-a678-2f1f9fed73e7
Error = Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The request message contains errors that prevent processing the request.
at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate(String synchronizationSequenceIdentifier)
at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()
at Microsoft.ResourceManagement.Automation.ImportConfig.UnifiedClientPut(List`1 changeList, UniqueIdentifier objectIdentifier, String objectType, CultureInfo locale)
at Microsoft.ResourceManagement.Automation.ImportConfig.ProcessLocaleBucket(String objectIdentifier, String objectType, Dictionary`2 localeBucket)
at Microsoft.ResourceManagement.Automation.ImportConfig.Put(String objectIdentifier, String objectType, List`1 changeList)
at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing()
Opper ...don't stop.
-
Monday, April 02, 2012 10:39 AM
Any help on this? Please? :)
Opper ...don't stop.
-
Monday, April 02, 2012 3:38 PM
Is there anything in the request history or event viewer when you run this command that might shed a little more light on it?
-
Tuesday, April 03, 2012 10:50 AM
The event log has 2:
1.
Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException' was thrown.
2.
Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Microsoft.ResourceManagement: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException' was thrown.
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException)
at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
Opper....