How to give FIMService account required permissions to remove users from AD security groups?

    Question

  • This Access Denied problem is driving me crazy.

    I have a simple Powershell script to remove a specific user from all groups he is a member of. The Powershell is run from a CustomActivity.

    I can modify AD attributes and read Group data but it seems something prevents me when I try a remove.

    I have added the FIMService AD account to Organizational Management (for Exchange mods) and given this Group Full Control over the OU where the FIM-managed security groups are.

    My ps script can't be much simpler:

    Param($id)

    $ErrorActionPreference = "stop"

    if ($id -eq $null) {

        $x = "A username parameter must be provided."
        $x
        exit
    }

    # Locate the user by sAMAccountName (search root defaults to the domain)
    $dsd = New-Object System.DirectoryServices.DirectoryEntry
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.filter = "(&(objectCategory=person)(objectClass=user)(samAccountName=$id))"
    $dn = $ds.findOne()
    if ($dn -eq $null -or $dn.count -eq 0) {

        $x = "No user found with username=" + $id
        $x
        exit
    }
    $output = ""
    $userDN = $dn.path          # ADsPath of the user, i.e. LDAP://CN=...
    $user = [ADSI]$userDN
    $output = $output + "User DN is: " + $userDN
    foreach ($group in $user.memberof)
    {
        $output = $output + " Modifying Group: " + $group
        $groupDE = [ADSI]"LDAP://$group"
        $output = $output + " Removing: " + $userDN + " from Group " + $group
        # IADsGroup::Remove takes the member's ADsPath; this is where Access Denied is raised
        $groupDE.remove($userDN)
    }
    $output

    BUT, no matter what I try to fiddle with FIMService and its permissions, I get an exception thrown:

    Powershell script exited with error: Exception calling "remove" with "1" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

    Lots of questions:

    Is it a FIM Service related problem?

    Is it an AD problem?

    Has anyone gotten this sort of thing to work, if so, how?

    *HH

    Friday, June 15, 2012 09:46

Answers

  • [ADSI] in PowerShell constructs a DirectoryEntry on the fly for you.

    Bob is correct that you need to add a CommitChanges() call at the end, though.

    As to your permissions issue, the FIM service service account needs Write Property on the member attribute of the groups in question. The Exchange Org Mgmt group does not give you this access.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by HaroldHare Saturday, June 30, 2012 17:21
    Friday, June 15, 2012 18:48
    Moderator

All replies

  • Since you're using the ADSI object model, I think from memory you need to call a commit() after each remove. I think these days using the .Net DirectoryObject class is considered more mainstream.

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Friday, June 15, 2012 14:39
  • Sorry to be a PowerShell/C# dummy, but for the past 15 years we have developed in Java. ADSI seemed the natural way to go (for me). My guess is that the Directory object is just ADO/ADSI in an ugly wrapper.

    Thanks for the tip about member attribute write right being needed. Something to investigate.

    Friday, June 15, 2012 19:34
  • Sorry to be a PowerShell/C# dummy, but for the past 15 years we have developed in Java. ADSI seemed the natural way to go (for me). My guess is that the Directory object is just ADO/ADSI in an ugly wrapper.


    The way you're doing this is fine.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Friday, June 15, 2012 19:35
    Moderator
  • Sorry, but you answered me (or pointed me in the right direction): making the FIMService account a member of the Account Operators group solved my rights issue.

    Saturday, June 30, 2012 17:21
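Brian's point that the service account only needs Write Property on the member attribute, and the Account Operators fix in the last post, as an added example that is not code from this thread: it grants exactly that right to one account over the groups below one OU (a much narrower grant than Account Operators) and audits that the ACE is present. The OU path and account name are placeholders.

```powershell
# Added example, not code from the thread: grant one service account only
# "Write Property" on the member attribute of groups below one OU, instead of
# Account Operators membership, and audit that the ACE exists.
$ouPath  = 'LDAP://OU=FIM Managed Groups,DC=example,DC=com'   # placeholder OU
$account = 'EXAMPLE\svc-fimservice'                           # placeholder account

function Get-SchemaGuid {
    # Resolve schemaIDGUID from the schema partition instead of hard-coding it.
    param([string]$LdapDisplayName)
    $schemaNc = ([ADSI]'LDAP://RootDSE').psbase.Properties['schemaNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "Schema object '$LdapDisplayName' not found" }
    return New-Object Guid -ArgumentList (,[byte[]]$hit.Properties['schemaidguid'][0])
}

function Grant-GroupMemberWrite {
    # Allow $Identity to write 'member' on descendant group objects of $OuPath.
    param([string]$OuPath, [string]$Identity)
    $sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid 'member'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid 'group'))
    $ou = [ADSI]$OuPath
    $ou.psbase.ObjectSecurity.AddAccessRule($rule)
    $ou.psbase.CommitChanges()   # the ACL edit is only written to AD by CommitChanges()
}

function Test-GroupMemberWrite {
    # Audit: is there an Allow ACE for $Identity covering WriteProperty on 'member'?
    param([string]$OuPath, [string]$Identity)
    $memberGuid = Get-SchemaGuid 'member'
    $rules = ([ADSI]$OuPath).psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $Identity -and
            $r.AccessControlType -eq 'Allow' -and
            $r.ObjectType -eq $memberGuid -and
            ($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) { return $true }
    }
    return $false
}

if (-not (Test-GroupMemberWrite $ouPath $account)) { Grant-GroupMemberWrite $ouPath $account }
```

Run it as an account that may edit the OU's ACL; the script in the question then needs nothing more than this ACE to succeed.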