Error Invoking PowerShell script. Error: 'Exception calling "Invoke" with "2" argument(s): "Access is denied.

  • Question

  • Just installed MIMWAL and I am receiving the following error when running a script to reset a password.

    WAL (2.16.0320.0): 07/11/2016 08:34:24.3101: RunPowerShellScript : RunScript: Exception in 'RunPowerShellScript : RunScript'. Details: MicrosoftServices.IdentityManagement.WorkflowActivityLibrary.Exceptions.WorkflowActivityLibraryException: Error Invoking PowerShell script. Error: 'Exception calling "Invoke" with "2" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"' ---> System.Management.Automation.MethodInvocationException: Exception calling "Invoke" with "2" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))" ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

       --- End of inner exception stack trace ---

       at System.Management.Automation.DotNetAdapter.AuxiliaryMethodInvoke(Object target, Object[] arguments, MethodInformation methodInformation, Object[] originalArguments)

       at System.Management.Automation.DotNetAdapter.MethodInvokeDotNet(String methodName, Object target, MethodInformation[] methodInformation, Object[] arguments)

       at System.Management.Automation.Adapter.BaseMethodInvoke(PSMethod method, Object[] arguments)

       at System.Management.Automation.ParserOps.CallMethod(Token token, Object target, String methodName, Object[] paramArray, Boolean callStatic, Object valueToSet)

       at System.Management.Automation.MethodCallNode.InvokeMethod(Object target, Object[] arguments, Object value)

       at System.Management.Automation.MethodCallNode.Execute(Array input, Pipe outputPipe, ExecutionContext context)

       at System.Management.Automation.ParseTreeNode.Execute(Array input, Pipe outputPipe, ArrayList& resultList, ExecutionContext context)

       at System.Management.Automation.StatementListNode.ExecuteStatement(ParseTreeNode statement, Array input, Pipe outputPipe, ArrayList& resultList, ExecutionContext context)

       --- End of inner exception stack trace ---

       at MicrosoftServices.IdentityManagement.WorkflowActivityLibrary.Activities.RunPowerShellScript.RunScript(String script, IEnumerable scriptArguments, Dictionary`2 scriptParameters).

    Extended Properties:

    WorkflowInstanceId: f66eb0b3-9911-4c5b-a872-32a09a2f53c2

    TargetId: 2c3c2766-2a26-4b65-b9d2-e92064115ee6

    RequestId: d33378d0-e090-44f2-afe6-bb771dd5b414

    WorkflowDefinitionId: 6d25bf39-f9b7-4642-bc37-25e229099afd

    ActorId: 7fb2b853-24f0-4498-9534-4e10589723c4

    Monday, July 11, 2016 2:54 PM

All replies

  • Are you able to execute the script manually with RunAs as the FIMService service account?
    Tuesday, July 12, 2016 6:00 AM
  • Hi Nilesh,

       Can you please help me with what rights need to be given to the FIMService account to run this script, as I am also getting the same error. Also, we don't have much control over AD, but we do have local admin rights on the machines where the MIM portal and MIM services are installed. Also, if you can point to some link/blog/forum where this is described in a better way, that would be helpful to prove our point in case we need some privileged rights for this FIMService account. I am posting this after some effort already done from my side, but I was not able to find anything. Thanks in advance.

    Tuesday, February 12, 2019 5:21 AM
  • What investigations have you done so far? Are you able to execute the script manually with RunAs as the FIMService service account? Can you post the bare-minimum script that throws this error in your environment?
    Tuesday, February 12, 2019 7:27 AM
  • Use case: delegated password change by running PowerShell with the help of MIMWAL.

    Tried so far: I had added the service account that is used to run FIMService to the Administrators group on the same box where the service is installed. When I try to run the following script as local administrator, it works and does the password change. When it is run as the FIMService account, it gives the error, so I suspect that it lacks some privilege that the MIM admin account has; if we can point to that specific privilege instead of all privileges, we can present that to our AD team. Please let me know in case more information is needed.

    Exception calling "Invoke" with "2" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005
    At E:\mim\ResetPasswordBackup\TestPass.ps1:48 char:1
    + $user.psbase.invoke("SetPassword",$modifier)

    The following is the standard script that is used for the password change:

    $username = "xxxx"
    $modifier = "xxxx"
    $ErrorActionPreference = "stop"
    if ($username -eq "") { throw "Username parameter must be provided." }
    if ($modifier -eq "") { throw "Modifier parameter must be provided." }
    $searchDN = "xx"
    $BaseDN   = "xxxxx"
    $domAdmin = "xx"
    $domPass  = "xxxx"

    # Bind to the search root with the delegated credentials
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry $BaseDN, $domAdmin, $domPass
    if ($objDomain -eq $null) { throw "Authentication failed - please verify your username and password." }
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = "(&(objectClass=user)(sAMAccountName=$username))"
    $objSearcher.SearchScope = "Subtree"
    $user = $objSearcher.FindOne()
    if ($user -eq $null) { throw "No user found with username=$username" }
    $userDN = $user.Path
    # Note: this bind runs under the identity of the calling process, not $domAdmin
    $user = [ADSI]$userDN
    $user.psbase.Invoke("SetPassword", $modifier)

    Tuesday, February 12, 2019 12:15 PM
  • Well, your AD team should know better what permissions are needed to reset a user's password, as this is their home turf :) Anyway, to reset a password you'll need, guess what, the "Reset Password" permission in AD. If you enhance your script to unlock any account locked out for bad password attempts, you'll need write permission on the lockoutTime attribute, and if you also make it require the user to change password at next logon, then you'd need write permission on the pwdLastSet attribute as well.

    Tuesday, February 12, 2019 8:07 PM
  • Well, I suppose I was not able to make myself clear.

    We are connecting to a particular AD server with a username and password, and this user has all the rights needed to do the operation on the user. This is confirmed by the fact that when we run the above script as a user which has local admin rights (on the machine on which FIMService is installed), it runs successfully and does the update. But when running the same script as the FIMService account, it fails. So FIMService needs some permissions (on the machine, PowerShell, the AD API, etc.) which we don't know and are not able to figure out. If we can have some pointers in this direction, then we can ask for the correct privileges for that user.

    Hope I was able to clarify our ask this time.

    Thursday, February 14, 2019 6:00 AM
  • So, the code snippet below (which is the only thing I focused on previously):

    $userDN = $user.path
    $user = [ADSI]$userDN

    does NOT use any alternate user credentials. Looking more broadly now, the code that does use alternate user credentials is pretty unnecessary, as any user in AD would have read permissions by default, so no special rights are needed for the search.

    BTW, what is the reason for using such archaic code? Do you still not have 2012 DCs? If yes, you are better off using the AD cmdlets to save tons of troubleshooting.

    Thursday, February 14, 2019 6:53 AM
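The diagnosis in the last reply (the `[ADSI]$userDN` bind runs as the FIMService process identity, not as the delegated account that holds "Reset Password") turned into a script, as an added example that is not from the thread or from MIMWAL: the located user is re-bound with the same delegated credentials used for the search, and the optional unlock and must-change switches map to the lockoutTime and pwdLastSet writes mentioned earlier in the thread. The function name, parameter names and the example BaseDN are assumptions.

```powershell
# Added example (not from the thread or from MIMWAL). Names and the BaseDN are assumptions.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Reset-DelegatedPassword {
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][securestring]$NewPassword,
        # Account that actually holds the "Reset Password" right on the target OU
        [Parameter(Mandatory)][pscredential]$DelegatedCredential,
        [string]$BaseDN = 'LDAP://DC=example,DC=test',   # placeholder search root
        [switch]$Unlock,                                # also needs write on lockoutTime
        [switch]$MustChangePassword                     # also needs write on pwdLastSet
    )
    $delegatedUser = $DelegatedCredential.UserName
    $delegatedPwd  = $DelegatedCredential.GetNetworkCredential().Password

    # Bind the search root with the delegated credentials and force the bind now,
    # so a bad credential fails here with a clear message instead of at SetPassword.
    $root = New-Object System.DirectoryServices.DirectoryEntry($BaseDN, $delegatedUser, $delegatedPwd)
    try { $null = $root.psbase.NativeObject } catch { throw "Bind to $BaseDN as $delegatedUser failed: $_" }

    # Escape LDAP filter metacharacters in the caller-supplied name (RFC 4515), backslash first.
    $safeName = $Username -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(&(objectClass=user)(sAMAccountName=$safeName))"
    $searcher.SearchScope = 'Subtree'
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user found with sAMAccountName=$Username" }

    # The fix for the thread's error: [ADSI]$result.Path would bind as the process identity
    # (the FIMService account, which lacks the Reset Password right). Re-binding with the
    # delegated credentials keeps the reset under the account that does hold it.
    $user = New-Object System.DirectoryServices.DirectoryEntry($result.Path, $delegatedUser, $delegatedPwd)
    $plainNew = (New-Object pscredential 'unused', $NewPassword).GetNetworkCredential().Password
    $user.psbase.Invoke('SetPassword', $plainNew)   # extended right: Reset Password

    if ($Unlock)             { $user.psbase.Properties['lockoutTime'].Value = 0 }  # write lockoutTime
    if ($MustChangePassword) { $user.psbase.Properties['pwdLastSet'].Value  = 0 }  # write pwdLastSet
    if ($Unlock -or $MustChangePassword) { $user.psbase.CommitChanges() }

    return $user.psbase.Properties['distinguishedName'].Value
}

# Example invocation (constructed; prompts for the delegated account's password):
# Reset-DelegatedPassword -Username 'jdoe' -NewPassword (Read-Host -AsSecureString 'New password') `
#     -DelegatedCredential (Get-Credential 'EXAMPLE\svc-pwreset') -MustChangePassword
```

When called from a MIMWAL RunPowerShellScript activity, pass the delegated account as a PSCredential built from a secured store rather than as literal strings in the script body, and grant that account only the Reset Password right (plus lockoutTime/pwdLastSet write if those switches are used) on the OU it serves.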