I want to run it on every (User) workstation

  • Question

  • Hi,

    I'm using the above script, Method 1 (ADSI), to change the rights of a user on an AD group (he is the owner and shall manage it).

    $SysManObj = [ADSI]("LDAP://CN=xx,OU=PROJECTS,OU=Accounts,DC=yy...") # bind to the group object via ADSI
    $user = Get-ADUser "zzz" -Credential $Cred                           # needs the ActiveDirectory module
    $sid = [System.Security.Principal.SecurityIdentifier] $user.SID
    $identity = [System.Security.Principal.IdentityReference] $sid
    #$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $adRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType # build the ACE
    $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)                  # add it to the group's DACL
    $SysManObj.psbase.CommitChanges()                                     # write the DACL back to AD

    It works fine if I run it on a computer on which the ActiveDirectory module is installed.

    But I want to run it on every (User) workstation without installing this module, so that every project owner can manage his projects.

    Within PS I can import the server session, and with additional credentials the normal PowerShell AD commands work fine.

    But in this script the commit statement ends with
    Exception calling "CommitChanges" with "0" argument(s): "A constraint violation occurred."

    So I believe I have to "add" credentials. Invoke-cmd does not work either.

    Is there any chance to handle that?

    • Split by jrv Tuesday, December 24, 2019 7:12 PM New question
    Tuesday, December 24, 2019 4:11 PM

Answers

  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by HWint Friday, December 27, 2019 10:25 AM
    Thursday, December 26, 2019 8:15 AM

All replies

  • The code does not require the AD module. It is ADSI, and the .NET ADSI components are installed on all versions of Windows.

    Do not use Get-AdUser.  The original code did not use that command.

    The code requires that the user must be an admin.  You would have to give admin rights to all users for this to work.  Proper understanding of AD and correct design of your AD layout will allow you to not need this code.  This is how we would normally do this.  You are just using something you found because you do not have sufficient knowledge of AD and how to manage it.

    In AD, create a group for the project manager to be manager of, give it access to the OU, and then just have the project leader add users to that group.  Adding a user to a group takes one command at any command prompt.

    To add a user at the command line:

    net group /?


    ¯\_(ツ)_/¯

    Tuesday, December 24, 2019 7:23 PM
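The question's script rewritten the way jrv's reply suggests: bound through ADSI with explicit credentials and the manager's SID resolved with .NET, so no ActiveDirectory module is needed on the workstation. This is an added example, not code from the thread; it also goes beyond the thread by scoping the grant to the group's member attribute only, and the host name, DN and account name are placeholders.

```powershell
# Added example (not from the original thread). Placeholders: host, DN, account name.
$groupPath   = "LDAP://dc01.example.local/CN=ProjectGroup,OU=PROJECTS,OU=Accounts,DC=example,DC=local"
$managerName = "EXAMPLE\projectleader"   # account that should manage the group's membership

# Credentials the script binds with; this account must be allowed to edit the group's DACL.
$cred    = Get-Credential -Message "Account with rights to edit the group ACL"
$netCred = $cred.GetNetworkCredential()

# DirectoryEntry(path, username, password, authType) binds with alternate credentials,
# the ADSI equivalent of -Credential on the AD module cmdlets. No module import needed.
$group = New-Object System.DirectoryServices.DirectoryEntry(
    $groupPath, $netCred.UserName, $netCred.Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

# Resolve the manager's SID with .NET instead of Get-ADUser (works on any domain-joined host).
$account = New-Object System.Security.Principal.NTAccount($managerName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# WriteProperty limited to the 'member' attribute (schemaIDGUID of member) lets the manager
# add and remove members without any other rights on the group object.
$memberGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$group.ObjectSecurity.AddAccessRule($ace)
$group.CommitChanges()   # writes the modified DACL back to AD

# Verify what was granted: only the ACEs whose trustee is the manager's SID.
$group.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

If CommitChanges still fails with a constraint violation, check the verification output with the binding account first: the DACL write needs WriteDacl on the group, which the credential used for the bind must hold.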