Access Denied when running Set-ADUser with delegated rights

  • Question

  • Hi,

    When a user with delegated rights runs a script to change a specific field, he gets the message "access denied".

    If he changes the value through the ADUC snap-in, he can change the field he has the rights for.

    if ($objext2txtbox.text -ne "") {
        set-aduser -Identity $user.DistinguishedName[0] -Replace @{employeeNumber=@($objext2txtbox.text)}
    } else {
        $user.employeeNumber.clear()
    }

    Above is the code snippet where the change is set. If the complete code is required, I can post that too.

    Best regards

    Malte

    Wednesday, March 25, 2015 12:52 PM

Answers

  • Why are you using SetInfo? Set-ADUser does not need that. We don't use it with the AD cmdlets.


    ¯\_(ツ)_/¯

    • Marked as answer by Malte_EP Monday, April 20, 2015 6:44 AM
    Monday, April 13, 2015 7:48 AM
  • I used the form from this script and modified it for my use, and it uses SetInfo:

    https://gallery.technet.microsoft.com/scriptcenter/GUI-for-AD-User-Attribute-b6ac7251

    I commented it out for the user, so everything works.

    • Marked as answer by Malte_EP Friday, April 17, 2015 11:52 AM
    Monday, April 13, 2015 7:54 AM
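The approach the answer recommends, written out as an added example that is not code from the thread or the linked gallery scripts: the set-or-clear branch from the question done purely with Set-ADUser (no ADSI SetInfo() commit), so the delegated account only needs write access to employeeNumber. It assumes the ActiveDirectory module is loaded and that Set-ADUser reports insufficient rights as a Microsoft.ActiveDirectory.Management.ADException; the function name Set-EmployeeNumber is my own.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module.
function Set-EmployeeNumber {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,   # DN, sAMAccountName or objectGUID
        [AllowEmptyString()] [string] $Value         # empty text box means "clear"
    )
    try {
        if ([string]::IsNullOrWhiteSpace($Value)) {
            # -Clear removes the attribute; equivalent to -EmployeeNumber $null
            Set-ADUser -Identity $Identity -Clear 'employeeNumber' -ErrorAction Stop
        } else {
            # -Replace writes only this attribute; nothing else on the object is touched
            Set-ADUser -Identity $Identity -Replace @{ employeeNumber = $Value.Trim() } -ErrorAction Stop
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADException] {
        # Surface the real cause instead of the form swallowing it. For a delegated
        # account this normally means the ACE for "Write employeeNumber" is missing
        # on this object or OU (inspect with: dsacls "<user DN>").
        throw "Set-ADUser failed for '$Identity' running as $env:USERNAME : $($_.Exception.Message)"
    }

    # Re-read from the directory so the caller sees the committed value, not a cached one.
    (Get-ADUser -Identity $Identity -Properties employeeNumber).employeeNumber
}

# Usage from the form's button handler (replaces the if/else in the question):
# Set-EmployeeNumber -Identity $user.DistinguishedName[0] -Value $objext2txtbox.Text
```

Test the function at a plain PowerShell prompt under the delegated account before wiring it into the form, as the answer suggests, so any permission error is visible.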

All replies

  • if ($objext2txtbox.text -ne ""){
        set-aduser -Identity $user.DistinguishedName[0] -Replace @{employeeNumber=$($objext2txtbox.text)}
    }else{
        # this won't work.
        $user.employeeNumber.clear()
    }



    ¯\_(ツ)_/¯




    • Edited by jrv Wednesday, March 25, 2015 1:39 PM
    Wednesday, March 25, 2015 1:37 PM
  • I changed the part which you said doesn't work:

    if ($objext2txtbox.text -ne "") {
        set-aduser -Identity $user.DistinguishedName[0] -Replace @{employeeNumber=@($objext2txtbox.text)}
    } else {
        set-aduser -Identity $user.DistinguishedName[0] -employeeNumber $null
    }


    But the delegated user account still can't change the given field.

    I used the code from this one https://gallery.technet.microsoft.com/scriptcenter/Getting-Users-ALL-7417b71d and changed some small things, like the code snippet shown.

    • Edited by Malte_EP Friday, April 10, 2015 11:21 AM
    Friday, April 10, 2015 11:18 AM
  • You changed it wrong. Go back and look at the example.

    You cannot set a value to $null.

    Forget about the form. Try to do it at a command prompt first. When you finally understand the cmdlet, then you can try to do it in a form.


    ¯\_(ツ)_/¯

    Friday, April 10, 2015 11:31 AM
  • So then can you explain to me why I can run the same script with domain admin rights and set the value to $null? And on the official Microsoft site for Set-ADUser, the way to empty the value is to set it to $null:

    ServicePrincipalNames

    Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add, remove, replace or clear service principal name values.
    Syntax:
    To add values:
    -ServicePrincipalNames @{Add=value1,value2,...}
    To remove values:
    -ServicePrincipalNames @{Remove=value3,value4,...}
    To replace values:
    -ServicePrincipalNames @{Replace=value1,value2,...}
    To clear all values:
    -ServicePrincipalNames $null

    Friday, April 10, 2015 11:46 AM
  • That is not employeeNumber.

    The rest of the code is not what I posted. Look at the difference. You replaced $ with a @, which won't work.

    You also fail to say what error you are getting which should tell you what the issue is.  Look closely at the error.

    Doing this under a forms designer makes seeing the error a bit difficult.


    ¯\_(ツ)_/¯

    Friday, April 10, 2015 2:30 PM
  • Thank you for your help. First of all, the error says "exception calling with 0 argument(s): Access denied", but at the point in the form where $user.SetInfo() is called. The data is written to the account, but is not updated directly, only after I click Select again. If I run it with domain admin rights it works like a charm.

    To empty an attribute you have to use $null in PowerShell: https://technet.microsoft.com/de-de/library/ee617215.aspx

    The commands on their own run in PowerShell without any problems.

    Monday, April 13, 2015 7:25 AM
  • OK - I will try this once more:

    At a PowerShell prompt (CLI) type this command:

    set-aduser -Identity username -Replace @{employeeNumber='122345'}

    If you correctly delegated the rights it will work.  After you can make it work at a prompt then you can try to do it in a form.



    ¯\_(ツ)_/¯

    Monday, April 13, 2015 7:31 AM
  • The commands run in PowerShell without problems under the delegated account. I had forgotten to add that in the last sentence I wrote previously. The form itself works under the delegated user when I comment out $user.SetInfo(), which causes the error.

    Monday, April 13, 2015 7:44 AM