Akadaryl-2023 asked Akadaryl-2023 commented

Delegation of AD permissions to modify user details using PowerShell, and remote PowerShell issues with AD commands

We are currently in the process of creating a script to allow the HR department to update specific details of a user account (job title, department, etc.) without having to go via the service desk.

The script is written; however, there are a couple of issues we are seeing:

1) When run by a non-domain admin, the Set-ADUser command fails despite the user group having RW on all users' General, Public, and Personal Information.

2) When running the script against a remote target using Enter-PSSession, the following error is received:

 Get-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it
 does not have the Active Directory Web Services running.
 At C:\Modify User Details.ps1:67 char:20
 + ... ray]$User = Get-ADUser -Filter {(GivenName -like $FirstName) -and (Su ...
 +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
     + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

The same script works if you run it on the machine in question, however.



Tags: windows-server-powershell, windows-active-directory
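The least-privilege way to set up the delegation the question describes is to grant the HR group WriteProperty on exactly the attributes it needs, scoped to descendant user objects, instead of the much broader General/Public/Personal Information property sets. The script below is an added example and not the poster's script; the domain contoso.com, the OU OU=Staff,DC=contoso,DC=com, the group name HR-UserAttributeEditors and the attribute list are assumptions. It must be run once by an account allowed to modify the OU's security descriptor, and it ends with the check a practitioner would want: the ACEs as actually stored on the OU.

```powershell
# Added example, not from the original thread. Assumptions: domain contoso.com, HR-managed users under
# OU=Staff,DC=contoso,DC=com, HR group 'HR-UserAttributeEditors', run as an account that may edit the OU ACL.
Import-Module ActiveDirectory

$OuDn       = 'OU=Staff,DC=contoso,DC=com'
$GroupSam   = 'HR-UserAttributeEditors'
# Only the attributes HR actually needs; property sets such as 'Personal Information' cover far more.
$Attributes = 'title', 'department', 'physicalDeliveryOfficeName', 'telephoneNumber'

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$groupSid = (Get-ADGroup -Identity $GroupSam).SID

function Get-SchemaGuid {
    # Resolve an lDAPDisplayName (attribute or class) to its schemaIDGUID; ACEs reference GUIDs, not names.
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named '$LdapDisplayName'" }
    return [guid]$obj.schemaIDGUID
}

# InheritedObjectType = the 'user' class and inheritance = Descendents: the ACE applies to user objects
# below the OU only, not to the OU itself and not to computers, groups or contacts stored in it.
$userClassGuid = Get-SchemaGuid -LdapDisplayName 'user'
$inherit       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights        = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow         = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$OuDn"
foreach ($attr in $Attributes) {
    $attrGuid = Get-SchemaGuid -LdapDisplayName $attr
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, $rights, $allow, $attrGuid, $inherit, $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify what was written: every ACE for the group should show InheritanceType Descendents and an
# InheritedObjectType equal to the 'user' class GUID; an ACE with InheritanceType None would apply to
# the OU object only and would not let the group modify any user.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupSam" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

One caveat worth checking when a delegation like this looks right in the Effective Access calculator but Set-ADUser still fails for a particular account: members of protected groups (adminCount = 1) have their ACLs reset from AdminSDHolder and do not inherit OU-level permissions, so HR should never be expected to edit those accounts through this delegation.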

1 Answer

IanXue-MSFT answered Akadaryl-2023 commented

Hi,

I'm not sure what you mean by "all users General, Public, and Personal information". To enable a user group to set a property of AD users in an OU, the group should be allowed to write the property, and the permission should be applied to the descendant user objects. As to issue 2, it could be the second-hop problem:
https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/

Best Regards,
Ian Xue
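The second-hop problem the answer points to is exactly what the ADServerDownException in the question looks like: inside an Enter-PSSession or Invoke-Command session the logon is a network logon with no reusable credential, so the AD cmdlets cannot authenticate onward to Active Directory Web Services on the domain controller. The linked article solves it with CredSSP, which works but caches the user's full credentials on the intermediate host. The script below is an added example, not code from the thread or from the linked article, and shows the alternative of handing the AD cmdlets an explicit -Credential and -Server so no delegation is needed at all. The jump host name mgmt01, the DC dc01.contoso.com and the sample user are assumptions.

```powershell
# Added example, not from the original thread. Assumptions: the HR script runs on jump host 'mgmt01',
# the DC is 'dc01.contoso.com', and the delegated HR account is supplied interactively.
$hrCred = Get-Credential -Message 'Delegated HR account'

$result = Invoke-Command -ComputerName 'mgmt01' -Credential $hrCred -ScriptBlock {
    param($Server, $Cred, $GivenName, $Surname, $Title, $Department)
    Import-Module ActiveDirectory

    # Without -Credential/-Server the cmdlets would try to use the remote session's network logon,
    # which cannot be forwarded to ADWS (the second hop) and fails with ADServerDownException.
    # A scriptblock filter with plain variables lets the AD module expand them itself, so a quote
    # in a name cannot break the filter the way string interpolation would.
    $found = @(Get-ADUser -Server $Server -Credential $Cred -Filter { GivenName -eq $GivenName -and Surname -eq $Surname })
    if ($found.Count -ne 1) {
        throw "Expected exactly one user named '$GivenName $Surname', found $($found.Count); refusing to modify."
    }

    Set-ADUser -Server $Server -Credential $Cred -Identity $found[0] -Title $Title -Department $Department

    # Read the object back from the same DC so the caller sees what was actually written.
    Get-ADUser -Server $Server -Credential $Cred -Identity $found[0] -Properties Title, Department |
        Select-Object SamAccountName, Title, Department
} -ArgumentList 'dc01.contoso.com', $hrCred, 'Jane', 'Doe', 'Payroll Analyst', 'Finance'

$result | Format-Table -AutoSize
```

Two further points for the HR use case: the ActiveDirectory module talks to ADWS directly over TCP 9389, so if the script only touches AD it can simply be run on any host with RSAT installed, with no remoting hop at all; and if remoting is required, Kerberos resource-based constrained delegation for the jump host is a narrower fix than CredSSP, because it never exposes the user's credentials to that host.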



Hi Ian, that's what we have: the HR group has R/W permissions delegated on all descendant user objects in the domain, and the Effective Access calculator shows these permissions correctly applied.

I haven't heard of the second-hop problem before, but I am looking into that just now and will get back to you.
