
Permission problem with Powershell v2 Active Directory commands


Paul Gibson

Sep 22, 2009, 1:47:12 PM
I've been trying to use the new Powershell 2 Active Directory commands
and I had a permission problem. I resolved it with an easy fix, but it
took a while to figure it out. I thought I'd post my experience in
case others had the same problem.

I started writing a script using PS1 and the Quest AD cmdlets and it
worked with Windows 2008, and now I'm trying to convert it to PS 2 and
Windows 2008 R2. My network is running W2K3, so I'm doing all of my
testing with virtual machines in a new forest called w2k8.test; I've
got 1 DC with the operations masters and 1 DC running server core. I'm
logged on to the server which holds all of the operations masters.

I quickly found out that I could query AD using PowerShell, but I
couldn't make any changes or create new objects. The account I'm using
is in the Domain Admins group, which I had assumed would be
sufficient.

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\paul.gibson> Import-Module ActiveDirectory

PS C:\Users\paul.gibson> New-ADUser Paul
New-ADUser : Access is denied
At line:1 char:11
+ New-ADUser <<<< Paul
+ CategoryInfo : PermissionDenied:
(CN=Paul,CN=Users,DC=w2k8,DC=test:String) [New-ADUser],
UnauthorizedAccessException
+ FullyQualifiedErrorId : Access is
denied,Microsoft.ActiveDirectory.Management.Commands.NewADUser

PS C:\Users\paul.gibson> New-ADOrganizationalUnit Test
New-ADOrganizationalUnit : Access is denied
At line:1 char:25
+ New-ADOrganizationalUnit <<<< Test
+ CategoryInfo : PermissionDenied:
(OU=Test,DC=w2k8,DC=test:String) [New-ADOrganizationalUnit],
UnauthorizedAccessException
+ FullyQualifiedErrorId : Access is
denied,Microsoft.ActiveDirectory.Management.Commands.NewADOrganizationalUnit

If I logged on using the real Administrator account, these work. Out
of desperation, I added my account to all the same groups the
Administrator account is in, but it still didn't work. I made sure to
load PowerShell with Administrator permissions (using Shift-Right
Click to start it) to make sure it wasn't a UAC issue. Still no go. I
explicitly added my account to the root of AD and gave it full
control. Success! Horrible configuration!

I eventually realized I had to create my own security group, put my
account in that group and give that group the appropriate permissions.
Voila! This is how I do it on my live network, but I didn't see a need
to do it on a test network.

I'm still surprised being in the Domain Admins group didn't work,
since it has the correct permissions in the OU. Maybe this is common
knowledge, or is it something that's changed since 2003? I spent a lot
of time looking at logs and searching the Internet. I couldn't find
much on the errors above, so I thought I'd post my experience in the
hopes it'd help others.

Stephane Poirier

Jan 5, 2011, 3:05:33 PM
Paul, I have exactly the same problem you describe in this post... and am having the same issues dealing with it. You've indicated that you eventually had to create a new security group and give it the right permissions. Can you provide a description of which permissions you had to give this group? thanks much,

Stephane Poirier

> On Monday, October 26, 2009 9:34 PM Paul Gibson wrote:
>
> I have been trying to use the new Powershell 2 Active Directory commands
> and I had a permission problem. I resolved it with an easy fix, but it
> took a while to figure it out. I thought I'd post my experience in
> case others had the same problem.
>
> I started writing a script using PS1 and the Quest AD cmdlets and it
> worked with Windows 2008, and now I am trying to convert it to PS 2 and
> Windows 2008 R2. My network is running W2K3, so I am doing all of my
> testing with virtual machines in a new forest called w2k8.test; I have
> got 1 DC with the operations masters and 1 DC running server core. I am
> logged on to the server which holds all of the operations masters.
>
> I quickly found out that I could query AD using PowerShell, but I
> could not make any changes or create new objects. The account I am using
> Administrator account is in, but it still did not work. I made sure to
> load PowerShell with Administrator permissions (using Shift-Right
> Click to start it) to make sure it was not a UAC issue. Still no go. I
> explicitly added my account to the root of AD and gave it full
> control. Success! Horrible configuration!
>
> I eventually realized I had to create my own security group, put my
> account in that group and give that group the appropriate permissions.
> Voila! This is how I do it on my live network, but I did not see a need
> to do it on a test network.
>
> I am still surprised being in the Domain Admins group did not work,
> since it has the correct permissions in the OU. Maybe this is common
> knowledge, or is it something that has changed since 2003? I spent a lot
> of time looking at logs and searching the Internet. I could not find
> much on the errors above, so I thought I'd post my experience in the
> hopes it'd help others.
>
> Submitted via EggHeadCafe
> Microsoft LINQ Query Samples For Beginners
> http://www.eggheadcafe.com/training-topic-area/LINQ-Standard-Query-Operators/33/LINQ-Standard-Query-Operators.aspx

Paul Gibson

Jan 5, 2011, 6:06:22 PM
On Jan 5, 3:05 pm, Stephane Poirier <spoir...@briercrest.ca> wrote:
> Paul, I have exactly the same problem you describe in this post... and am having the same issues dealing with it. You've indicated that you eventually had to create a new security group and give it the right permissions. Can you provide a description of which permissions you had to give this group? thanks much,
>
> Stephane Poirier
>
> > On Monday, October 26, 2009 9:34 PM Paul Gibson wrote:
> > I have been trying to use the new Powershell 2 Active Directory commands
> > and I had a permission problem. I resolved it with an easy fix, but it
> > took a while to figure it out. I thought I'd post my experience in
> > case others had the same problem.
> >
> > I started writing a script using PS1 and the Quest AD cmdlets and it
> > worked with Windows 2008, and now I am trying to convert it to PS 2 and
> > Windows 2008 R2. My network is running W2K3, so I am doing all of my
> > testing with virtual machines in a new forest called w2k8.test; I have
> > got 1 DC with the operations masters and 1 DC running server core. I am
> > logged on to the server which holds all of the operations masters.
> >
> > I quickly found out that I could query AD using PowerShell, but I
> > load PowerShell with Administrator permissions (using Shift-Right
> > Click to start it) to make sure it was not a UAC issue. Still no go. I
> > explicitly added my account to the root of AD and gave it full
> > control. Success! Horrible configuration!
> >
> > I eventually realized I had to create my own security group, put my
> > account in that group and give that group the appropriate permissions.
> > Voila! This is how I do it on my live network, but I did not see a need
> > to do it on a test network.
> >
> > I am still surprised being in the Domain Admins group did not work,
> > since it has the correct permissions in the OU. Maybe this is common
> > knowledge, or is it something that has changed since 2003? I spent a lot
> > of time looking at logs and searching the Internet. I could not find
> > much on the errors above, so I thought I'd post my experience in the
> > hopes it'd help others.
> > Submitted via EggHeadCafe
> > Microsoft LINQ Query Samples For Beginners
> > http://www.eggheadcafe.com/training-topic-area/LINQ-Standard-Query-Op...

In Active Directory Users and Computers, go to the Security Tab of the
OU you need to add accounts to (you may need to go to the View menu
and select Advanced Features to even see the security tab). From
there, add a security group your account is in (I'd suggest creating a
new one to indicate what it does), and give it permissions to create/
modify/delete the types of accounts you need. I used Full Control
because we're a small shop and we don't delegate administrative
responsibilities to different people. If you have different people
with different responsibilities, you may want to go to the Advanced
section and allow "Create User Objects", "Delete User Objects" (or
Computer objects or whatever you're trying to delegate).

HTH. This is what worked in my environment.
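The same delegation done from the ActiveDirectory module instead of the ADUC Security tab, as an added example that is not part of Paul's reply. It creates a dedicated security group, adds the admin account to it, and grants that group only Create/Delete of user objects on the OU plus write access to the user objects beneath it, which is the "Advanced section" route Paul suggests for shops that delegate. The OU and domain names follow the thread's w2k8.test lab; the group name, its container and the member account are assumed placeholders.

```powershell
# Added example (not from the thread): delegate create/modify/delete of user
# objects on one OU to a dedicated security group, then verify the result.
# Assumed: group name, group container and member account are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Test,DC=w2k8,DC=test'     # OU being delegated (from the thread)
$groupName = 'Delegate-Test-UserAdmins'    # assumed name that says what it does
$groupPath = 'CN=Users,DC=w2k8,DC=test'    # assumed container for the group
$memberSam = 'paul.gibson'                 # assumed sAMAccountName of the admin

# 1. Create the delegation group (idempotent) and add the admin account to it.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $groupPath `
        -Description "Create/modify/delete user objects in $ouDN"
}
Add-ADGroupMember -Identity $groupName -Members $memberSam

# 2. Look up the schemaIDGUID of the 'user' class from the schema partition so
#    the ACEs are scoped to user objects, not to every object type under the OU.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID
$userGuid  = New-Object System.Guid (,$userClass.schemaIDGUID)

# 3. Build the two ACEs.
$groupSid   = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inheritSub = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# "Create User Objects" + "Delete User Objects" on the OU and its sub-OUs:
# objectType = user class GUID limits CreateChild/DeleteChild to user objects.
$userRights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $groupSid, $userRights, $allow, $userGuid, $inheritAll

# Write all properties of existing user objects beneath the OU:
# inheritedObjectType = user class GUID, so other object types are untouched.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$modify    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $groupSid, $writeProp, $allow, $inheritSub, $userGuid

# 4. Apply the ACEs through the AD: PSDrive that the module provides.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($modify)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 5. Verify: show every ACE on the OU that names the new group. Swap in
#    'Domain Admins' to see what that group actually holds on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two things to keep in mind when using this: group membership is carried in the logon token, so the account added in step 1 has to log off and back on before the new ACEs apply to its sessions, and the Full Control that Paul used for his small shop corresponds to `GenericAll` in `ActiveDirectoryRights`, which the scoped rights above deliberately avoid. The verification query in step 5 is also the quickest way to check a claim like "Domain Admins has the correct permissions in the OU" against what the OU's ACL actually contains.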
