Delegation of AD permissions to modify user details using PowerShell, and remote PowerShell issues with AD commands

asked 2021-04-26T13:14:08.16+00:00
Aka_daryl 1 Reputation point

We are currently in the process of creating a script to allow the HR department to update specific details of a user account (job title, department, etc.) without having to go via the service desk.

The script is written; however, there are a couple of issues we are seeing:

1) When run by a non-domain-admin user, the Set-ADUser command fails, despite the user's group having RW on all users' General, Public, and Personal information.

2) When running the script against a remote target using Enter-PSSession, the following error is received:

Get-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it
does not have the Active Directory Web Services running.
At C:\Modify User Details.ps1:67 char:20
+ ... ray]$User = Get-ADUser -Filter {(GivenName -like $FirstName) -and (Su ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

The same script works, however, if you run it on the machine in question.


1 answer

  1. answered 2021-04-27T09:47:39.04+00:00
    Ian Xue (Shanghai Wicresoft Co., Ltd.) 18,351 Reputation points Microsoft Employee

    Hi,

    I'm not sure what you mean by "all users' General, Public, and Personal information". To enable a user group to set a property of AD users in an OU, the group should be allowed to write the property, and the permission should be applied to the descendant user objects. As to issue 2, it could be the second-hop problem:
    https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/

    Best Regards,
    Ian Xue

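The following is an added example, not code from the question or the answer above, showing how to grant a group write access to a handful of user attributes on an OU in the way the answer describes: a WriteProperty ACE for each attribute, inherited to descendant user objects only. The OU `OU=Staff,DC=corp,DC=example`, the group `HR-Editors` and the attribute list are assumptions; replace them with your own. Attribute and class GUIDs are resolved from the schema at runtime rather than hard-coded.

```powershell
# Added example (not from the original thread): delegate WriteProperty on a few
# user attributes to an HR group, scoped to the users under one OU.
# Assumed names: OU 'OU=Staff,DC=corp,DC=example', group 'HR-Editors'.
Import-Module ActiveDirectory

$OU         = 'OU=Staff,DC=corp,DC=example'    # assumption
$GroupName  = 'HR-Editors'                     # assumption
$Attributes = 'title', 'department', 'physicalDeliveryOfficeName', 'telephoneNumber'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up the schemaIDGUID of an attribute or class by its LDAP display name.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$identity = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID

$acl = Get-Acl -Path "AD:\$OU"
foreach ($attr in $Attributes) {
    $attrGuid = Get-SchemaGuid $attr
    # Allow WriteProperty on exactly this attribute, inherited to descendant
    # objects of class 'user' only; the OU object itself gets nothing.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: every ACE for the group should show WriteProperty, an ObjectType
# (the attribute GUID), InheritanceType 'Descendents' and the user class GUID
# as InheritedObjectType. A missing InheritedObjectType or 'None' inheritance
# is the usual reason Set-ADUser still fails for the delegated group.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Per-attribute ACEs like these are tighter than the "General/Public/Personal Information" property sets offered by the Delegation of Control wizard, which also cover attributes HR has no need to write. Test with a member of the group (a plain `Set-ADUser -Identity someone -Title 'x'`) rather than with a domain admin, since admins bypass the delegation entirely and will not reveal a scoping mistake.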
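As an added example for issue 2 (again not code from the thread), the snippet below shows why `Get-ADUser` fails inside an `Enter-PSSession` session and two ways around it that avoid CredSSP. The hostnames `MGMT01` and `DC01.corp.example`, the domain and the sample user values are assumptions.

```powershell
# Added example (not from the original thread). Workstation -> MGMT01 -> DC is a
# second hop: the Kerberos ticket used to reach MGMT01 is not forwardable, so
# ADWS on the DC refuses the remoted session and Get-ADUser reports
# "Unable to contact the server" even though the DC is up.
# Assumed names: management server MGMT01, DC DC01.corp.example.

$Server = 'MGMT01'              # assumption: the host you Enter-PSSession into
$Dc     = 'DC01.corp.example'   # assumption: a writable DC running ADWS
$cred   = Get-Credential -Message 'Account holding the delegated HR rights'

# Option A: give the remote side an explicit credential. Get-ADUser/Set-ADUser
# then authenticate to the DC themselves instead of reusing the session token.
Invoke-Command -ComputerName $Server -Credential $cred -ScriptBlock {
    Import-Module ActiveDirectory
    $u = Get-ADUser -Server $using:Dc -Credential $using:cred `
        -Filter "GivenName -eq 'Jane' -and Surname -eq 'Doe'"   # assumed sample user
    if (-not $u) { throw 'No matching user' }
    if (@($u).Count -gt 1) { throw 'Filter matched more than one user' }
    Set-ADUser -Server $using:Dc -Credential $using:cred -Identity $u -Title 'Payroll Lead'
}

# Option B (one-time setup by a domain admin): resource-based Kerberos
# constrained delegation. MGMT01 may then request tickets to DC01 on behalf of
# users who remoted into it, and the script runs unchanged. Read the caveat below.
$mgmt = Get-ADComputer $Server
$dcObj = Get-ADComputer ($Dc.Split('.')[0])
Set-ADComputer -Identity $dcObj -PrincipalsAllowedToDelegateToAccount $mgmt
# Flush the SYSTEM logon session's ticket cache on MGMT01 so the change applies.
Invoke-Command -ComputerName $Server -ScriptBlock { klist purge -li 0x3e7 }

# After Option B, no second credential is needed:
Invoke-Command -ComputerName $Server -ScriptBlock {
    Get-ADUser -Server $using:Dc -Filter "GivenName -eq 'Jane'"
}
```

Option A is the least invasive and is enough for an HR tool. Option B is the Microsoft-documented alternative to CredSSP, but it is a tier-0 change: once `MGMT01` may delegate to a domain controller, its computer account can obtain service tickets to that DC for any account not marked "sensitive and cannot be delegated" or not in Protected Users, so the management server must be protected like a DC. Often the simplest fix is to avoid the second hop altogether by running the script from a workstation with RSAT installed, where `Get-ADUser`/`Set-ADUser` talk to the DC directly.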