Active IQ Unified Manager Discussions
I have created a command to create security groups within Active Directory. However, when I test the command, I get access denied. How is WFA authenticated against Active Directory when I run commands such as this? Is it using the currently logged-in user as the credentials? LDAP is set up and working in the configuration.
Specifically I am using the below command:
New-QADGroup -Name $ROGroupName -Description $Description -ParentContainer $parentContainer -SAMAccountName $ROGroupName -Email $manager.Email -ManagedBy $manager -GroupScope DomainLocal
Any ideas are greatly appreciated.
The logged-in user is not passed through to the instance of PowerShell that WFA is using. The instance of PoSH is actually the Local Service account or the user that the NetApp WFA Server service is running as.
There is another way to do it, using the native credential cache. In this case, you can create a 'bogus' IP address (e.g. 1.1.1.1) or you can add the valid IP address of a specific Domain Controller. I have used this option to modify and create DNS records for newly deployed virtual machines. In my case, the virtual machines were Linux and used DHCP, so I needed a simple way to update DNS on the fly. I was able to get the cached credentials and add them to my cmdlet. In your case, it would look something like this:
--------------------------------------------
# Host name or IP under which the credential was stored in the WFA credential cache
$server = "Parameter or Static IP"
# Pull the stored username/password for that host as a credential object
$cred = Get-NaCredentials -Host $server
# Hand the cached credential to the Quest cmdlet instead of relying on the service account
New-QADGroup -Name $ROGroupName -Description $Description -ParentContainer $parentContainer -SAMAccountName $ROGroupName -Email $manager.Email -ManagedBy $manager -GroupScope DomainLocal -Credential $cred
--------------------------------------------
More information on using the credential cache:
https://communities.netapp.com/thread/27987
Jeremy Goodrum, NetApp
The Pirate
Twitter: @virtpirate
Blog: www.virtpirate.com
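The answer above describes two facts a practitioner will want to verify from inside the command itself: that the script runs as the WFA service account rather than the web-UI user, and that a credential-cache entry for the chosen host resolves to a usable credential before it is handed to the Quest cmdlet. The following is an added example, not code from the thread or from NetApp, written as a complete WFA command body. It assumes the Get-NaCredentials cmdlet behaves as in the answer (returns a PSCredential for a host stored in the credential cache), that the Quest ActiveRoles cmdlets (Get-QADGroup, Get-QADUser, New-QADGroup) are installed on the WFA server, and that $DcHost, $ROGroupName, $ParentContainer, $Description and $ManagerName are placeholder parameter names chosen for illustration.

```powershell
# Added example: WFA command that creates an AD security group with a cached credential.
# Assumptions (not from the original thread): Get-NaCredentials -Host returns a PSCredential,
# Quest QAD cmdlets are installed, and a credential cache entry exists for $DcHost.
param(
    [Parameter(Mandatory = $true)][string]$DcHost,          # host name/IP used as the cache key
    [Parameter(Mandatory = $true)][string]$ROGroupName,     # sAMAccountName and CN of the new group
    [Parameter(Mandatory = $true)][string]$ParentContainer, # e.g. OU=Groups,DC=corp,DC=example
    [string]$Description = "",
    [string]$ManagerName = ""                               # optional manager (sAMAccountName or DN)
)

# 1. Record the identity the command actually runs under. This is the service account
#    (Local Service or whatever the NetApp WFA Server service runs as), not the person
#    logged into the WFA web UI, which is why an unprivileged run ends in 'access denied'.
$runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Command is executing as '$runAs'"

# 2. Resolve the cached credential for the DC and fail early with a clear message if the
#    cache has no entry for that host or returns something that is not a PSCredential.
$cred = Get-NaCredentials -Host $DcHost
if (-not $cred) {
    throw "No credential cache entry found for host '$DcHost'; add one in WFA under Execution > Credentials."
}
if ($cred -isnot [System.Management.Automation.PSCredential]) {
    throw "Credential for '$DcHost' is not a PSCredential object (got $($cred.GetType().FullName))."
}
Write-Output "Using cached credential '$($cred.UserName)' for host '$DcHost'"

# 3. Make the command idempotent: New-QADGroup fails if the sAMAccountName already exists,
#    and WFA workflows are frequently re-run after a partial failure.
$existing = Get-QADGroup -SamAccountName $ROGroupName -Credential $cred -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Group '$ROGroupName' already exists at $($existing.DN); nothing to do."
    return
}

# 4. Build the parameter set once so every cmdlet call carries the same -Credential.
$groupParams = @{
    Name            = $ROGroupName
    SamAccountName  = $ROGroupName
    ParentContainer = $ParentContainer
    Description     = $Description
    GroupScope      = 'DomainLocal'
    Credential      = $cred
}
if ($ManagerName) {
    # Look the manager up with the same credential; -ErrorAction Stop turns a miss into an exception.
    $manager = Get-QADUser -Identity $ManagerName -Credential $cred -ErrorAction Stop
    $groupParams['ManagedBy'] = $manager.DN
    if ($manager.Email) { $groupParams['Email'] = $manager.Email }
}

try {
    $group = New-QADGroup @groupParams -ErrorAction Stop
    Write-Output "Created group '$($group.DN)' as '$($cred.UserName)'"
}
catch {
    # Surface which account was used so an 'access denied' can be traced to the right cache entry.
    throw "Failed to create group '$ROGroupName' with cached credential '$($cred.UserName)': $($_.Exception.Message)"
}
```

If the cache entry was created against a real Domain Controller rather than a placeholder address, the same $DcHost can also be passed to the Quest cmdlets' -Service parameter so the lookup and the create are pinned to that DC; with a placeholder such as 1.1.1.1 that must be left off. Keeping the AD credential in the cache and passing it per cmdlet also limits its exposure to this one command, whereas running the whole WFA Server service as a privileged AD account grants that privilege to every command the server executes.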
Thanks for the quick response, it was a huge help! For ease of making other commands work, I went with logging into the server hosting WFA and setting the WFA Server process to use an account known to have permissions to perform the commands within Active Directory.