Solved: What credentials are used when Powershell command goes against AD?

TABER_BRANDEN · ‎2013-04-11

I have created a command to create security groups within active directory. However when I test the command, I get access denied. How is WFA authenticated against active directory when I run commands such as this? Is it using the currently logged in user as the credentials? LDAP is set up and working in the configuration.

Specifically I am using the below command:

New-QADGroup -Name $ROGroupName -Description $Description -ParentContainer $parentContainer -SAMAccountName $ROGroupName -Email $manager.Email -ManagedBy $manager -GroupScope DomainLocal

Any ideas are greatly appreciated.

goodrum · ‎2013-04-11

The logged in user blog is not passed to the instance of powershell that WFA is using. The instance of PoSH is actually the Local Service account or the user that the NetApp WFA Server service is running as.

There is another way to do it using the native credential cache. In this case, you can create a 'bogus' IP address (eg 1.1.1.1) or you can add the valid IP address of a specific Domain Controller. I have used this option to modify and create DNS records for newly deployed virtual machines. In my case, the virtual machines were linux and used DHCP so I needed a simple way to update DNS on the fly. I was able to get the cache credentials and add them to my cmdlet. In your case, it would look something like this:

--------------------------------------------

$server = "Parameter or Static IP"

$cred = Get-NaCredentials -Host $server

New-QADGroup -Name $ROGroupName -Description $Description -ParentContainer $parentContainer -SAMAccountName $ROGroupName -Email $manager.Email -ManagedBy $manager -GroupScope DomainLocal -Credential $cred

--------------------------------------------

More information on using the credential cache:

https://communities.netapp.com/thread/27987

Jeremy Goodrum, NetApp

The Pirate

Twitter: @virtpirate

Blog: www.virtpirate.com

View solution in original post

goodrum · ‎2013-04-11

The logged in user blog is not passed to the instance of powershell that WFA is using. The instance of PoSH is actually the Local Service account or the user that the NetApp WFA Server service is running as.

There is another way to do it using the native credential cache. In this case, you can create a 'bogus' IP address (eg 1.1.1.1) or you can add the valid IP address of a specific Domain Controller. I have used this option to modify and create DNS records for newly deployed virtual machines. In my case, the virtual machines were linux and used DHCP so I needed a simple way to update DNS on the fly. I was able to get the cache credentials and add them to my cmdlet. In your case, it would look something like this:

--------------------------------------------

$server = "Parameter or Static IP"

$cred = Get-NaCredentials -Host $server

New-QADGroup -Name $ROGroupName -Description $Description -ParentContainer $parentContainer -SAMAccountName $ROGroupName -Email $manager.Email -ManagedBy $manager -GroupScope DomainLocal -Credential $cred

--------------------------------------------

More information on using the credential cache:

https://communities.netapp.com/thread/27987

Jeremy Goodrum, NetApp

The Pirate

Twitter: @virtpirate

Blog: www.virtpirate.com

TABER_BRANDEN · ‎2013-04-11

Thanks for the quick response, it was a huge help! For ease of making other commands work, I went with logging into the server hosting WFA and setting the WFA Server process to use an account known to have permissions to perform the commands within active directory.