
Active IQ Unified Manager Discussions

What credentials are used when Powershell command goes against AD?

TABER_BRANDEN

I have created a command to create security groups within Active Directory. However, when I test the command, I get access denied. How is WFA authenticated against Active Directory when I run commands such as this? Is it using the currently logged-in user as the credentials? LDAP is set up and working in the configuration.

Specifically I am using the below command:

New-QADGroup -Name $ROGroupName -Description $Description -ParentContainer $parentContainer -SAMAccountName $ROGroupName -Email $manager.Email -ManagedBy $manager -GroupScope DomainLocal

Any ideas are greatly appreciated.

1 ACCEPTED SOLUTION

goodrum

The logged-in user blog is not passed to the instance of PowerShell that WFA is using. The instance of PoSH is actually the Local Service account or the user that the NetApp WFA Server service is running as.

There is another way to do it using the native credential cache. In this case, you can create a 'bogus' IP address (e.g. 1.1.1.1) or you can add the valid IP address of a specific Domain Controller. I have used this option to modify and create DNS records for newly deployed virtual machines. In my case, the virtual machines were Linux and used DHCP, so I needed a simple way to update DNS on the fly. I was able to get the cached credentials and add them to my cmdlet. In your case, it would look something like this:

--------------------------------------------

# Host key the credential was cached under: a workflow parameter or a static IP
$server = "Parameter or Static IP"

# Pull the cached credential for that host from the credential cache
$cred   = Get-NaCredentials -Host $server

# Pass the cached credential explicitly instead of relying on the service account
New-QADGroup -Name $ROGroupName -Description $Description -ParentContainer $parentContainer -SAMAccountName $ROGroupName -Email $manager.Email -ManagedBy $manager -GroupScope DomainLocal -Credential $cred

--------------------------------------------

More information on using the credential cache:

https://communities.netapp.com/thread/27987

Jeremy Goodrum, NetApp

The Pirate

Twitter: @virtpirate

Blog: www.virtpirate.com

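The following is an added example, not code from the thread or from NetApp, that expands on the accepted answer: it reports which Windows identity the WFA PowerShell instance is actually running as (the root cause of the access-denied error), looks up the credential cached under a host key, and only then creates the group with an explicit -Credential. It assumes WFA's own Get-WfaCredentials cmdlet and the Quest New-QADGroup/Get-QADGroup cmdlets are installed on the WFA server; the parameter defaults, the host key 1.1.1.1 and the OU path are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes WFA's Get-WfaCredentials
# and the Quest ActiveRoles cmdlets; all parameter defaults are hypothetical.
param(
    [string]$CredentialHostKey = '1.1.1.1',                       # host key the AD credential was cached under
    [string]$ROGroupName       = 'ro-share-example',              # constructed sample group name
    [string]$Description       = 'Read-only share access',
    [string]$ParentContainer   = 'OU=Groups,DC=example,DC=local', # constructed sample OU
    [string]$ManagerIdentity   = 'svc-example-owner'              # constructed sample owner
)

# 1. Show the identity this PowerShell instance really runs as. On a WFA
#    server this is the service account, not the user logged in to the portal.
$runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Verbose "WFA PowerShell instance runs as: $runAs" -Verbose

# 2. Fetch the credential cached for the host key. Failing loudly here gives a
#    clear message instead of an access-denied error from the AD cmdlet later.
$cred = Get-WfaCredentials -Host $CredentialHostKey
if (-not $cred) {
    throw "No credential cached for host key '$CredentialHostKey'; add one in WFA's credential cache first."
}
Write-Verbose "Using cached AD credential for: $($cred.UserName)" -Verbose

# 3. Make the workflow idempotent: do not fail on a re-run if the group exists.
$existing = Get-QADGroup -Identity $ROGroupName -Credential $cred -ErrorAction SilentlyContinue
if ($existing) {
    Write-Verbose "Group '$ROGroupName' already exists at $($existing.DN); nothing to do." -Verbose
    return $existing
}

# 4. Resolve the manager once so the ManagedBy attribute is set to a real object.
$manager = Get-QADUser -Identity $ManagerIdentity -Credential $cred
if (-not $manager) {
    throw "Manager '$ManagerIdentity' not found in Active Directory."
}

# 5. Create the group with the cached credential, exactly as in the answer above,
#    and hand the new object back to the workflow.
$group = New-QADGroup -Name $ROGroupName `
                      -Description $Description `
                      -ParentContainer $ParentContainer `
                      -SamAccountName $ROGroupName `
                      -Email $manager.Email `
                      -ManagedBy $manager `
                      -GroupScope DomainLocal `
                      -Credential $cred
Write-Verbose "Created group $($group.DN)" -Verbose
$group
```

The Write-Verbose lines land in the WFA execution log, so the identity the command actually ran as is visible next to any failure, which is usually enough to tell a service-account problem from a missing cache entry.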

2 REPLIES


TABER_BRANDEN

Thanks for the quick response, it was a huge help! For ease of making other commands work, I went with logging into the server hosting WFA and setting the WFA Server process to use an account known to have permissions to perform the commands within Active Directory.
