0 votes

Hi team,

we have two accounts for Adaxes in our AD

  • Service account (running services) named "service-adaxes"
  • Service Domain account (to connect to AD) named "service-adaxesdomain"

Setup of our managed Domain image.png

If I now run a PowerShell script, it will always run as "service-adaxes", no? This user has no permissions to AD, and therefor operations will fail. Do I need to specify "Run as" and use the Credentials inside the script? Or do I need to grant permissions to "service-adaxes" to manage AD?

by (1.5k points)

1 Answer

0 votes
by (287k points)

Hello,

If I now run a PowerShell script, it will always run as "service-adaxes", no?

That is correct. By default, scripts are executed using the credentials of the Adaxes service account.

Do I need to specify "Run as" and use the Credentials inside the script? Or do I need to grant permissions to "service-adaxes" to manage AD?

It depends on the operations and code in a script. If you are going to always use Adaxes functionality (e.g. $Context variable and related methods/properties), the credentials of the service account will be used to execute the script operations in Adaxes, but in AD, the domain service account (service-adaxesdomain). If you are going to perform operations directly in AD or elsewhere using a script, then you will need to either specify a different account in the Run as section and use the credentials in the script or grant the Adaxes service account required permissions.

0

My script does

Set-ADMUser $sam -Add @{extensionName="%param-default-area%"} -ErrorAction Stop

From outcome it looks like the "service-adaxes" account is used, as access is denied.

I see two options now, no?

  • change from Set-ADMUser to $Context User update
  • Use run as credentials in script and remain using Set-ADMUser

Would you be so kind and share both options with me? I dont find the relevant code for option 2 at least

0

Hello,

I see two options now, no? change from Set-ADMUser to $Context User update

It depends on what exactly you need to achieve. Are you updating the target user? Please, share the entire script you have or describe the desired behavior in all the possible details with live examples.

Use run as credentials in script and remain using Set-ADMUser

Currently, you script performs the update directly in AD. You can add the -AdaxesService and -Server parameters so that it goes through Adaxes and there is no need to change anything else.

0

It depends on what exactly you need to achieve. Are you updating the target user? Please, share the entire script you have or describe the desired behavior in all the possible details with live examples.

Exactly, only update the User and add/remove extensionName

You can add the -AdaxesService and -Server parameters so that it goes through Adaxes and there is no need to change anything else.

I just added this and now its working fine... easy! Thanks!

-AdaxesService localhost
+1

Hello,

Exactly, only update the User and add/remove extensionName

In this case, you do not need scripts at all. You can use the Update the user action: image.png

Related questions

0 votes
1 answer

Hi team, I need to update users extensionAttribute6 after adding or removing them from a specific group. This is my setup: Group is updated based on rule set within Adaxes ... would like to update users after they were added or removed from this group. Thanks!

asked Sep 25, 2023 by wintec01 (1.5k points)
0 votes
1 answer

Hello I'm trying to run a custom PowerShell script to request a Workspace ONE Access Sync when I change something in our users or groups. Here is the script: $ClientId = "api ... of having to create 6 independent rules with each of them a copy of the script)?

asked Sep 25, 2021 by ygini (240 points)
0 votes
1 answer

I've adapted a RegEx to normalize phone numbers, source: http://www.regexplanet.com/cookbook/pho ... index.html. Import-Module Adaxes $identity = "%sAMAccountName%" $mobileNumber = ' ... 555-5555, adaxes returned +1+1 (888) 555-5555. Any guidance on this?

asked Dec 20, 2014 by polley (1.2k points)
0 votes
0 answers

Whether I try to run a script or manually run the commands to enroll users, users remain unenrolled. Example of a basic script: Import-Module ... ` -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost Adaxes version 2021

asked Mar 27, 2023 by gwadmin (80 points)
0 votes
1 answer

Hi, is there any guide what to do if the service account is not a domain admin? Especially what rights does the account need for the Exchange connection? The event log is ... LDAP (Permission denied). And what is need for the Exchange servers (WinRM?). Thanks!

asked Sep 11, 2018 by ahanil (200 points)
3,526 questions
3,217 answers
8,197 comments
547,625 users