PowerShell Script executed as Service account - not domain account

Question

Hi team,

we have two accounts for Adaxes in our AD

• Service account (running services) named "service-adaxes"
• Service Domain account (to connect to AD) named "service-adaxesdomain"

Setup of our managed Domain

If I now run a PowerShell script, it will always run as "service-adaxes", no? This user has no permissions to AD, and therefor operations will fail. Do I need to specify "Run as" and use the Credentials inside the script? Or do I need to grant permissions to "service-adaxes" to manage AD?

Answer 1

Hello,

If I now run a PowerShell script, it will always run as "service-adaxes", no?

That is correct. By default, scripts are executed using the credentials of the Adaxes service account.

Do I need to specify "Run as" and use the Credentials inside the script? Or do I need to grant permissions to "service-adaxes" to manage AD?

It depends on the operations and code in a script. If you are going to always use Adaxes functionality (e.g. $Context variable and related methods/properties), the credentials of the service account will be used to execute the script operations in Adaxes, but in AD, the domain service account (service-adaxesdomain). If you are going to perform operations directly in AD or elsewhere using a script, then you will need to either specify a different account in the Run as section and use the credentials in the script or grant the Adaxes service account required permissions.

Comments

My script does

Set-ADMUser $sam -Add @{extensionName="%param-default-area%"} -ErrorAction Stop

From outcome it looks like the "service-adaxes" account is used, as access is denied.

I see two options now, no?

• change from Set-ADMUser to $Context User update
• Use run as credentials in script and remain using Set-ADMUser

Would you be so kind and share both options with me? I dont find the relevant code for option 2 at least

---

Hello,

I see two options now, no? change from Set-ADMUser to $Context User update

It depends on what exactly you need to achieve. Are you updating the target user? Please, share the entire script you have or describe the desired behavior in all the possible details with live examples.

Use run as credentials in script and remain using Set-ADMUser

Currently, you script performs the update directly in AD. You can add the -AdaxesService and -Server parameters so that it goes through Adaxes and there is no need to change anything else.

---

It depends on what exactly you need to achieve. Are you updating the target user? Please, share the entire script you have or describe the desired behavior in all the possible details with live examples.

Exactly, only update the User and add/remove extensionName

You can add the -AdaxesService and -Server parameters so that it goes through Adaxes and there is no need to change anything else.

I just added this and now its working fine... easy! Thanks!

-AdaxesService localhost

---

Hello,

Exactly, only update the User and add/remove extensionName

In this case, you do not need scripts at all. You can use the Update the user action: