I needed to create a large number of Domain Local security groups in AD, so I wanted to script it with PoSH rather than manually create each one.
I am getting an Access Denied error if I try to create the groups in PoSH, but can create them in ADUC with no problem. Same thing happens when trying to add members.
What could the issue be? I've checked the event log, but all I get is Access Denied from DS events (4662), with no additional information.
I've tried it on multiple DCs, using the PowerShell Modules for Active Directory shortcut, as well as a regular PowerShell session using Import-Module Active-Directory.
EDIT: Below is an example error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 28/06/2011 11:57:54 AM
Event ID: 4662
Task Category: Directory Service Access
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MYDC.mydomain.com
Description:
An operation was performed on an object.
Subject :
Security ID: mydomain\user
Account Name: user
Account Domain: mydomain
Logon ID: 0x8d81c809
Object:
Object Server: DS
Object Type: group
Object Name: CN=SERVERNAME-RDP-Users,OU=SQL Servers,OU=RDP,OU=Server Login Permissions,DC=mydomain,DC=com
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Write Property
Access Mask: 0x20
Properties: ---
{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
{bf9679c0-0de6-11d0-a285-00aa003049e2}
{bf967a9c-0de6-11d0-a285-00aa003049e2}
Additional Information:
Parameter 1: -
Parameter 2:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-06-28T01:57:54.401588800Z" />
<EventRecordID>261383903</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="684" />
<Channel>Security</Channel>
<Computer>DC1.mydomain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-1580943700-3625058406-2646640161-1105</Data>
<Data Name="SubjectUserName">User</Data>
<Data Name="SubjectDomainName">mydomain</Data>
<Data Name="SubjectLogonId">0x8d81c809</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a9c-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{29c4e057-b8d3-4fa2-9f91-8dd6336897b4}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%7685
</Data>
<Data Name="AccessMask">0x20</Data>
<Data Name="Properties">---
{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
{bf9679c0-0de6-11d0-a285-00aa003049e2}
{bf967a9c-0de6-11d0-a285-00aa003049e2}
</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2">
</Data>
</EventData>
</Event>
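The 4662 event above names the denied properties only by GUID. The script below is an added example (it is not part of the original question) that resolves those three GUIDs against the forest's schema and Extended-Rights containers so the denied write can be read as attribute, class and property-set names; it assumes the ActiveDirectory module is available and that the account running it can read the schema and configuration partitions, which any domain user can by default. On a default schema the three GUIDs resolve to the Membership property set, the member attribute and the group object class, i.e. the failed operation is a write to the group's member attribute.

```powershell
# Added example, not from the original post: map the property GUIDs from a
# 4662 "Write Property" audit failure to human-readable names.
Import-Module ActiveDirectory

# The three GUIDs copied from the Properties field of the event above
$guids = @(
    'bc0ac240-79a9-11d0-9020-00c04fc2d4cf',
    'bf9679c0-0de6-11d0-a285-00aa003049e2',
    'bf967a9c-0de6-11d0-a285-00aa003049e2'
)

$rootDse = Get-ADRootDSE

# Attributes and classes carry their GUID in the binary schemaIDGUID attribute
$schemaMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object {
        $guid = New-Object System.Guid -ArgumentList (,[byte[]]$_.schemaIDGUID)
        $schemaMap[$guid.ToString()] = $_.lDAPDisplayName
    }

# Property sets and extended rights live under Configuration, keyed by the
# rightsGuid attribute, which is stored as a string
$rightsMap = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightsMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

foreach ($g in $guids) {
    $key = ([guid]$g).ToString()
    $name = if ($schemaMap.ContainsKey($key)) {
        "schema object: $($schemaMap[$key])"
    } elseif ($rightsMap.ContainsKey($key)) {
        "property set / extended right: $($rightsMap[$key])"
    } else {
        'unknown GUID'
    }
    '{0}  {1}' -f $g, $name
}
```

The GUIDs are looked up in both containers because a single 4662 event lists the property set first and then the attribute and class that the set covers; resolving all three tells you which ACE (on the attribute, on the property set, or on the class) would have had to grant the write.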
OK, found the answer. There's a security feature in Win2K8 that prevents you from running these cmdlets locally on a DC. So basically you need to either run them from a workstation using PSRemoting, or just specify another DC using the -Server switch.
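As an added example (not the answerer's code), this is the bulk-creation script written the way the answer recommends, with every call pointed at one explicit DC through -Server. The DC name, the OU path and the group/member list are placeholders constructed for the example; the OU path mirrors the one in the audit event above.

```powershell
# Added example, not from the original post: bulk-create Domain Local security
# groups and populate them, targeting a specific DC with -Server.
Import-Module ActiveDirectory

# Assumptions: a DC other than the one you are logged on to, and the target OU
$server = 'DC2.mydomain.com'
$ouPath = 'OU=SQL Servers,OU=RDP,OU=Server Login Permissions,DC=mydomain,DC=com'

# Constructed input: one group per server and the accounts it should contain
$groups = @(
    @{ Name = 'SQL01-RDP-Users'; Members = @('alice', 'bob') },
    @{ Name = 'SQL02-RDP-Users'; Members = @('carol') }
)

foreach ($g in $groups) {
    $dn = "CN=$($g.Name),$ouPath"

    # Idempotent: skip creation if the group already exists in this OU
    $existing = Get-ADGroup -Server $server -SearchBase $ouPath -LDAPFilter "(cn=$($g.Name))"
    if (-not $existing) {
        try {
            New-ADGroup -Server $server -Name $g.Name -SamAccountName $g.Name `
                -GroupCategory Security -GroupScope DomainLocal -Path $ouPath `
                -Description "RDP access to $($g.Name -replace '-RDP-Users$')" `
                -ErrorAction Stop
            Write-Host "Created $dn"
        } catch {
            Write-Warning "Failed to create $dn on $server : $($_.Exception.Message)"
            continue
        }
    }

    # Same -Server as the create above, so the new object is guaranteed to be
    # present on the DC we are writing to without waiting for replication
    try {
        Add-ADGroupMember -Server $server -Identity $dn -Members $g.Members -ErrorAction Stop
        Write-Host "Populated $dn"
    } catch {
        Write-Warning "Failed to add members to $dn : $($_.Exception.Message)"
    }
}
```

Keeping both the create and the Add-ADGroupMember call on the same DC matters beyond the access-denied issue: if the group is created on one DC and members are added via another before replication has caught up, the second call fails with an object-not-found error rather than the access error discussed here.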