Troubleshooting AD Orchestration: "Powershell Execution Failed" Error When Removing AD Object
06-28-2023 09:45 PM
Introduction:
Active Directory (AD) orchestration plays a crucial role in managing and maintaining an organization's directory service. However, encountering errors during operations can be frustrating. In this blog post, we will explore a specific issue where the removal of an AD object throws a "PowerShell execution failed" error, specifically stating "Script returned status 1 using the account user." We will delve into the root cause of this problem and provide a solution to resolve it.
Issue:
While working with AD orchestration, you may have noticed that the "Create AD Object" and "Update AD Object" functions work correctly, but removing an AD object fails with an error. The error is raised when the PowerShell script calls the `deletetree()` method. The account running the script lacks the permission this call needs: deleting a subtree requires the "Delete Subtree" permission on the target object (granted directly or inherited from its container), not just the "Delete" permission.
Root Cause:
The issue stems from the permissions of the account used for AD object removal. The `deletetree()` method deletes the object itself together with all of its child objects, which requires the broader "Delete Subtree" permission rather than plain "Delete." Without it, the directory rejects the operation, the PowerShell script terminates with a non-zero exit status, and the orchestration reports "Script returned status 1."
Solution:
To resolve this issue and enable successful removal of AD objects, follow these steps:
1. Identify the user account that is executing the PowerShell script for object removal.
2. Log in to an account with administrative privileges in your AD environment.
3. Grant the "Delete Subtree" permission to the user account by performing the following steps:
   a. Launch the "Active Directory Users and Computers" administrative tool.
   b. Locate and right-click the container or organizational unit (OU) where the AD objects are stored.
   c. Select "Properties" from the context menu and navigate to the "Security" tab.
   d. Click the "Advanced" button to access advanced security settings.
   e. In the "Permissions" tab, locate the user account and click "Edit."
   f. In the "Permissions Entry" dialog, check the "Delete Subtree" permission.
   g. Apply the changes and close all dialog boxes.
After granting the "Delete Subtree" permission to the user account, retry the AD object removal process. The PowerShell script should now execute successfully without encountering the "PowerShell execution failed" error.
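The same check and grant can be scripted instead of clicked through, which makes it repeatable and keeps the grant scoped to one OU. The block below is an added example written for this post, not code from the orchestration product or from the original author. It uses the ActiveDirectory module's `AD:` drive and the .NET `ActiveDirectoryAccessRule` type; the "Delete Subtree" checkbox in the ADUC dialog corresponds to the `DeleteTree` value of `ActiveDirectoryRights`. The OU distinguished name and the account name are placeholders you must replace with your own values.

```powershell
# Added example (not from the original post): audit and, if missing, grant the
# "Delete Subtree" (DeleteTree) right to the orchestration account on one OU.
Import-Module ActiveDirectory

$ouDn    = 'OU=Orchestrated,DC=example,DC=local'   # placeholder: OU the script removes objects from
$account = 'EXAMPLE\svc-orchestration'             # placeholder: account that runs the PowerShell script

# Resolve the account to a SID so the comparison below does not depend on name formatting.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Read the OU's current DACL through the AD: provider (includes inherited entries).
$acl = Get-Acl -Path "AD:\$ouDn"

# Look for an existing Allow entry for this SID that includes the DeleteTree bit.
$deleteTreeBit = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    (([int]$_.ActiveDirectoryRights) -band $deleteTreeBit) -ne 0
}

if ($existing) {
    Write-Output "$account already holds Delete Subtree on $ouDn (inherited: $($existing[0].IsInherited))"
}
else {
    # Grant only DeleteTree (no GenericAll), on the OU and everything beneath it.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
    Write-Output "Granted Delete Subtree to $account on $ouDn and its descendants"
}

# Re-read the DACL so the change is confirmed from the directory, not from the local object.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited
```

Run it as an account that can modify the OU's security descriptor. Two scoping notes: with `ActiveDirectorySecurityInheritance::All` the right applies to the OU itself as well as its children, so the account could also delete the OU; use `Descendents` (the enum value is spelled that way in .NET) if only the objects inside the OU should be removable. Likewise, grant the right on the specific OU the orchestration manages rather than at the domain root, since Delete Subtree lets the holder remove every object under the scope in one call.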