Add-ADGroupMember fails with Insufficient access rights to perform the operation error
03-28-2022 11:24 AM
Hi,
I have a custom PowerShell script run from Flow Designer to perform operations on the AD. It runs as an account which has admin access on the MID Server, and it is also the account that starts the Windows MID Server service (Log On is set to that admin account/service account used in the script).
This script is able to create objects in the AD but errors out when I try to add the new AD object to a group.
The command I'm using is:
Add-ADGroupMember -server <DC_name> -Credential <creds> -Identity <group_name> -members <samaccountname>
Also, running this directly at the PowerShell command prompt on the MID Server worked.
Labels: Orchestration (ITOM)

03-29-2022 03:15 AM
Hi,
If you want the MID Server service account to be used for running your script, then you can remove the -Credential parameter, because you are already running in the MID Server service account context.
If you want to use the credentials from the discovery_credentials table then you can pass the $cred in -credential parameter.
Regards,
Vivek
03-29-2022 04:16 AM
Therefore, the user is prompted for credentials. This works fine when I am signed into my domain account. However, I am presented with Insufficient access rights to perform the operation when I run the same command to add a user to a group from my non-admin account. Even when prompted as per the above code to input my domain credentials.
03-29-2022 09:03 AM
It turns out the Service account had access to only create objects in the AD, not to manage security groups. After the delegation of control to manage security groups in the OU, it worked fine.
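
The fix in the last post comes down to whether the group's ACL lets the service account write the group's member attribute. The following check is an added example, not code from the thread: it assumes the RSAT ActiveDirectory module and uses placeholder names ($GroupName, $AccountName) for the group and the service account.

```powershell
# Added example: lists the ACEs on a group that decide whether an account may
# change its membership. Names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$GroupName   = 'TargetGroup'      # placeholder: the group passed to -Identity
$AccountName = 'svc-midserver'    # placeholder: sAMAccountName of the service account

# schemaIDGUID of the 'member' attribute; an empty GUID means "all properties".
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$WriteProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$group   = Get-ADGroup -Identity $GroupName
$account = Get-ADUser  -Identity $AccountName -Properties tokenGroups

# SIDs an ACE can name for this account: its own SID plus every group SID in
# its token (nested and primary groups). Well-known SIDs such as
# Authenticated Users are not in tokenGroups and are not checked here.
$sids = @($account.SID.Value) + @($account.tokenGroups | ForEach-Object { $_.Value })

# Read explicit and inherited ACEs, with identities returned as SIDs.
$acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$relevant = foreach ($ace in $rules) {
    $appliesToAccount = $sids -contains $ace.IdentityReference.Value
    $coversWrite      = ($ace.ActiveDirectoryRights -band $WriteProp) -eq $WriteProp
    $coversMember     = $ace.ObjectType -eq $MemberAttr -or $ace.ObjectType -eq [guid]::Empty
    if ($appliesToAccount -and $coversWrite -and $coversMember) {
        [pscustomobject]@{
            Type      = $ace.AccessControlType      # Allow or Deny
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not ($relevant | Where-Object { $_.Type -eq 'Allow' })) {
    Write-Warning "$AccountName has no Allow ACE for writing 'member' on $GroupName; Add-ADGroupMember will be refused."
}
$relevant | Format-Table -AutoSize
```

An empty result for an account that can still create objects in the OU points to a delegation that covers object creation but not group membership. A Deny row in the output takes precedence over an Allow row at the same inheritance level.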