Add-ADGroupMember fails with Insufficient access rights to perform the operation error

Akshatha Ballal · ‎03-28-2022

Hi,

I have a custom PowerShell script run from flow designer to perform operations on the AD. It runs as an account which has admin access on the MID server and also it is the account that starts the windows MidServer Service (LogOn is as that admin account/Service account used in the script)

This script is able to create objects on the AD but is erroring out when I try to add the new ad object into a group.

The command I'm using is

Add-ADGroupMember -server <DC_name> -Credential <creds> -Identity <group_name> -members <samaccountname>

Also running this directly on the MID server powershell cmd prompt worked.

VivekSattanatha · ‎03-29-2022

Hi,

If you want to use the MID Server service account that should be used for running your script then you can remove that -credential parameter because you already running in a MID Server service account context.

If you want to use the credentials from the discovery_credentials table then you can pass the $cred in -credential parameter.

Regards,

Vivek

Alicia Haag · ‎03-29-2022

Therefore, the user is prompted for credentials. This works fine when I am signed into my domain account. However, I am presented with Insufficient access rights to perform the operation when I run the same command to add a user to a group from my non-admin account. Even when prompted as per the above code to input my domain credentials.

MyeClass Login

Akshatha Ballal · ‎03-29-2022

It turns out the Service account had access to only create objects in the AD, not to manage security groups. After the delegation of control to manage security groups in the OU, it worked fine.