User credentials cannot be used for local connections

brandonwilson
Giga Contributor

I am new to ITOM and I wanted to create a simple PowerShell script using the PowerShell activity to remove a user from a group, since for some reason there is an activity built to add a user to a group, but none to remove a user. The script is below:

Remove-ADGroupMember -Identity "Share" -Members "tuser1" -confirm:$false -credential $cred

Where $cred uses the credential table for user information. When I run the workflow, I get the following error: "User credentials cannot be used for local connections". Maybe I do not understand how SN carries out the script, whether it is conducted via a remote script or something else. If I don't use the credential table and use the MID server service user, it works fine in the dev instance, since the dev user has privileges for this; the prod user does not.

I have tried to use Set-ExecutionPolicy Bypass -force to bypass this but still no luck. There is no documentation advising what the best-practice way of doing this is or how SN carries out this task. I have a lot of orchestration stuff coming down the pipeline soon, so I will need to figure this out as soon as possible to create documentation on the best way to do this.

A few key points that are still up in the air:

  1. How does SN carry out PowerShell?
  2. What should the MID Server Services user be (should it be a domain admin or just have the privileges needed to carry out tasks)?
  3. How are the credentials from the credential table passed to the MID server?
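On point 2, an added example (not part of this post or any reply) of the least-privilege alternative to a domain-admin service account: grant the MID Server service account write access to the member attribute of the one group the workflow manages, and verify the grant. The group DN and the service account name are assumed placeholders; the script must itself be run by an account allowed to change that group's ACL.

```powershell
# Added example, not from the thread. The group DN and the service account are
# assumed placeholders for illustration.
Import-Module ActiveDirectory

$groupDn    = 'CN=Share,OU=Groups,DC=corp,DC=example'   # assumed group DN
$svcAccount = 'CORP\svc-midserver'                       # assumed MID Server service account
# Schema GUID of the "member" attribute; the same in every AD forest.
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Grant-GroupMemberWrite {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$Account
    )
    # The ActiveDirectory module exposes the directory as the AD: drive.
    $acl = Get-Acl -Path "AD:\$GroupDn"
    $sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # WriteProperty on "member" only: enough to add or remove members of this group,
    # nothing else on the group and nothing elsewhere in the domain.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $rights, $allow, $memberAttrGuid
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$GroupDn" -AclObject $acl
}

function Test-GroupMemberWrite {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$Account
    )
    # $true when an Allow ACE granting WriteProperty on "member" exists for the account.
    $acl = Get-Acl -Path "AD:\$GroupDn"
    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $memberAttrGuid -and
        (($_.ActiveDirectoryRights -band $writeProperty) -eq $writeProperty)
    })
}

Grant-GroupMemberWrite -GroupDn $groupDn -Account $svcAccount
if (-not (Test-GroupMemberWrite -GroupDn $groupDn -Account $svcAccount)) {
    throw "Delegation for $svcAccount on $groupDn was not applied"
}
# With this ACE in place the MID Server service user can run
#   Remove-ADGroupMember -Identity 'Share' -Members 'tuser1' -Confirm:$false
# without any credential object, and still cannot modify other groups.
```

Checking the ACE after writing it matters because Set-Acl on the AD: drive does not complain when a rule is silently merged into an existing, broader grant; the test reads back exactly the right that the workflow depends on.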

Shannon Burns
Kilo Sage

Did you ever get an answer to this? I am having the same issue.

Shannon


I had all sorts of issues getting the custom PowerShell activities to run, so I coded up my own credentials in the activity. I've been using the following code in PS activities for AD, Office 365, and PS REST calls. Maybe you can bend it for getting your Remove-ADGroupMember to run, as long as you keep the -credential $cred on the end.



try
{
  # the ${activityInput.*} placeholders are substituted into the script text by the activity
  $username = "${activityInput.username}"
  $password = ConvertTo-SecureString -String "${activityInput.password}" -AsPlainText -Force
  # leftover from an earlier char-by-char approach; $password is already a SecureString
  # $secstr = New-Object -TypeName System.Security.SecureString
  # $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
}
catch{
  $returnError = "Issues setting security: " + $_
  #exit
  }


Are you adding this to your Execution Command? Do you mind sharing the rest of the command? It seems that this is a common problem; HI Support has not been helpful in solving it.

I may be misreading the question, but once I have the $cred initialized in the beginning of my execution script, for any AD methods where I need them, I just add -credential $cred

 

e.g. from my clone AD user from template:

 

Get-ADUser -Identity $userTemplateName -Properties memberof |
                Select-Object -ExpandProperty memberof |
                Add-ADGroupMember -Members $userName -Credential $cred

For overkill, JIC, here's the execution command I use for disabling AD users for terminations:

cls
Import-Module ActiveDirectory
#set defaults
$returnError=""
$acctDisabled = "false"
#account to terminate; named differently from the admin user below because PowerShell
#variable names are case-insensitive ($UserName and $username are the same variable)
$targetUser = [string]"${activityInput.adUserName}"

#set credentials
try{
   $adminUser = "${activityInput.adminUserName}"
   $adminPassword = ConvertTo-SecureString -String "${activityInput.adminPassword}" -AsPlainText -Force
   $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminUser, $adminPassword
}
catch{
   $returnError = "Issues setting security: " + $_
   #exit
   }

#disable user account
try{
    #reset password: fixed prefix plus a random 4-digit suffix (guessable, so the account must also be disabled)
    $newPassword = "d0n3G0tG0n3" + (Get-Random -Minimum 1000 -Maximum 9999)
    Set-ADAccountPassword -Identity $targetUser -Reset `
        -NewPassword (ConvertTo-SecureString -String $newPassword -AsPlainText -Force) `
        -Credential $cred
    #disable account
    Disable-ADAccount -Identity $targetUser -Credential $cred
  }
catch{
  $returnError += "`ndisable acct err: " + $_ `
    + "`nln:" + $_.InvocationInfo.ScriptLineNumber `
    + "`nil:" + $_.InvocationInfo.OffsetInLine
  }

#remove groups
try{
  #get the user object
  $user = Get-ADUser -Identity $targetUser -Properties memberof -Credential $cred
  #get the groups
  $userGroups = $user.memberof
  # for-each group remove
  $userGroups | ForEach-Object { Get-ADGroup $_ | Remove-ADGroupMember -Server lcgdc03 -Confirm:$false -Members $targetUser -Credential $cred }
  #clean up
  $userGroups = $null
  }
catch{
   $returnError += "`nFailed to remove group memberships ERR: " + $_ `
   + "`nln:" + $_.InvocationInfo.ScriptLineNumber `
   + "`nil:" + $_.InvocationInfo.OffsetInLine
  }

#BG for user termination, move to terminated folder
try{
  #move to terminated folder for 30 days
  Get-ADUser -Identity $targetUser | Move-ADObject -TargetPath 'OU=Terminated,OU=users,OU=IT,OU=county,DC=our,DC=gov' -Credential $cred
  #set success
  $acctDisabled = "true"
  }
catch{
     $returnError += "`nUser Disabled, BUT failed ou move to Entz.Users.Terminated ERR: " + $_ `
                  + "`nln:" + $_.InvocationInfo.ScriptLineNumber `
                  + "`nil:" + $_.InvocationInfo.OffsetInLine
  }

Write-Output "%%acctDisabled%%"
Write-Output "$($acctDisabled)"
Write-Output "%%"
Write-Output "%%returnError%%"
Write-Output "$($returnError)"
Write-Output "%%"

Then I parse out the tags based on other Community posts I've come across such as this


Does that help?
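A reworked version of the pattern in the replies above, added here as an example and not part of any post in this thread: it builds the PSCredential from activity inputs under names that cannot collide (PowerShell variable names are case-insensitive, so $UserName and $username are one variable), wraps the group removal in a function that checks membership before and after the change against the same DC, and emits the same %%tag%% output the workflow parses. The activity input names, the group, and the DC value are assumed placeholders.

```powershell
# Added example, not from the thread. Activity input names and the DC are assumed.
Import-Module ActiveDirectory

function New-AdminCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$PlainTextPassword
    )
    $secure = ConvertTo-SecureString -String $PlainTextPassword -AsPlainText -Force
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

function Remove-UserFromAdGroup {
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,
        [Parameter(Mandatory)][string]$UserSamAccountName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Server
    )
    # One set of common parameters so every AD call uses the same credential and the same DC,
    # and so any failure is a terminating error the caller's catch block sees.
    $ad = @{ Credential = $Credential; ErrorAction = 'Stop' }
    if ($Server) { $ad['Server'] = $Server }

    $user  = Get-ADUser  -Identity $UserSamAccountName @ad
    $group = Get-ADGroup -Identity $GroupIdentity -Properties member @ad
    if ($group.member -notcontains $user.DistinguishedName) {
        return 'not_a_member'      # nothing to do; do not report this as a removal
    }
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false @ad
    # Re-read membership from the same DC instead of trusting the cmdlet's silent return;
    # reading from another DC could show stale, pre-removal data.
    $after = Get-ADGroup -Identity $group.DistinguishedName -Properties member @ad
    if ($after.member -contains $user.DistinguishedName) {
        throw "User $UserSamAccountName is still a member of $GroupIdentity after removal"
    }
    return 'removed'
}

# ---- activity body ----
$returnError = ''
$result      = 'failed'
# Distinct names for the target account and the admin account used to authenticate.
$targetUser  = "${activityInput.adUserName}"      # assumed activity input
$groupName   = "${activityInput.adGroupName}"     # assumed activity input
$dc          = "${activityInput.adServer}"        # assumed activity input (FQDN of a DC)

try {
    $cred = New-AdminCredential -UserName "${activityInput.adminUserName}" `
                                -PlainTextPassword "${activityInput.adminPassword}"
    $result = Remove-UserFromAdGroup -GroupIdentity $groupName -UserSamAccountName $targetUser `
                                     -Credential $cred -Server $dc
}
catch {
    $returnError = "group removal failed: $($_.Exception.Message)" +
                   " (line $($_.InvocationInfo.ScriptLineNumber))"
}

# Same %%tag%% output convention as the script above, parsed by the workflow.
Write-Output "%%result%%"
Write-Output $result
Write-Output "%%"
Write-Output "%%returnError%%"
Write-Output $returnError
Write-Output "%%"
```

The three possible values of %%result%% ('removed', 'not_a_member', 'failed') let the workflow branch on what actually happened rather than on whether the script produced an error string, and leaving $Server empty falls back to the module's own DC selection for both the change and the verification read.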