User credentials cannot be used for local connections

brandonwilson

I am new to ITOM and I wanted to create a simple PowerShell script using the PowerShell activity to remove a user from a group, since for some reason there is an activity built to add a user to a group, but none to remove a user. The script is below:

Remove-ADGroupMember -Identity "Share" -Members "tuser1" -confirm:$false -credential $cred

Here $cred uses the credential table for user information. When I run the workflow, I get the following error: "User credentials cannot be used for local connections". Maybe I do not understand how SN carries out the script, whether it is conducted via a remote script or something else. If I don't use the credential table and use the MID Server service user, it works fine in the dev instance, since the dev user has privileges for this; the prod user does not.

I have tried to use Set-ExecutionPolicy Bypass -force to bypass this, but still no luck. There is no documentation advising what the best-practice way of doing this is or how SN carries out this task. I have a lot of orchestration stuff coming down the pipeline soon, so I will need to figure this out as soon as possible to create documentation on the best way to do this.

A few key points that are still up in the air:

  1. How does SN carry out PowerShell?
  2. What should the MID Server Services user be (should it be a domain admin or just have the privileges needed to carry out tasks)?
  3. How are the credentials from the credential table passed to the MID Server?

Here's the weird thing: we have no problem using the OOB AD Activity Add user to Group and applying it to an Orchestration Workflow. But when we attempt to use the OOB AD Activity Remove user from group within a workflow, we receive authentication failed. If we run the Activity TEST by itself it works fine, or if I create a custom PowerShell activity similar to your PowerShell above it works fine. But as soon as I apply it to a workflow it fails. Even to a simple Begin - Custom PowerShell - End workflow. So in short, we are getting authentication problems when we use the Orch Workflow with an OOB activity or a custom PowerShell activity.

---------------------------------------------------------------------------------------------------------

$AdminGroup= "DEN-DEL-"+$Groupname+"-ADM";
Import-Module ActiveDirectory;

Remove-ADGroupMember -Identity $AdminGroup -Member $Username -Confirm:$false

--------------------------------------------------------------------------------------------------------------

This works when using "Test Inputs" from the activity. Fails when added to a workflow.
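
A more defensive form of the two removal scripts posted above, as an added example that is not part of any post in this thread: it validates the workflow-supplied names before building the `DEN-DEL-<Groupname>-ADM` group name, passes `-Credential` only when one is supplied, and reports whether anything was removed. The function name, the input pattern and the result object are assumptions made for illustration; the ActiveDirectory module must be installed where the script runs.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory -ErrorAction Stop

function Remove-DelegatedAdminMember {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Groupname,
        [Parameter(Mandatory)] [string] $Username,
        # Optional: omit to run as the account the script already runs under.
        [System.Management.Automation.PSCredential] $Credential
    )

    # Workflow inputs are untrusted. Accept only simple name tokens (assumed
    # pattern) so the caller cannot steer the change outside DEN-DEL-*-ADM.
    foreach ($value in $Groupname, $Username) {
        if ($value -notmatch '\A[A-Za-z0-9._-]{1,64}\z') {
            throw "Rejected input '$value': unexpected characters or length."
        }
    }
    $AdminGroup = "DEN-DEL-${Groupname}-ADM"

    # Splat -Credential only when one was supplied.
    $auth = @{}
    if ($Credential) { $auth.Credential = $Credential }

    # Resolve both objects first so a typo fails here, before any change.
    $group = Get-ADGroup -Identity $AdminGroup @auth -ErrorAction Stop
    $user  = Get-ADUser  -Identity $Username   @auth -ErrorAction Stop

    # Direct membership check, so a repeat run reports instead of erroring.
    $isMember = Get-ADGroupMember -Identity $group @auth -ErrorAction Stop |
        Where-Object { $_.distinguishedName -eq $user.DistinguishedName }

    if (-not $isMember) {
        $action = 'NotAMember'
    } elseif ($PSCmdlet.ShouldProcess($AdminGroup, "Remove member $Username")) {
        Remove-ADGroupMember -Identity $group -Members $user `
            -Confirm:$false @auth -ErrorAction Stop
        $action = 'Removed'
    } else {
        $action = 'Skipped'   # -WhatIf was given or the prompt was declined
    }

    [pscustomobject]@{ Group = $AdminGroup; User = $Username; Action = $action }
}

# Dry run with constructed values:
# Remove-DelegatedAdminMember -Groupname 'Share' -Username 'tuser1' -Credential $cred -WhatIf
```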

 

I am experiencing the same issue. Were you able to figure out what was barring the credentials?

So the answer is: if you run the PowerShell activity on the same server as the default MID Server, you need to set the hostname to '127.0.0.1'. Otherwise you need to have the workflow activity itself point to a different MID Server than your primary MID Server.

Just logged in to give you a big thank you for this tip.

Same. Thank you Mike!