User credentials cannot be used for local connections

brandonwilson
Giga Contributor

I am new to ITOM and I wanted to create a simple PowerShell script using the PowerShell activity to remove a user from a group, since for some reason there is an activity built to add a user to a group but none to remove one. The script is below:

Remove-ADGroupMember -Identity "Share" -Members "tuser1" -confirm:$false -credential $cred

Where $cred uses the credential table for user information. When I run the workflow, I get the following error: "User credentials cannot be used for local connections". Maybe I do not understand how SN carries out the script, whether it is conducted via a remote script or something else. If I don't use the credential table and use the MID Server service user instead, it works fine in the dev instance, since the dev user has privileges for this; the prod user does not.

I have tried to use Set-ExecutionPolicy Bypass -force to bypass this but still no luck. There is no documentation advising what the best-practice way of doing this is or how SN carries out this task. I have a lot of orchestration stuff coming down the pipeline soon, so I will need to figure this out as soon as possible to create documentation on the best way to do this.

A few key points that are still up in the air:

  1. How does SN carry out PowerShell?
  2. What should the MID Server Services user be (should it be a domain admin or just have the privileges needed to carry out tasks)?
  3. How are the credentials from the credential table passed to the MID server?

brantgluth
Kilo Expert

Seems like this is a dead thread

Thought I'd share JIC anyone hits this; I seem to every couple of months.

I have multiple PowerShell custom activities running, and they typically run surprisingly flawlessly, even tho' I'm using credentials within the PowerShell scripts and I wrote them up.

Every now and then after a clone or upgrade I get the dreaded "User credentials cannot be used for local connections" message. Opened a ticket with ServiceNow support; the problem resolved itself automagically before they could figure it out.

The thing that I found irritating is that if I switch from the mid server name to the IP address, everything works fine. DNS server is fine and everything proper, I've been unable to find anything else that makes any sense.

Sebastian Gonz2
Giga Contributor

This is usually due to running a PowerShell activity with a MID Server as the Target Host.

If you have multiple MID Servers then this would happen "once in a while" if the MID server being used is also the one running the script.

You can verify this in the ECC Queue

I got the same issue recently. What should I do if I just have one MID server and I want to run the PowerShell activity on the MID server itself? I tried to set hostname field to localhost but still report the same error...

Not 100% sure, but I think you can make it work with 127.0.0.1, the IP for localhost.

Robert McDonne1
Tera Contributor

I am running into the error User credentials cannot be used for local connections for a different issue and I came across this thread.

The problem is that when running a PowerShell command against the localhost, you cannot use the -Credential switch. There are technical reasons why you cannot do this, but they are not related to this particular problem.

Your command Remove-ADGroupMember needs to be run against a Domain Controller using the -Server switch. Failure to include the -Server switch will default to running against the local computer, which is causing the error.

Ex.

Remove-ADGroupMember -Identity "Share" -Members "tuser1" -confirm:$false -credential $cred -Server DC01

I know this is an old thread but I hope this helps someone who may also be having this issue.
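To tie together the two explanations in this thread (Sebastian's point that the error appears when the target host is the MID Server itself, and Robert's point that Remove-ADGroupMember must be pointed at a domain controller with -Server), here is an added example script. It is not code from the thread or from ServiceNow; it assumes the ActiveDirectory module is installed on the MID Server, that $Credential is the PSCredential the activity builds from the credential table, and the group, member and DC names are placeholders. It discovers a writable DC if none is supplied, refuses to pass -Credential to a connection that would resolve to the local machine, and checks membership before and after so the activity returns a meaningful result instead of a silent no-op.

```powershell
<#
  Added example (not from the thread): remove a user from an AD group from a
  MID Server, always targeting an explicit domain controller so -Credential is
  never applied to a local connection.

  Assumptions (placeholders, not taken from the original post):
    - ActiveDirectory module is available on the MID Server
    - $Credential is the PSCredential built from the credential table
    - Group "Share", member "tuser1" and server "DC01" are example values
#>
param(
    [Parameter(Mandatory)] [string]       $GroupName,   # e.g. "Share"
    [Parameter(Mandatory)] [string]       $MemberSam,   # e.g. "tuser1"
    [Parameter(Mandatory)] [pscredential] $Credential,
    [string]                              $Server       # optional DC, e.g. "DC01"
)

Import-Module ActiveDirectory -ErrorAction Stop

# If no DC was given, locate a writable one instead of letting the cmdlet fall
# back to the local computer (which is what triggers the error in this thread).
if (-not $Server) {
    $dc     = Get-ADDomainController -Discover -Writable -ErrorAction Stop
    $Server = $dc.HostName[0]
}

# Guard: -Credential cannot be used on a local connection, so refuse any target
# that names this MID Server (by hostname, loopback name or loopback address).
$localNames = @(
    $env:COMPUTERNAME,
    [System.Net.Dns]::GetHostName(),
    [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName,
    'localhost',
    '127.0.0.1'
) | ForEach-Object { $_.ToLowerInvariant() }

if ($localNames -contains $Server.ToLowerInvariant()) {
    throw "Target '$Server' resolves to this MID Server; point -Server at a domain controller instead."
}

# Check current membership so the activity can report "already absent" rather
# than silently succeeding.
$before = Get-ADGroupMember -Identity $GroupName -Server $Server -Credential $Credential |
          Where-Object { $_.SamAccountName -eq $MemberSam }

if (-not $before) {
    Write-Output "User '$MemberSam' is not a member of '$GroupName' on $Server; nothing to do."
    return
}

# The actual removal, run against the DC with the table credential (same as the
# original command in this thread, plus the -Server parameter Robert suggested).
Remove-ADGroupMember -Identity $GroupName -Members $MemberSam `
    -Server $Server -Credential $Credential -Confirm:$false -ErrorAction Stop

# Verify the change on the same DC before reporting success.
$after = Get-ADGroupMember -Identity $GroupName -Server $Server -Credential $Credential |
         Where-Object { $_.SamAccountName -eq $MemberSam }

if ($after) {
    throw "Removal reported success but '$MemberSam' is still a member of '$GroupName' on $Server."
}

Write-Output "Removed '$MemberSam' from '$GroupName' via $Server."
```

When used inside a PowerShell activity, map the activity's input variables onto the script parameters and leave -Server unset only if the MID Server can reach a DC through the normal locator; pinning -Server to a known DC is the simpler option and also makes the ECC Queue output easier to read, since every run targets the same host.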