I am new to ITOM and I wanted to create a simple PowerShell script using the PowerShell activity to remove a user from a group. Since for some reason there is an activity built to add a user to a group, but none to remove a user. The script is below:

Remove-ADGroupMember -Identity "Share" -Members "tuser1" -confirm:$false -credential $cred

Where $cred uses the credential table for user information. When I run the workflow, I get the following error:   "User credentials cannot be used for local connections". Maybe I do not understand how SN carries out the script, if it is conducted via a remote script or something else. If I don't use the credential table and use the mid server service user, it works fine, in the dev instance, since the dev user has privileges for this, the prod user does not.

I have tried to use Set-ExecutionPolicy Bypass -force   to bypass this but still not luck. There is no documentation advising what is the best practice way of doing this or how SN carries out this task. I have a lot of orchestration stuff coming down the pipeline soon, so I will need to figure this out as soon as possible to create documentation on the best way to do this.

I few key points that are still up in the air:

1. How does SN carry about PowerShell?
2. What should the MID Server Services user be (should it be a domain admin or just have the privileges needed to carry out tasks)?
3. How is the credentials from the credential table passed to the MID server?