Powershell – Access Denied when Adding or Modifying AD Groups in Powershell

Tags: active-directory, permissions, powershell

I needed to create a large number of Domain Local security groups in AD, so wanted to script it with PoSH rather than manually create each one.

I am getting an Access Denied error if I try to create the groups in PoSH, but can create them in ADUC with no problem. Same thing happens when trying to add members.

What could the issue be? I've checked the event log, but all I get is Access Denied from DS events (4662), with no additional information.

I've tried it on multiple DCs, using the Powershell Modules for Active Directory shortcut, as well as a regular Powershell session using Import-Module Active-Directory.

EDIT: Below is an example error:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          28/06/2011 11:57:54 AM
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MYDC.mydomain.com
Description:
An operation was performed on an object.

Subject :
    Security ID:        mydomain\user
    Account Name:       user
    Account Domain:     mydomain
    Logon ID:       0x8d81c809

Object:
    Object Server:      DS
    Object Type:        group
    Object Name:        CN=SERVERNAME-RDP-Users,OU=SQL Servers,OU=RDP,OU=Server Login Permissions,DC=mydomain,DC=com
    Handle ID:      0x0

Operation:
    Operation Type:     Object Access
    Accesses:       Write Property

    Access Mask:        0x20
    Properties:     ---
        {bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
            {bf9679c0-0de6-11d0-a285-00aa003049e2}
    {bf967a9c-0de6-11d0-a285-00aa003049e2}


Additional Information:
    Parameter 1:        -
    Parameter 2:        
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4662</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-06-28T01:57:54.401588800Z" />
    <EventRecordID>261383903</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="684" />
    <Channel>Security</Channel>
    <Computer>DC1.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1580943700-3625058406-2646640161-1105</Data>
    <Data Name="SubjectUserName">User</Data>
    <Data Name="SubjectDomainName">mydomain</Data>
    <Data Name="SubjectLogonId">0x8d81c809</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{bf967a9c-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="ObjectName">%{29c4e057-b8d3-4fa2-9f91-8dd6336897b4}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%7685
                </Data>
    <Data Name="AccessMask">0x20</Data>
    <Data Name="Properties">---
        {bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
            {bf9679c0-0de6-11d0-a285-00aa003049e2}
    {bf967a9c-0de6-11d0-a285-00aa003049e2}
</Data>
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2">
    </Data>
  </EventData>
</Event>

Best Answer

OK, found the answer. There's a security feature in Win2K8 that prevents you from running these cmdlets locally on a DC. So basically you need to either run them from a workstation using PSRemoting, or just specify another DC using the -Server switch.
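The -Server workaround from the answer, applied to the bulk group creation the question asked about. This is an added example, not the answerer's code; the OU path, server list and member-group names are placeholders, and it assumes the ActiveDirectory module is installed where it runs.

```powershell
# Added example (not from the original post): bulk-create Domain Local security
# groups from a constructed list, always targeting a DC other than the local one.
# Placeholders: the OU path, the server names and the "<server>-Admins" member groups.
Import-Module ActiveDirectory

# Pick a writable DC that is not this machine, so no cmdlet is ever run against
# the local DC (the case the answer says is blocked).
$dc = Get-ADDomainController -Filter * |
      Where-Object { $_.Name -ne $env:COMPUTERNAME -and -not $_.IsReadOnly } |
      Select-Object -First 1 -ExpandProperty HostName
if (-not $dc) {
    throw 'No other writable DC found; run this from a workstation over PSRemoting instead.'
}

# Constructed input, mirroring the naming used in the question's event log.
$targetOu = 'OU=SQL Servers,OU=RDP,OU=Server Login Permissions,DC=mydomain,DC=com'  # placeholder
$servers  = @('SQL01', 'SQL02', 'SQL03')                                              # placeholder

foreach ($server in $servers) {
    $name = "$server-RDP-Users"
    try {
        # Idempotent: skip groups that already exist rather than failing the whole run.
        if (-not (Get-ADGroup -Filter { Name -eq $name } -Server $dc)) {
            New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                        -Path $targetOu -Server $dc -ErrorAction Stop
        }
        # Add members against the same DC, so the new group is visible without
        # waiting for replication between create and add.
        Add-ADGroupMember -Identity $name -Members "$server-Admins" -Server $dc -ErrorAction Stop
    }
    catch {
        # If Access Denied persists even with -Server, the cause is delegated rights
        # on $targetOu, not the local-DC restriction; check the 4662 audit on $dc.
        Write-Warning "Failed on $name via $dc : $($_.Exception.Message)"
    }
}
```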