Absent Member.

AD driver remote powershell cmdlet not firing

Hi,

Can anyone assist with this?

We have a requirement to delete all leaf objects in AD when a user is deleted. We have the below which is working correctly and setting the "psexecute" attribute which is being fired.

However the log shows the below when it fires. We have verified that the PSExec service is running on the Remote Loader:

<modify class-name="user" event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" qualified-src-dn="OU=IDV\OU=STUDENTS\CN=User1" src-dn="\IDV\STUDENTS\User1" src-entry-id="510594">
<association>e646e61101e89c47b4ea6309160822b7</association>
<modify-attr attr-name="psexecute">
<remove-all-values/>
<add-value>
<value type="string">Remove-ADObject -Identity (Get-ADUser User1) -Recursive</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[01/25/19 15:09:54.137]:UNI Local ST: Remote Interface Driver: Document sent.
[01/25/19 15:09:55.250]:UNI Local :Remote Interface Driver: Received.
[01/25/19 15:09:55.250]:UNI Local :
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\IDV_TREE\UNI\IDM\UNI Driver Set\UNI Local" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="error" text1="Exchange 2010" type="exchange">Exchange 2010 Exception. code:0x0000274d Connnection Error. Make sure service is Running</status>
<status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="success"/>
</output>
</nds>
[01/25/19 15:09:55.251]:UNI Local :Remote Interface Driver: Received document for subscriber channel
[01/25/19 15:09:55.251]:UNI Local :Remote Interface Driver: Waiting for receive...
[01/25/19 15:09:55.251]:UNI Local ST: SubscriptionShim.execute() returned:
[01/25/19 15:09:55.251]:UNI Local ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\IDV_TREE\UNI\IDM\UNI Driver Set\UNI Local" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="error" text1="Exchange 2010" type="exchange">Exchange 2010 Exception. code:0x0000274d Connnection Error. Make sure service is Running</status>
<status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="success"/>
</output>

We've tested the powershell directly and that seems to be correct, but the driver is unable to execute it directly.

Has anyone got any idea?

Thanks in advance
John
Knowledge Partner

On 1/25/2019 10:44 AM, Jevans78 wrote:
>
> Hi,
>
> Can anyone assist with this?
>
> We have a requirement to delete all leaf objects in AD when a user is
> deleted. We have the below which is working correctly and setting the
> "psexecute" attribute which is being fired.
>
> However the log shows the below when it fires. We have verified that the
> PSExec service is running on the Remote Loader:
>
> <modify class-name="user"
> event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703"
> qualified-src-dn="OU=IDV\OU=STUDENTS\CN=User1"
> src-dn="\IDV\STUDENTS\User1" src-entry-id="510594">
> <association>e646e61101e89c47b4ea6309160822b7</association>
> <modify-attr attr-name="psexecute">
> <remove-all-values/>
> <add-value>
> <value type="string">*Remove-ADObject -Identity (Get-ADUser
> User1) -Recursive*</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> [01/25/19 15:09:54.137]:UNI Local ST: Remote Interface Driver: Document
> sent.
> [01/25/19 15:09:55.250]:UNI Local :Remote Interface Driver: Received.
> [01/25/19 15:09:55.250]:UNI Local :
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20170106_120000"
> instance="\IDV_TREE\UNI\IDM\UNI Driver Set\UNI Local"
> version="4.0.2.1">AD</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <output>
> <status
> event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703"
> level="error" text1="Exchange 2010" type="exchange">Exchange 2010
> Exception. code:0x0000274d Connnection Error. Make sure service is
> Running</status>
> <status
> event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703"
> level="success"/>
> </output>
> </nds>
> [01/25/19 15:09:55.251]:UNI Local :Remote Interface Driver: Received
> document for subscriber channel
> [01/25/19 15:09:55.251]:UNI Local :Remote Interface Driver: Waiting for
> receive...
> [01/25/19 15:09:55.251]:UNI Local ST: SubscriptionShim.execute()
> returned:
> [01/25/19 15:09:55.251]:UNI Local ST:
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20170106_120000"
> instance="\IDV_TREE\UNI\IDM\UNI Driver Set\UNI Local"
> version="4.0.2.1">AD</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <output>
> <status
> event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703"
> level="error" text1="Exchange 2010" type="exchange">*Exchange 2010
> Exception. code:0x0000274d Connnection Error. Make sure service is
> Running*</status>
> <status
> event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703"
> level="success"/>
> </output>
>
> We've tested the powershell directly and that seems to be correct, but
> the driver is unable to execute it directly.


The Shim's execution of PowerShell is NOT done by the shim itself,
rather it is handed off to the IDM PowerShell (or in your case IDM Exch2010
Service) that makes the calls. It auths as the Login user for the service.

So... do you have the Exchange 2010 service running? If you can change
over to the IDM PowerShell it is a better approach. But either one is
needed (change the Shim config value to match the one in use). The O365
driver has yet another iteration of this service as well, and guess
what? It works differently as well! Joy!


Absent Member.

Thanks Geoff,

I switched off the Exchange config in the driver and it's executing the PowerShell successfully now and I can see it in the RL log with "success".
The action hasn't been done though and the user still remains. I'm wondering if the PowerShell I'm sending isn't quite right.

I tried adding -comfirm$false but it doesn't seem to delete them still.
Knowledge Partner

On 1/26/2019 4:44 AM, Jevans78 wrote:
>
> Thanks Geoff,
>
> I switched off the Exchange config in the driver and it's executing the
> PowerShell successfully now and I can see it in the RL log with
> "success".
> The action hasn't been done though and the user still remains. I'm
> wondering if the PowerShell I'm sending isn't quite right.
>
> I tried adding -comfirm$false but it doesn't seem to delete them still.


Watch in the Remote loader trace and you will get as much of an error as
it generates.

Knowledge Partner

Another approach was posted a while back by sebastijan. This used a style
sheet that implemented recursion to delete child objects. This way you
don’t need PowerShell at all.
Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

> We have a requirement to delete all leaf objects in AD when a user is deleted. We have the below which is working correctly and setting the "psexecute" attribute which is being fired.

What is the order of your operations?

Maybe you will need to change the default order:
1. Run powershell
2. Delete AD object
Absent Member.

Hi,

Thanks for all the suggestions. @Alex I'll see if I can dig out Sebastijan's style sheet, but for now I've no idea why the psexecute command is not working.

It is sent correctly, and the RL log shows "success" but the object was not deleted.

As a test I ran the powershell command directly in Powershell and it removed the object children with no prompt.

Does anyone have any idea? Level 3 RL trace of the event being received is below:

<input>
<modify class-name="user" event-id="sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4" qualified-src-dn="O=UNI\OU=IDV\OU=STUDENTS\CN=Student1" src-dn="\IDV_TREE\UNI\IDV\STUDENTS\Student1" src-entry-id="511708">
<association>e646e61101e89c47b4ea6309160822b7</association>
<modify-attr attr-name="psexecute">
<remove-all-values/>
<add-value>
<value type="string">Remove-ADObject -Identity "CN=Student1,OU=STUDENTS,OU=CSM,OU=UNI" -Recursive -Confirm:$false</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/29/19 08:47:08.99]: ADDriver: parse command

className user
destDN
eventId sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4
association e646e61101e89c47b4ea6309160822b7
DirXML: [01/29/19 08:47:08.99]: ADDriver: parse modify class = user
DirXML: [01/29/19 08:47:08.99]: ADDriver: association
DirXML: [01/29/19 08:47:08.99]: ADDriver: e646e61101e89c47b4ea6309160822b7
DirXML: [01/29/19 08:47:08.99]: ADDriver: modify-attr
DirXML: [01/29/19 08:47:08.99]: ADDriver: remove-all-values
DirXML: [01/29/19 08:47:08.99]: ADDriver: add-value
DirXML: [01/29/19 08:47:08.99]: ADDriver: value
DirXML: [01/29/19 08:47:08.99]: ADDriver: Remove-ADObject -Identity "CN=Student1,OU=STUDENTS,OU=CSM,OU=UAL" -Recursive -Confirm:$false
DirXML: [01/29/19 08:47:08.99]: ADDriver: ldap_modify user CN=Student1,OU=STUDENTS,OU=CSM,OU=UAL
LDAPMod operations:
DirXML: [01/29/19 08:47:08.99]: Loader: subscriptionShim->execute() returned:
DirXML: [01/29/19 08:47:08.99]: Loader: XML Document:
DirXML: [01/29/19 08:47:08.99]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\IDV_TREE\UAL\IDM\UAL Driver Set\UAL ArtsLocal">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success" event-id="sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4"/>
</output>
</nds>
DirXML: [01/29/19 08:47:08.99]:
DirXML Log Event -------------------
Driver = \IDV_TREE\UAL\IDM\UAL Driver Set\UAL ArtsLocal
Thread = Subscriber Channel
Object = \IDV_TREE\UAL\IDV\STUDENTS\Student1
Level = success
Knowledge Partner

Jevans78;2494465 wrote:
Hi,

Thanks for all the suggestions. @Alex I'll see if I can dig out Sebastijan's style sheet, but for now I've no idea why the psexecute command is not working.

It is sent correctly, and the RL log shows "success" but the object was not deleted.

As a test I ran the powershell command directly in Powershell and it removed the object children with no prompt.

Does anyone have any idea? Level 3 RL trace of the event being received is below:

<input>
<modify class-name="user" event-id="sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4" qualified-src-dn="O=UNI\OU=IDV\OU=STUDENTS\CN=Student1" src-dn="\IDV_TREE\UNI\IDV\STUDENTS\Student1" src-entry-id="511708">
<association>e646e61101e89c47b4ea6309160822b7</association>
<modify-attr attr-name="psexecute">
<remove-all-values/>
<add-value>
<value type="string">Remove-ADObject -Identity "CN=Student1,OU=STUDENTS,OU=CSM,OU=UNI" -Recursive -Confirm:$false</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/29/19 08:47:08.99]: ADDriver: parse command

className user
destDN
eventId sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4
association e646e61101e89c47b4ea6309160822b7
DirXML: [01/29/19 08:47:08.99]: ADDriver: parse modify class = user
DirXML: [01/29/19 08:47:08.99]: ADDriver: association
DirXML: [01/29/19 08:47:08.99]: ADDriver: e646e61101e89c47b4ea6309160822b7
DirXML: [01/29/19 08:47:08.99]: ADDriver: modify-attr
DirXML: [01/29/19 08:47:08.99]: ADDriver: remove-all-values
DirXML: [01/29/19 08:47:08.99]: ADDriver: add-value
DirXML: [01/29/19 08:47:08.99]: ADDriver: value
DirXML: [01/29/19 08:47:08.99]: ADDriver: Remove-ADObject -Identity "CN=Student1,OU=STUDENTS,OU=CSM,OU=UAL" -Recursive -Confirm:$false
DirXML: [01/29/19 08:47:08.99]: ADDriver: ldap_modify user CN=Student1,OU=STUDENTS,OU=CSM,OU=UAL
LDAPMod operations:
DirXML: [01/29/19 08:47:08.99]: Loader: subscriptionShim->execute() returned:
DirXML: [01/29/19 08:47:08.99]: Loader: XML Document:
DirXML: [01/29/19 08:47:08.99]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\IDV_TREE\UAL\IDM\UAL Driver Set\UAL ArtsLocal">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success" event-id="sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4"/>
</output>
</nds>
DirXML: [01/29/19 08:47:08.99]:
DirXML Log Event -------------------
Driver = \IDV_TREE\UAL\IDM\UAL Driver Set\UAL ArtsLocal
Thread = Subscriber Channel
Object = \IDV_TREE\UAL\IDV\STUDENTS\Student1
Level = success


Is this a valid DN in your domain?

Remove-ADObject -Identity "CN=Student1,OU=STUDENTS,OU=CSM,OU=UAL"

Usually I see the root of MAD domains with something like dc=something,dc=org.
Absent Member.

Hi,

Yes, I actually just removed the domain name in the trace for security. It is a valid DN as I ran the command directly on the Domain Controller and it dutifully deleted the user and its leaf objects.

Thanks
John
Knowledge Partner

Jevans78;2494492 wrote:
Hi,

Yes, I actually just removed the domain name in the trace for security. It is a valid DN as I ran the command directly on the Domain Controller and it dutifully deleted the user and its leaf objects.

Thanks
John


Ok, just making sure on that one then. The PowerShell service runs as system or as a user. Is it running as a user? Does that user have sufficient rights to run this script successfully?
Commodore

The advice above is good. Additionally, have you looked at the trace logs on the Windows side? They're typically in the same directory as dirxml_remote.exe etc. You can turn on tracing through the Remote Loader Console--set it to 10 and set the file size to be fairly big. You'll get more detail about PowerShell operations from the trace logs.
Absent Member.

I have tested with it running under the system account as well as using the Driver user (which is a domain Admin).

No error, but it just doesn't seem to fire when executed from the driver...
0 Likes
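A diagnostic wrapper for the situation in this thread, where the driver reports "success" but the object remains. This is an added example, not code from any poster or from NetIQ. It records which account is executing, resolves the DN before deleting, and writes any exception to a file. The DN (with a constructed DC=example,DC=org suffix) and the log path are placeholders, and it is meant to be run as the account the PowerShell service logs in as.

```powershell
# Added diagnostic sketch; not from the thread or from NetIQ.
# Assumptions: the DN and log path defaults are constructed placeholders.
param(
    [string]$TargetDn = 'CN=Student1,OU=STUDENTS,OU=CSM,DC=example,DC=org',  # constructed
    [string]$LogPath  = 'C:\Temp\psexecute-diag.log'                          # hypothetical path
)

# Make sure the log directory exists before the first write.
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath) | Out-Null

function Write-Diag([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# Record which security principal is actually executing the command.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Diag "Running as: $who"

try {
    # Load the module explicitly rather than relying on auto-loading in this session.
    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolve the object first so a bad DN fails here with a clear error.
    $obj = Get-ADObject -Identity $TargetDn -ErrorAction Stop
    $children = @(Get-ADObject -SearchBase $obj.DistinguishedName `
                               -SearchScope OneLevel -Filter * -ErrorAction Stop)
    Write-Diag "Resolved $($obj.DistinguishedName); direct children: $($children.Count)"

    # -ErrorAction Stop turns non-terminating errors into exceptions that the
    # catch block can log, instead of letting them disappear.
    Remove-ADObject -Identity $obj -Recursive -Confirm:$false -ErrorAction Stop
    Write-Diag 'Remove-ADObject completed without error'
}
catch {
    Write-Diag "FAILED: $($_.Exception.GetType().FullName): $($_.Exception.Message)"
    exit 1
}
```

Comparing the "Running as" line and any FAILED entry from this run against an interactive run on the Domain Controller shows whether the difference is the account, the module, or the DN.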