UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
Absent Member.

AD driver remote powershell cmdlet not firing

Hi,

Can anyone assist with this?

We have a requirement to delete all leaf objects in AD when a user is deleted. We have the below, which is working correctly and setting the "psexecute" attribute, which is being fired.

However, the log shows the below when it fires. We have verified that the PSExec service is running on the Remote Loader:

<modify class-name="user" event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" qualified-src-dn="OU=IDV\OU=STUDENTS\CN=User1" src-dn="\IDV\STUDENTS\User1" src-entry-id="510594">
<association>e646e61101e89c47b4ea6309160822b7</association>
<modify-attr attr-name="psexecute">
<remove-all-values/>
<add-value>
<value type="string">Remove-ADObject -Identity (Get-ADUser User1) -Recursive</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[01/25/19 15:09:54.137]:UNI Local ST: Remote Interface Driver: Document sent.
[01/25/19 15:09:55.250]:UNI Local :Remote Interface Driver: Received.
[01/25/19 15:09:55.250]:UNI Local :
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\IDV_TREE\UNI\IDM\UNI Driver Set\UNI Local" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="error" text1="Exchange 2010" type="exchange">Exchange 2010 Exception. code:0x0000274d Connnection Error. Make sure service is Running</status>
<status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="success"/>
</output>
</nds>
[01/25/19 15:09:55.251]:UNI Local :Remote Interface Driver: Received document for subscriber channel
[01/25/19 15:09:55.251]:UNI Local :Remote Interface Driver: Waiting for receive...
[01/25/19 15:09:55.251]:UNI Local ST: SubscriptionShim.execute() returned:
[01/25/19 15:09:55.251]:UNI Local ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\IDV_TREE\UNI\IDM\UNI Driver Set\UNI Local" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="error" text1="Exchange 2010" type="exchange">Exchange 2010 Exception. code:0x0000274d Connnection Error. Make sure service is Running</status>
<status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="success"/>
</output>

We've tested the PowerShell directly and that seems to be correct, but the driver is unable to execute it directly.

Has anyone got any idea?

Thanks in advance
John
15 Replies
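As an added example (not part of the thread and not NetIQ's code), here is a small PowerShell helper that parses the XML document the AD shim returned above and flags the status elements that report an error. The sample document is constructed from the two status lines in the trace. The hex code in that message, 0x0000274d, is 10061, the Winsock WSAECONNREFUSED error: nothing was listening where the driver tried to connect, which matches the "Make sure service is Running" text. The helper also makes the point that a "success" status on the same event-id does not mean the psexecute command was run, because the error status precedes it.

```powershell
# Added triage helper; not from the thread or from the NetIQ driver.
# The XML below is constructed from the status elements in the trace above.
$sample = @'
<nds dtdversion="1.1" ndsversion="8.7">
  <source>
    <product version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="error" text1="Exchange 2010" type="exchange">Exchange 2010 Exception. code:0x0000274d Connnection Error. Make sure service is Running</status>
    <status event-id="sllv-idm02#20190125150954#2#1:c4cfa4e1-0307-4c3a-8c5a-e1a4cfc40703" level="success"/>
  </output>
</nds>
'@

function Get-DriverStatus {
    # Returns one object per <status> element under <nds><output>.
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    foreach ($s in $doc.nds.output.status) {
        $text = $s.InnerText
        $code = $null
        # The shim embeds the Win32/Winsock error as "code:0x........".
        if ($text -match 'code:0x([0-9A-Fa-f]+)') {
            $code = [Convert]::ToInt32($Matches[1], 16)   # 0x274d -> 10061 (WSAECONNREFUSED)
        }
        [pscustomobject]@{
            EventId = $s.'event-id'
            Level   = $s.level
            Type    = $s.type
            Code    = $code
            Message = $text
        }
    }
}

$statuses = Get-DriverStatus -Xml $sample
$statuses | Format-Table -AutoSize

# Group by event-id: an error followed by a success for the same event means
# the shim gave up on the Exchange step, not that the command executed.
$statuses | Group-Object EventId | ForEach-Object {
    $levels = $_.Group.Level -join ','
    if ($_.Group.Level -contains 'error') {
        Write-Warning ("event {0}: statuses [{1}]; treat the event as failed" -f $_.Name, $levels)
    }
}
```

Run it against a saved Remote Loader trace by replacing `$sample` with the contents of the returned document (only the `<nds>` block, not the timestamped prefix lines).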
Admiral

On 29.01.19 18:14, dgersic wrote:
>
> Jevans78;2494492 Wrote:
>> Hi,
>>
>> Yes, I actually just removed the domain name in the trace for security.
>> It is a valid DN as I ran the command directly on the Domain Controller
>> and it dutifully deleted the user and its leaf objects.
>>
>> Thanks
>> John

>
> Ok, just making sure on that one then. The PowerShell service runs as
> system or as a user. Is it running as a user? Does that user have
> sufficient rights to run this script successfully?
>
>


Question: is this the Exchange 2010 Service or the PowerShell Service? There
is a bit of a difference in how they behave.



Casper
Absent Member.

Hi Casper,

To give a bit of background, the driver was trying to use the Exchange 2010 service at first, and the error in the driver log was that the Exchange 2010 service wasn't running.

The driver was set to use Exchange Management interface type (use-cdoexm/use-exch-2007/use-exch-2010) as EXCH 2010, so we changed this to EXCH 2016 and then set the Allow Exchange mailbox move & Allow Exchange mailbox delete to "no".

We removed the Exchange 2010 service and installed the IDMPowershell.exe service, and the driver seems to be using the IDMPowershell.exe, but it doesn't fire, so I'm not sure if that's the case.

I'm presuming the above is a probable cause?
Admiral

On 30.01.19 10:56, Jevans78 wrote:
>
> Hi Casper,
>
> To give a bit of background the driver was trying to use the Exchange
> 2010 service at first and the error in the driver log was that the
> exchange 2010 service wasn't running.
>
> The driver was set to use *Exchange Management interface type
> (use-cdoexm/use-exch-2007/use-exch-2010)* as EXCH 2010, so we changed
> this to EXCH 2016 and then set the Allow Exchange mailbox move & Allow
> Exchange mailbox delete to "no"
>
> We removed the Exchange 2010 service and installed the IDMPowershell.exe
> service and the driver seems to be using the IDMPowershell.exe but it
> doesn't fire so not sure if that's the case.
>
> I'm presuming the above is a probably cause?
>
>


There is a difference in how the 2010 Service functions and how the
PowerShell service functions.

If you use the PowerShell Service and your Exchange Server is remote
to your Remote Loader, then you'll not be able to use AD cmdlets (Local
vs. Remote Runspace - ask Google). The documentation is not really clear
on that (sorry for that).

Which could explain your specific predicament.

The 2010 Exchange Service does not use a Remote Runspace for contacting
Exchange, which should allow it to do AD cmdlets also.



Casper
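The local-versus-remote runspace split Casper describes can be checked directly rather than inferred from the driver trace. The script below is an added example, not from the thread and not NetIQ's code: it lists which account the IDMPowershell.exe service runs as (dgersic's question about rights), then asks the local runspace on the Remote Loader host and the Exchange remote runspace whether each cmdlet exists. Assumptions: the Exchange host name is a placeholder, the registered service path contains "IDMPowershell" (only the executable name is on the page), and the account running the script is allowed to open the Exchange PowerShell endpoint. If Casper's explanation holds, `Remove-ADObject` and `Get-ADUser` resolve locally only when the RSAT ActiveDirectory module is installed, and never inside the Exchange runspace, while `Get-Mailbox` shows the reverse.

```powershell
# Added diagnostic, not from the thread or from NetIQ.
# Placeholders: $ExchangeHost, and the '*IDMPowershell*' service path filter.
param(
    [string]$ExchangeHost = 'exch01.example.invalid',   # placeholder host name
    [string[]]$CommandName = @('Remove-ADObject', 'Get-ADUser', 'Get-Mailbox')
)

# 0. Which account does the Remote Loader's PowerShell service run as?
#    A command that works for an interactive admin can still fail under
#    LocalSystem or an under-privileged service account.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*IDMPowershell*' } |   # assumed path filter
    Select-Object Name, StartName, State

# 1. Local runspace: what the Remote Loader host itself can resolve.
#    AD cmdlets exist here only if the RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
$local = foreach ($n in $CommandName) {
    [pscustomobject]@{
        Runspace  = 'local'
        Command   = $n
        Available = [bool](Get-Command -Name $n -ErrorAction SilentlyContinue)
    }
}

# 2. Remote runspace on the Exchange server through the Exchange endpoint.
#    Importing the session is what the Exchange Management Shell does; the
#    proxy module it returns exports exactly the cmdlets that runspace offers,
#    so anything missing from it cannot be run through that session.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeHost/PowerShell/" -Authentication Kerberos
try {
    $proxy = Import-PSSession -Session $session -DisableNameChecking -AllowClobber
    $remote = foreach ($n in $CommandName) {
        [pscustomobject]@{
            Runspace  = "remote ($ExchangeHost, Microsoft.Exchange)"
            Command   = $n
            Available = [bool]($proxy.ExportedCommands.Keys -contains $n)
        }
    }
} finally {
    if ($proxy)   { Remove-Module $proxy -ErrorAction SilentlyContinue }
    if ($session) { Remove-PSSession $session }
}

@($local) + @($remote) | Format-Table -AutoSize
```

Run it on the Remote Loader host under the same account the service uses (step 0 tells you which), since that is the context in which the driver's psexecute string will actually be evaluated.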
Knowledge Partner

Jevans78;2494465 wrote:
Hi,

Thanks for all the suggestions. @Alex I'll see if I can dig out Sebastijan's style sheet, but for now I've no idea why the psexecute command is not working.

It is sent correctly, and the RL log shows "success" but the object was not deleted.

As a test, I ran the PowerShell command directly in PowerShell and it removed the object children with no prompt.

Does anyone have any idea? Level 3 RL trace of the event being received is below:

<input>
<modify class-name="user" event-id="sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4" qualified-src-dn="O=UNI\OU=IDV\OU=STUDENTS\CN=Student1" src-dn="\IDV_TREE\UNI\IDV\STUDENTS\Student1" src-entry-id="511708">
<association>e646e61101e89c47b4ea6309160822b7</association>
<modify-attr attr-name="psexecute">
<remove-all-values/>
<add-value>
<value type="string">Remove-ADObject -Identity "CN=Student1,OU=STUDENTS,OU=CSM,OU=UNI" -Recursive -Confirm:$false</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/29/19 08:47:08.99]: ADDriver: parse command

className user
destDN
eventId sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4
association e646e61101e89c47b4ea6309160822b7
DirXML: [01/29/19 08:47:08.99]: ADDriver: parse modify class = user
DirXML: [01/29/19 08:47:08.99]: ADDriver: association
DirXML: [01/29/19 08:47:08.99]: ADDriver: e646e61101e89c47b4ea6309160822b7
DirXML: [01/29/19 08:47:08.99]: ADDriver: modify-attr
DirXML: [01/29/19 08:47:08.99]: ADDriver: remove-all-values
DirXML: [01/29/19 08:47:08.99]: ADDriver: add-value
DirXML: [01/29/19 08:47:08.99]: ADDriver: value
DirXML: [01/29/19 08:47:08.99]: ADDriver: Remove-ADObject -Identity "CN=Student1,OU=STUDENTS,OU=CSM,OU=UAL" -Recursive -Confirm:$false
DirXML: [01/29/19 08:47:08.99]: ADDriver: ldap_modify user CN=Student1,OU=STUDENTS,OU=CSM,OU=UAL
LDAPMod operations:
DirXML: [01/29/19 08:47:08.99]: Loader: subscriptionShim->execute() returned:
DirXML: [01/29/19 08:47:08.99]: Loader: XML Document:
DirXML: [01/29/19 08:47:08.99]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\IDV_TREE\UAL\IDM\UAL Driver Set\UAL ArtsLocal">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="success" event-id="sllv-idm02#20190129084708#5#1:6426535e-f4f9-4881-b124-5e532664f9f4"/>
</output>
</nds>
DirXML: [01/29/19 08:47:08.99]:
DirXML Log Event -------------------
Driver = \IDV_TREE\UAL\IDM\UAL Driver Set\UAL ArtsLocal
Thread = Subscriber Channel
Object = \IDV_TREE\UAL\IDV\STUDENTS\Student1
Level = success


I don't see that the remote loader here is actually trying to run your PowerShell command. There's no "ADDriver: Executing Power Shell Command" in this trace.

I don't recall if it matters, but a working example shows "PSExecute", where you have "psexecute". Maybe it's case sensitive? Try that, see what happens. Post the remote loader trace of the event being parsed and processed.