IDMPowershell service errors but returns success

Marcus Tornberg · ‎2019-01-30

Hi!

I have a strange issue with the AD driver and IDMPowershell service.

OS: Windows 2012 R2
IDM: 4.7.1
AD driver version: 4.1.1.0
IDMPowershellService: 4.1.1.0

First a successful execution

DirXML: [01/30/19 10:16:47.48]: Loader: Received 'subscriber execute' document
DirXML: [01/30/19 10:16:47.48]: Loader: XML Document:
DirXML: [01/30/19 10:16:47.48]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>		
<input>
<modify class-name="User" event-id="0">
<association>823f0bc8ac5d3e458e8b72476cd5dc07</association>
<modify-attr attr-name="PSExecute">
<remove-all-values/>
<add-value>
<value>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Enable-DistributionGroup -AllowClobber;
Enable-DistributionGroup -Identity "dummydomain\OurTestGroup"  -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/30/19 10:16:47.48]: Loader: Calling subscriptionShim->execute()
DirXML: [01/30/19 10:16:47.48]: Loader: XML Document:
DirXML: [01/30/19 10:16:47.48]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>		
<input>
<modify class-name="User" event-id="0">
<association>823f0bc8ac5d3e458e8b72476cd5dc07</association>
<modify-attr attr-name="PSExecute">
<remove-all-values/>
<add-value>
<value>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Enable-DistributionGroup -AllowClobber;
Enable-DistributionGroup -Identity "dummydomain\OurTestGroup"  -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/30/19 10:16:47.48]: ADDriver: parse command

  className    User
  destDN       
  eventId      0
  association  823f0bc8ac5d3e458e8b72476cd5dc07
DirXML: [01/30/19 10:16:47.48]: ADDriver: parse modify class = User
DirXML: [01/30/19 10:16:47.48]: ADDriver:   association
DirXML: [01/30/19 10:16:47.48]: ADDriver:     823f0bc8ac5d3e458e8b72476cd5dc07
DirXML: [01/30/19 10:16:47.48]: ADDriver:   modify-attr
DirXML: [01/30/19 10:16:47.48]: ADDriver:     remove-all-values
DirXML: [01/30/19 10:16:47.48]: ADDriver:     add-value
DirXML: [01/30/19 10:16:47.48]: ADDriver:       value
DirXML: [01/30/19 10:16:47.48]: ADDriver:         $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Enable-DistributionGroup -AllowClobber;
Enable-DistributionGroup -Identity "dummydomain\OurTestGroup"  -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession
DirXML: [01/30/19 10:16:47.48]: ADDriver: ldap_modify User CN=OurTestGroup,OU=Distribution,OU=Groups,DC=dummydomain,DC=no
LDAPMod operations:
DirXML: [01/30/19 10:16:47.48]: ADDriver: Executing Power Shell Command:
DirXML: [01/30/19 10:16:47.48]: ADDriver: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Enable-DistributionGroup -AllowClobber;
Enable-DistributionGroup -Identity "dummydomain\OurTestGroup"  -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession
DirXML: [01/30/19 10:16:49.10]: ADDriver: PowerShell: IDM PowerShell Service Response SUCCESS : 
tmp_t1pqaptq.u1p
DL-ADMN-Externe (Administrasjon)
DirXML: [01/30/19 10:16:49.10]: Loader: subscriptionShim->execute() returned:
DirXML: [01/30/19 10:16:49.10]: Loader: XML Document:
DirXML: [01/30/19 10:16:49.10]: <nds ndsversion="8.7" dtdversion="1.1">
	<source>
		<product version="4.1.1.0" asn1id="" build="20180125_120000" instance="\IDM-TEST-TREE\system\driverset1\AD-dummydomain">AD</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<status level="success" event-id="0" type="powershell"/>
		<status level="success" event-id="0"/>
	</output>
</nds>
DirXML: [01/30/19 10:16:49.10]: 
DirXML Log Event -------------------
    Driver  = \IDM-TEST-TREE\system\driverset1\AD-dummydomain
    Thread  = Subscriber Channel
    Level   = success
DirXML: [01/30/19 10:16:49.10]: 
DirXML Log Event -------------------
    Driver  = \IDM-TEST-TREE\system\driverset1\AD-dummydomain
    Thread  = Subscriber Channel
    Level   = success

This is my problem. If I get an error executing my Powershell command, I can see that the IDMPowershell service returns an error:

ADDriver: PowerShell: IDM PowerShell Service Response ERROR :  Cannot process argument transformation on parameter 'MemberDepartRestriction'. Cannot convert value "Closed2" to type "Microsoft.Exchange.Data.Directory.Recipient.MemberUpdateType". Error: "Unable to match the identifier name Closed2 to a valid enumerator name. Specify one of the following enumerator names and try again:
Closed, Open, ApprovalRequired"

But the status message to the engine is success:

<status level="success" event-id="0" type="powershell"/>

Below is a remote loader trace:

DirXML: [01/30/19 10:16:49.17]: Loader: Received 'subscriber execute' document
DirXML: [01/30/19 10:16:49.17]: Loader: XML Document:
DirXML: [01/30/19 10:16:49.17]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>		
<input>
<modify class-name="User" event-id="0">
<association>823f0bc8ac5d3e458e8b72476cd5dc07</association>
<modify-attr attr-name="PSExecute">
<remove-all-values/>
<add-value>
<value>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Set-DistributionGroup -AllowClobber;
Set-DistributionGroup -Identity "dummydomain\OurTestGroup" -MemberDepartRestriction Closed2 -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/30/19 10:16:49.17]: Loader: Calling subscriptionShim->execute()
DirXML: [01/30/19 10:16:49.17]: Loader: XML Document:
DirXML: [01/30/19 10:16:49.17]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>		
<input>
<modify class-name="User" event-id="0">
<association>823f0bc8ac5d3e458e8b72476cd5dc07</association>
<modify-attr attr-name="PSExecute">
<remove-all-values/>
<add-value>
<value>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Set-DistributionGroup -AllowClobber;
Set-DistributionGroup -Identity "dummydomain\OurTestGroup"  -MemberDepartRestriction Closed2 -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/30/19 10:16:49.17]: ADDriver: parse command

  className    User
  destDN       
  eventId      0
  association  823f0bc8ac5d3e458e8b72476cd5dc07
DirXML: [01/30/19 10:16:49.17]: ADDriver: parse modify class = User
DirXML: [01/30/19 10:16:49.17]: ADDriver:   association
DirXML: [01/30/19 10:16:49.17]: ADDriver:     823f0bc8ac5d3e458e8b72476cd5dc07
DirXML: [01/30/19 10:16:49.17]: ADDriver:   modify-attr
DirXML: [01/30/19 10:16:49.17]: ADDriver:     remove-all-values
DirXML: [01/30/19 10:16:49.17]: ADDriver:     add-value
DirXML: [01/30/19 10:16:49.17]: ADDriver:       value
DirXML: [01/30/19 10:16:49.17]: ADDriver:         $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Set-DistributionGroup -AllowClobber;
Set-DistributionGroup -Identity "dummydomain\OurTestGroup"  -MemberDepartRestriction Closed2 -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession
DirXML: [01/30/19 10:16:49.19]: ADDriver: ldap_modify User CN=OurTestGroup,OU=Distribution,OU=Groups,DC=dummydomain,DC=no
LDAPMod operations:
DirXML: [01/30/19 10:16:49.19]: ADDriver: Executing Power Shell Command:
DirXML: [01/30/19 10:16:49.19]: ADDriver: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Set-DistributionGroup -AllowClobber;
Set-DistributionGroup -Identity "dummydomain\OurTestGroup"  -MemberDepartRestriction Closed2 -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession
DirXML: [01/30/19 10:16:49.66]: ADDriver: PowerShell: IDM PowerShell Service Response ERROR :  Cannot process argument transformation on parameter 'MemberDepartRestriction'. Cannot convert value "Closed2" to type "Microsoft.Exchange.Data.Directory.Recipient.MemberUpdateType". Error: "Unable to match the identifier name Closed2 to a valid enumerator name. Specify one of the following enumerator names and try again:
Closed, Open, ApprovalRequired"
DirXML: [01/30/19 10:16:49.66]: Loader: subscriptionShim->execute() returned:
DirXML: [01/30/19 10:16:49.66]: Loader: XML Document:
DirXML: [01/30/19 10:16:49.66]: <nds ndsversion="8.7" dtdversion="1.1">
	<source>
		<product version="4.1.1.0" asn1id="" build="20180125_120000" instance="\IDM-TEST-TREE\system\driverset1\AD-dummydomain">AD</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<status level="success" event-id="0" type="powershell"/>
		<status level="success" event-id="0"/>
	</output>
</nds>
DirXML: [01/30/19 10:16:49.66]: 
DirXML Log Event -------------------
    Driver  = \IDM-TEST-TREE\system\driverset1\AD-dummydomain
    Thread  = Subscriber Channel
    Level   = success
DirXML: [01/30/19 10:16:49.66]: 
DirXML Log Event -------------------
    Driver  = \IDM-TEST-TREE\system\driverset1\AD-dummydomain
    Thread  = Subscriber Channel
    Level   = success

Any ideas to what is causing this?

Best regards
Marcus

dgersic · ‎2019-01-30

marcus_jonsson;2494538 wrote:
Hi!

I have a strange issue with the AD driver and IDMPowershell service.

OS: Windows 2012 R2
IDM: 4.7.1
AD driver version: 4.1.1.0
IDMPowershellService: 4.1.1.0

First a successful execution

DirXML: [01/30/19 10:16:47.48]: Loader: Received 'subscriber execute' document
DirXML: [01/30/19 10:16:47.48]: Loader: XML Document:
DirXML: [01/30/19 10:16:47.48]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>		
<input>
<modify class-name="User" event-id="0">
<association>823f0bc8ac5d3e458e8b72476cd5dc07</association>
<modify-attr attr-name="PSExecute">
<remove-all-values/>
<add-value>
<value>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Enable-DistributionGroup -AllowClobber;
Enable-DistributionGroup -Identity "dummydomain\OurTestGroup"  -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/30/19 10:16:47.48]: Loader: Calling subscriptionShim->execute()
DirXML: [01/30/19 10:16:47.48]: Loader: XML Document:
DirXML: [01/30/19 10:16:47.48]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>		
<input>
<modify class-name="User" event-id="0">
<association>823f0bc8ac5d3e458e8b72476cd5dc07</association>
<modify-attr attr-name="PSExecute">
<remove-all-values/>
<add-value>
<value>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Enable-DistributionGroup -AllowClobber;
Enable-DistributionGroup -Identity "dummydomain\OurTestGroup"  -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/30/19 10:16:47.48]: ADDriver: parse command

  className    User
  destDN       
  eventId      0
  association  823f0bc8ac5d3e458e8b72476cd5dc07
DirXML: [01/30/19 10:16:47.48]: ADDriver: parse modify class = User
DirXML: [01/30/19 10:16:47.48]: ADDriver:   association
DirXML: [01/30/19 10:16:47.48]: ADDriver:     823f0bc8ac5d3e458e8b72476cd5dc07
DirXML: [01/30/19 10:16:47.48]: ADDriver:   modify-attr
DirXML: [01/30/19 10:16:47.48]: ADDriver:     remove-all-values
DirXML: [01/30/19 10:16:47.48]: ADDriver:     add-value
DirXML: [01/30/19 10:16:47.48]: ADDriver:       value
DirXML: [01/30/19 10:16:47.48]: ADDriver:         $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Enable-DistributionGroup -AllowClobber;
Enable-DistributionGroup -Identity "dummydomain\OurTestGroup"  -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession
DirXML: [01/30/19 10:16:47.48]: ADDriver: ldap_modify User CN=OurTestGroup,OU=Distribution,OU=Groups,DC=dummydomain,DC=no
LDAPMod operations:
DirXML: [01/30/19 10:16:47.48]: ADDriver: Executing Power Shell Command:
DirXML: [01/30/19 10:16:47.48]: ADDriver: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Enable-DistributionGroup -AllowClobber;
Enable-DistributionGroup -Identity "dummydomain\OurTestGroup"  -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession
DirXML: [01/30/19 10:16:49.10]: ADDriver: PowerShell: IDM PowerShell Service Response SUCCESS : 
tmp_t1pqaptq.u1p
DL-ADMN-Externe (Administrasjon)
DirXML: [01/30/19 10:16:49.10]: Loader: subscriptionShim->execute() returned:
DirXML: [01/30/19 10:16:49.10]: Loader: XML Document:
DirXML: [01/30/19 10:16:49.10]: <nds ndsversion="8.7" dtdversion="1.1">
	<source>
		<product version="4.1.1.0" asn1id="" build="20180125_120000" instance="\IDM-TEST-TREE\system\driverset1\AD-dummydomain">AD</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<status level="success" event-id="0" type="powershell"/>
		<status level="success" event-id="0"/>
	</output>
</nds>
DirXML: [01/30/19 10:16:49.10]: 
DirXML Log Event -------------------
    Driver  = \IDM-TEST-TREE\system\driverset1\AD-dummydomain
    Thread  = Subscriber Channel
    Level   = success
DirXML: [01/30/19 10:16:49.10]: 
DirXML Log Event -------------------
    Driver  = \IDM-TEST-TREE\system\driverset1\AD-dummydomain
    Thread  = Subscriber Channel
    Level   = success

This is my problem. If I get an error executing my Powershell command, I can see that the IDMPowershell service returns an error:

ADDriver: PowerShell: IDM PowerShell Service Response ERROR :  Cannot process argument transformation on parameter 'MemberDepartRestriction'. Cannot convert value "Closed2" to type "Microsoft.Exchange.Data.Directory.Recipient.MemberUpdateType". Error: "Unable to match the identifier name Closed2 to a valid enumerator name. Specify one of the following enumerator names and try again:
Closed, Open, ApprovalRequired"

But the status message to the engine is success:

<status level="success" event-id="0" type="powershell"/>

Below is a remote loader trace:

DirXML: [01/30/19 10:16:49.17]: Loader: Received 'subscriber execute' document
DirXML: [01/30/19 10:16:49.17]: Loader: XML Document:
DirXML: [01/30/19 10:16:49.17]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>		
<input>
<modify class-name="User" event-id="0">
<association>823f0bc8ac5d3e458e8b72476cd5dc07</association>
<modify-attr attr-name="PSExecute">
<remove-all-values/>
<add-value>
<value>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Set-DistributionGroup -AllowClobber;
Set-DistributionGroup -Identity "dummydomain\OurTestGroup" -MemberDepartRestriction Closed2 -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/30/19 10:16:49.17]: Loader: Calling subscriptionShim->execute()
DirXML: [01/30/19 10:16:49.17]: Loader: XML Document:
DirXML: [01/30/19 10:16:49.17]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>		
<input>
<modify class-name="User" event-id="0">
<association>823f0bc8ac5d3e458e8b72476cd5dc07</association>
<modify-attr attr-name="PSExecute">
<remove-all-values/>
<add-value>
<value>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Set-DistributionGroup -AllowClobber;
Set-DistributionGroup -Identity "dummydomain\OurTestGroup"  -MemberDepartRestriction Closed2 -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [01/30/19 10:16:49.17]: ADDriver: parse command

  className    User
  destDN       
  eventId      0
  association  823f0bc8ac5d3e458e8b72476cd5dc07
DirXML: [01/30/19 10:16:49.17]: ADDriver: parse modify class = User
DirXML: [01/30/19 10:16:49.17]: ADDriver:   association
DirXML: [01/30/19 10:16:49.17]: ADDriver:     823f0bc8ac5d3e458e8b72476cd5dc07
DirXML: [01/30/19 10:16:49.17]: ADDriver:   modify-attr
DirXML: [01/30/19 10:16:49.17]: ADDriver:     remove-all-values
DirXML: [01/30/19 10:16:49.17]: ADDriver:     add-value
DirXML: [01/30/19 10:16:49.17]: ADDriver:       value
DirXML: [01/30/19 10:16:49.17]: ADDriver:         $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Set-DistributionGroup -AllowClobber;
Set-DistributionGroup -Identity "dummydomain\OurTestGroup"  -MemberDepartRestriction Closed2 -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession
DirXML: [01/30/19 10:16:49.19]: ADDriver: ldap_modify User CN=OurTestGroup,OU=Distribution,OU=Groups,DC=dummydomain,DC=no
LDAPMod operations:
DirXML: [01/30/19 10:16:49.19]: ADDriver: Executing Power Shell Command:
DirXML: [01/30/19 10:16:49.19]: ADDriver: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange1.dummydomain.com/PowerShell/ -Authentication Kerberos -ErrorAction SilentlyContinue;
Import-PSSession $Session -CommandName Set-DistributionGroup -AllowClobber;
Set-DistributionGroup -Identity "dummydomain\OurTestGroup"  -MemberDepartRestriction Closed2 -DomainController dc1.dummydomain.com;
Get-PSSession | Remove-PSSession
DirXML: [01/30/19 10:16:49.66]: ADDriver: PowerShell: IDM PowerShell Service Response ERROR :  Cannot process argument transformation on parameter 'MemberDepartRestriction'. Cannot convert value "Closed2" to type "Microsoft.Exchange.Data.Directory.Recipient.MemberUpdateType". Error: "Unable to match the identifier name Closed2 to a valid enumerator name. Specify one of the following enumerator names and try again:
Closed, Open, ApprovalRequired"
DirXML: [01/30/19 10:16:49.66]: Loader: subscriptionShim->execute() returned:
DirXML: [01/30/19 10:16:49.66]: Loader: XML Document:
DirXML: [01/30/19 10:16:49.66]: <nds ndsversion="8.7" dtdversion="1.1">
	<source>
		<product version="4.1.1.0" asn1id="" build="20180125_120000" instance="\IDM-TEST-TREE\system\driverset1\AD-dummydomain">AD</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<status level="success" event-id="0" type="powershell"/>
		<status level="success" event-id="0"/>
	</output>
</nds>
DirXML: [01/30/19 10:16:49.66]: 
DirXML Log Event -------------------
    Driver  = \IDM-TEST-TREE\system\driverset1\AD-dummydomain
    Thread  = Subscriber Channel
    Level   = success
DirXML: [01/30/19 10:16:49.66]: 
DirXML Log Event -------------------
    Driver  = \IDM-TEST-TREE\system\driverset1\AD-dummydomain
    Thread  = Subscriber Channel
    Level   = success

Any ideas to what is causing this?

Best regards
Marcus

If I recall correctly, that's how this works. The "success" is that it successfully launched the PowerShell command. It doesn't report back whether or not it actually worked. For that, you need the Scripting driver.

geoffc · ‎2019-01-31

>
> If I recall correctly, that's how this works. The "success" is that it
> successfully launched the PowerShell command. It doesn't report back
> whether or not it actually worked. For that, you need the Scripting
> driver.

I sort of agree and disagree with David. This is a weakness of the
PSExecute approach. It really does not return much.

However I disagree ince i HAVE gotten errors back. Of course that could
comply with David's comment that the errors i have seen return are when
it fails to launch the command. But I cannot recall for certain.

They were trying to be helpful, not replace a scripting driver.

The Azure driver in some ways is better (newer PS service, that is REST
based) and worse (Since some of it is shown in RL trace but accessible
in policy).

dgersic · ‎2019-01-31

geoffc;2494623 wrote:
>
> If I recall correctly, that's how this works. The "success" is that it
> successfully launched the PowerShell command. It doesn't report back
> whether or not it actually worked. For that, you need the Scripting
> driver.

I sort of agree and disagree with David. This is a weakness of the
PSExecute approach. It really does not return much.

However I disagree ince i HAVE gotten errors back. Of course that could
comply with David's comment that the errors i have seen return are when
it fails to launch the command. But I cannot recall for certain.

They were trying to be helpful, not replace a scripting driver.

The Azure driver in some ways is better (newer PS service, that is REST
based) and worse (Since some of it is shown in RL trace but accessible
in policy).

I'd like to see better support for PSExecute with actual error handling / error return in the MAD driver. It doesn't, should not, replace the Scripting driver, but the way MS is making "everything" PowerShell enabled, we're going to see a lot more use of various PowerShell things needed, just to be able to do "everything" we need to do.

geoffc · ‎2019-02-03

On 1/31/2019 12:24 PM, dgersic wrote:
>
> geoffc;2494623 Wrote:
>>>
>>> If I recall correctly, that's how this works. The "success" is that
>> it
>>> successfully launched the PowerShell command. It doesn't report back
>>> whether or not it actually worked. For that, you need the Scripting
>>> driver.
>>
>> I sort of agree and disagree with David. This is a weakness of the
>> PSExecute approach. It really does not return much.
>>
>> However I disagree ince i HAVE gotten errors back. Of course that could
>> comply with David's comment that the errors i have seen return are when
>> it fails to launch the command. But I cannot recall for certain.
>>
>> They were trying to be helpful, not replace a scripting driver.
>>
>> The Azure driver in some ways is better (newer PS service, that is REST
>> based) and worse (Since some of it is shown in RL trace but accessible
>> in policy).
>
> I'd like to see better support for PSExecute with actual error handling
> / error return in the MAD driver. It doesn't, should not, replace the
> Scripting driver, but the way MS is making "everything" PowerShell
> enabled, we're going to see a lot more use of various PowerShell things
> needed, just to be able to do "everything" we need to do.

Agreed, and hardcoding a shim to map XDS events/attributes to PowerShell
is not a good plan either.

Marcus Tornberg · ‎2019-02-06

Hi.

I know 100% that I have seen errors returned back to the engine in the past. I just cannot recall what versions of AD-driver and IDMPowerShell service. So obviously something has changed to limit what is being returned from executing powershell commands.

I think this is really bad as executing Powershell commands from an Identity Manager solution should not be a premium function (require a licensed Scripting driver) in my opinion.

It makes me want to write an open source C# PowerShell driver that just can execute Powershell commands and return actual results. Lets see if that happens.

Best regards
Marcus

geoffc · ‎2019-02-07

On 2/6/2019 8:04 AM, marcus jonsson wrote:
>
> Hi.
>
> I know 100% that I have seen errors returned back to the engine in the
> past. I just cannot recall what versions of AD-driver and IDMPowerShell
> service. So obviously something has changed to limit what is being
> returned from executing powershell commands.
>
> I think this is really bad as executing Powershell commands from an
> Identity Manager solution should not be a premium function (require a
> licensed Scripting driver) in my opinion.
>
> It makes me want to write an open source C# PowerShell driver that just
> can execute Powershell commands and return actual results. Lets see if
> that happens.

Do it!!!!

Share it!!!

🙂

Engine-Drivers