Forums on Intune, SCCM, and Windows 11


SOLVED Permission issue with SCCM and Active Directory

  • Thread starter: ikkhatri
  • Replies: 2
  • Views: 5K
Status: Not open for further replies.

ikkhatri

Active Member
Messages
35
Solutions
2
Reaction score
3
Points
8
Hi Guys,
Reaching out for some assistance.
I have created a config baseline/item where the discovery checks to see if a machine is part of the security group.
If the evaluation is true, it moves the device to another OU.
Problem:
Move-ADObject : Access is denied
At line:7 char:1
+ Move-ADObject -Identity "$Identity" -TargetPath $OUTargetPath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (CN=00155D01023C...inetwork,DC=com:ADObject) [Move-ADObject], UnauthorizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.MoveADObject

start-transcript : Transcription cannot be started.
At line:10 char:1
+ start-transcript "C:\Windows\temp\remediationscript.log"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Transcript], PSInvalidOperationException
+ FullyQualifiedErrorId : CannotStartTranscription,Microsoft.PowerShell.Commands.StartTranscriptCommand

Focus:
Move-ADObject : Access is denied
I can confirm the SCCM Server$ Computer Account has full control on the System Management container and also in AD (domain root level).
The Network Access Account is using its own dedicated service account.
When I use my domain admin account and run the script it works fine, so I know this is a permission issue. But how do I fix this?

Thanks.
What do you mean that you are using a NAA? How are you expecting a CI to use it?
What does your CI look like?
Have you tested your CI using the local system account? https://www.recastsoftware.com/resources/how-to-access-the-local-system-account/
Disregard the NAA part. Since I already had a package to run PowerShell in Software Center, I ran PowerShell (which uses the SYSTEM account) and then tested the script that way. I overlooked something; by granting my $SCCMSERVERCOMPUTER access to AD, this was resolved.

Thanks
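
An added diagnostic example (not part of the thread and not code from either poster): run from the same SYSTEM-context PowerShell session used for the test above, it shows which identity the script runs as and which access-control entries a given account holds on the computer object, its current container and the target OU. The account name and target OU are placeholders, and the function name Get-MoveRelevantAce is hypothetical.

```powershell
# Added example: the values below are placeholders, replace them with your own.
Import-Module ActiveDirectory            # also provides the AD: drive used by Get-Acl

$Account      = 'EXAMPLE\SCCMSERVER$'            # placeholder: account expected to perform the move
$OUTargetPath = 'OU=Target,DC=example,DC=com'    # placeholder: destination OU

# Rights that matter for a move inside a domain: Delete on the object or
# DeleteChild on its current parent, CreateChild on the destination, and
# WriteProperty on the naming attributes. GenericAll (Full Control) covers all.
$MoveRights = [System.DirectoryServices.ActiveDirectoryRights] 'Delete, DeleteChild, CreateChild, WriteProperty, GenericAll'

function Get-MoveRelevantAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Account
    )
    # Direct ACEs only: rights granted through group membership are not resolved here.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and
                       ($_.ActiveDirectoryRights -band $MoveRights) } |
        Select-Object @{ Name = 'Object'; Expression = { $DistinguishedName } },
                      AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited
}

# Local identity of this session. A SYSTEM session reports NT AUTHORITY\SYSTEM and
# authenticates to AD over the network as the machine's own computer account.
"Running as: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$computer     = Get-ADComputer -Identity $env:COMPUTERNAME
# Strip the first RDN (up to the first unescaped comma) to get the current parent container.
$sourceParent = $computer.DistinguishedName -replace '^CN=.+?(?<!\\),', ''

$aces = foreach ($dn in $computer.DistinguishedName, $sourceParent, $OUTargetPath) {
    Get-MoveRelevantAce -DistinguishedName $dn -Account $Account
}
if ($aces) { $aces | Format-Table -AutoSize }
else { "No direct ACE for $Account grants move-related rights on the checked objects." }
```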