Well, I tried running Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$ADUserDN)" through SCSM and outputting the result to a log file. Nothing is outputted. The same script has no issue reading and manipulating Users but seems to have trouble with Groups. It does sound like a permission problem, but the Work Flow account and Service account can run the script through ISE. I also tried running procmon and filtering on "denied" results, but nothing came up.

From: listsad...@lists.myitforum.com On Behalf Of Brandon Ryan
Sent: Friday, January 9, 2015 12:01 PM
To: servman@lists.myitforum.com
Subject: [servman] RE: powershell script in SCSM 2010 workflow

If all else fails, whenever I find an issue that has to do with context like this in PowerShell, sometimes I have gotten away with using New-PsSession and Invoke-Command to run the block of code in its own sandbox on the same machine or to run it remotely on a different machine. I'd save that for a last resort, but it may be something to keep in your toolbelt.

Brandon Ryan

From: listsad...@lists.myitforum.com On Behalf Of Costello, Michael
Sent: Friday, January 9, 2015 11:55 AM
To: servman@lists.myitforum.com
Subject: [servman] RE: powershell script in SCSM 2010 workflow

The script does work in ISE as the workflow account. I also tried the service account just to be sure, and it also works in ISE for that user.

From: listsad...@lists.myitforum.com On Behalf Of Brandon Ryan
Sent: Friday, January 9, 2015 11:47 AM
To: servman@lists.myitforum.com
Subject: [servman] RE: powershell script in SCSM 2010 workflow

One other thought, does the account you have defined as the Service Manager Workflow RunAs account have permissions on the active directory to get the groups of the user? Try running the script in the ISE as the workflow account user and see if it has the same behavior.

Brandon Ryan
Software Engineer
ClearPointe

From: listsad...@lists.myitforum.com On Behalf Of Costello, Michael
Sent: Friday, January 9, 2015 11:25 AM
To: servman@lists.myitforum.com
Subject: [servman] RE: powershell script in SCSM 2010 workflow

Sorry, forgot to say that is the only parameter being passed to the activity. That part works.

Michael Costello
Nebraska Department of Roads
IT Infrastructure Support Analyst
402-479-3827

From: listsad...@lists.myitforum.com On Behalf Of Brandon Ryan
Sent: Friday, January 9, 2015 11:09 AM
To: servman@lists.myitforum.com
Subject: [servman] RE: powershell script in SCSM 2010 workflow

Where is $activity_id being set? Have you checked to see if it is blank in the script when running as part of the workflow? Do you have a param() statement at the beginning of the script to accept parameters from the workflow? You must also define parameters to send data from the workflow into the script.

From: listsad...@lists.myitforum.com On Behalf Of Costello, Michael
Sent: Friday, January 9, 2015 9:40 AM
To: servman@lists.myITforum.com
Subject: [servman] powershell script in SCSM 2010 workflow

Hello all,

I have a custom management pack created through the authoring tool. In the work flow all I have is a powershell script to run and a set activity status to completed, see below.

The simplified script is as follows:

    Function GetGroups ($object)
    {
        Get-ADPrincipalGroupMembership $object | ForEach `
        {
            $_
            Get-ADPrincipalGroupMembership $_
        }
    }

    Import-Module "C:\Program Files\Common Files\SMLets\SMLets.Module.dll"
    Import-Module ActiveDirectory -Force

    #Grab all the information from the activity
    $activity = get-scsmobject -class (get-scsmclass -name UARTerminationActivityClass) -filter "ID -eq $activity_id"
    $Username = $activity.Username
    $memberof = (GetGroups $Username | Select name).name

The script is designed to find all the AD groups an inputted user is a member of recursively. When I run the script in ISE it works fine. But when executed through SCSM $memberof is blank, I verified by having it output $memberof to a log file. I have tried a couple different methods of finding the groups but each time the variable is returned blank. I have tried using Try/Catch for debugging, but no errors occur. I have been scouring the web for an explanation but I haven't found one yet. Can anyone help me understand what's happening?

Thanks,
Michael
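
A diagnostic sketch that combines the suggestions made in this thread (a param() block, a separate session via New-PSSession and Invoke-Command, and the matching-rule LDAP filter), added here as an example and not code from any of the posters. It assumes PowerShell remoting is enabled on the local machine and uses a hypothetical log path; -ErrorAction Stop is set so that Try/Catch also receives errors that are otherwise non-terminating.

```powershell
# Added diagnostic example; not the poster's script.
param([string]$activity_id)            # value passed in by the workflow activity

$log = 'C:\Temp\scsm-groups.log'       # hypothetical log path (assumption)
function Write-Log($msg) { Add-Content -Path $log -Value ("{0:s} {1}" -f (Get-Date), $msg) }

# Record the context the workflow host actually gives the script.
Write-Log ("Identity : " + [Security.Principal.WindowsIdentity]::GetCurrent().Name)
Write-Log ("PSVersion: " + $PSVersionTable.PSVersion)
Write-Log ("64-bit   : " + ([IntPtr]::Size -eq 8))
Write-Log ("activity : '$activity_id'")

# Runs in its own session, so it depends on nothing loaded by the workflow host.
$lookup = {
    param($sam)
    Import-Module ActiveDirectory -ErrorAction Stop
    $dn = (Get-ADUser -Identity $sam -ErrorAction Stop).DistinguishedName
    # Escape LDAP filter metacharacters in the DN (backslash first).
    $safe = $dn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    # Matching-rule-in-chain filter from the thread: every group, nested ones included.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$safe)" -ErrorAction Stop |
        Select-Object -ExpandProperty Name   # also works on PowerShell 2.0, unlike (collection).Name
}

try {
    Import-Module 'C:\Program Files\Common Files\SMLets\SMLets.Module.dll' -ErrorAction Stop
    $class    = Get-SCSMClass -Name UARTerminationActivityClass
    $activity = Get-SCSMObject -Class $class -Filter "ID -eq $activity_id"
    $Username = $activity.Username
    Write-Log "Username : '$Username'"

    $session  = New-PSSession -ComputerName localhost -ErrorAction Stop
    $memberof = @(Invoke-Command -Session $session -ScriptBlock $lookup `
                                 -ArgumentList $Username -ErrorAction Stop)
    Write-Log ("Groups   : {0} found" -f $memberof.Count)
    $memberof | ForEach-Object { Write-Log "  $_" }
}
catch {
    Write-Log ("ERROR    : " + $_.Exception.Message)
}
finally {
    if ($session) { Remove-PSSession $session }
}
```

Comparing the Identity, PSVersion and 64-bit lines from a workflow run with the same lines from an ISE run shows whether the two hosts really execute the script in the same context.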