Access Denied when running Set-ADUser with delegated rights

Hi,

When a user with delegated rights runs a script to change a specific field, he gets the message "access denied".

If he changes the value over the ADUC snap-in, he can change the field where he has the rights.

if ($objext2txtbox.text -ne "") {
    set-aduser -Identity $user.DistinguishedName[0] -Replace @{employeeNumber=@($objext2txtbox.text)}
} else {
    $user.employeeNumber.clear()
}

Above is the code snippet where the change is set. If the complete code is required, I can post that one too.

Best regards

Malte

March 25th, 2015 12:52pm

if ($objext2txtbox.text -ne "") {
    set-aduser -Identity $user.DistinguishedName[0] -Replace @{employeeNumber=$($objext2txtbox.text)}
} else {
    # this won't work.
    $user.employeeNumber.clear()
}


March 25th, 2015 1:37pm

I changed the part which you said doesn't work:

if ($objext2txtbox.text -ne "") {
    set-aduser -Identity $user.DistinguishedName[0] -Replace @{employeeNumber=@($objext2txtbox.text)}
} else {
    set-aduser -Identity $user.DistinguishedName[0] -employeeNumber $null
}


But the delegated user account still can't change the given field.

I used the code from this one https://gallery.technet.microsoft.com/scriptcenter/Getting-Users-ALL-7417b71d and changed some small things, like the code snippet shown.

April 10th, 2015 11:18am

You changed it wrong. Go back and look at the example.

You cannot set a value to $null.

Forget about the form. Try to do it at a command prompt first. When you finally understand the cmdlet, then you can try to do it in a form.

April 10th, 2015 11:31am

So then you can explain to me why I can run the same script with domain admin rights and set the value to $null. And on the official site from Microsoft for Set-ADUser, the way to empty the value is to set the value to $null:

ServicePrincipalNames

Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add, remove, replace or clear service principal name values.

Syntax:
To add values:
-ServicePrincipalNames @{Add=value1,value2,...}
To remove values:
-ServicePrincipalNames @{Remove=value3,value4,...}
To replace values:
-ServicePrincipalNames @{Replace=value1,value2,...}
To clear all values:
-ServicePrincipalNames $null

April 10th, 2015 11:46am

That is not employeeNumber.

The rest of the code is not what I posted. Look at the difference. You replaced $ with a @, which won't work.

You also fail to say what error you are getting, which should tell you what the issue is. Look closely at the error.

Doing this under a forms designer makes seeing the error a bit difficult.

April 10th, 2015 2:30pm

Thank you for your help. First of all, the error says "exception calling with 0 argument(s) Access denied", but at the point in the form $user.setinfo(). The data is written to the account, but will not be updated directly, only after I click again on select. If I run it with domain admin rights it works like a charm.

To empty an attribute you have to use $null in PowerShell: https://technet.microsoft.com/de-de/library/ee617215.aspx

The commands run in PowerShell alone without any problems.

April 13th, 2015 3:27am

OK - I will try this once more:

At a PowerShell prompt (CLI) type this command:

set-aduser -Identity username -Replace @{employeeNumber='122345'}

If you correctly delegated the rights, it will work. After you can make it work at a prompt, then you can try to do it in a form.


April 13th, 2015 3:33am
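An added example, not code from any poster in this thread: a check to run at a PowerShell prompt as the delegated account, as the last reply suggests, that lists which ACEs on the user object grant write access to employeeNumber, then sets and clears the attribute with Set-ADUser (its -Clear parameter is the supported way to empty an attribute). It assumes the ActiveDirectory module is loaded and uses the placeholder sAMAccountName 'jdoe'; because the thread's error came from the form's $user.setinfo() call, running Set-ADUser alone separates a delegation problem from a script problem.

```powershell
# Added example; not code from this thread. Assumes the ActiveDirectory module
# and a placeholder sAMAccountName 'jdoe'. Run it as the delegated account.
Import-Module ActiveDirectory

$sam  = 'jdoe'   # placeholder account to modify
$user = Get-ADUser -Identity $sam -Properties employeeNumber

# 1. List the ACEs on the user object that allow WriteProperty on employeeNumber.
#    Property-specific ACEs carry the attribute's schemaIDGUID in ObjectType;
#    an empty GUID means the ACE covers all properties.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=employeeNumber)' -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID
$write    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $write) -ne 0) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# 2. Write the attribute the way the last reply shows, then empty it with -Clear.
#    -ErrorAction Stop turns a failure into a terminating error the catch block sees.
try {
    Set-ADUser -Identity $user.DistinguishedName -Replace @{employeeNumber='122345'} -ErrorAction Stop
    Set-ADUser -Identity $user.DistinguishedName -Clear employeeNumber -ErrorAction Stop
    'Both operations succeeded; the delegation covers employeeNumber.'
} catch {
    # Show the full exception instead of the form's bare "Access denied".
    $_.Exception.GetType().FullName
    $_.Exception.Message
}
```

If step 1 prints no ACE for the delegated account (directly or via a group it belongs to), the delegation itself is what to fix; if an ACE is present but step 2 still fails, the problem is in how the script calls the cmdlet.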
