How to give FIMService account required permissions to remove users from AD security groups?
This Access Denied problem is driving me crazy. I have a simple PowerShell script to remove a specific user from all groups he is a member of. The PowerShell is run from a CustomActivity. I can modify AD attributes and read Group data, but it seems something prevents me when I try a remove. I have added the FIMService AD account to Organizational Management (for Exchange mods) and given this group Full Control over the OU where the FIM-managed security groups are.

My ps script can't be much simpler:

    Param($id)
    $ErrorActionPreference = "stop"

    if ($id -eq $null) {
        $x = "A username parameter must be provided."
        $x
        exit
    }

    # Search for the user by sAMAccountName under the default naming context
    $dsd = New-Object System.DirectoryServices.DirectoryEntry
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter = "(&(objectCategory=person)(objectClass=user)(samAccountName=$id))"
    $dn = $ds.FindOne()

    if ($dn -eq $null -or $dn.Count -eq 0) {
        $x = "No user found with username=" + $id
        $x
        exit
    }

    $output = ""
    $userDN = $dn.Path             # ADsPath of the user, e.g. LDAP://CN=...
    $user = [ADSI]$userDN
    $output = $output + "User DN is: " + $userDN

    # Walk the user's memberOf back-links and remove the user from each group
    foreach ($group in $user.memberof) {
        $output = $output + " Modifying Group: " + $group
        $groupDE = [ADSI]"LDAP://$group"
        $output = $output + " Removing: " + $userDN + " from Group " + $group
        $groupDE.remove($userDN)   # IADsGroup::Remove takes the member's ADsPath
    }
    $output

BUT no matter what I try to fiddle with FIMService and its permissions, I get an exception thrown:

    Powershell script exited with error: Exception calling "remove" with "1" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

Lots of questions: Is it a FIM Service related problem? Is it an AD problem? Has anyone gotten this sort of thing to work, and if so, how? *HH
June 15th, 2012 5:46am

Since you're using the ADSI object model, I think from memory you need to call a commit() after each remove. I think these days using the .Net DirectoryObject class is considered more mainstream.

Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
June 15th, 2012 10:39am

[ADSI] in PowerShell constructs a DirectoryEntry on the fly for you. Bob is correct that you need to add a CommitChanges() call at the end, though. As to your permissions issue, the FIM Service service account needs Write Property on the member attribute of the groups in question. The Exchange Org Mgmt group does not give you this access.

My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
June 15th, 2012 2:48pm
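Brian's answer names the permission that actually matters; as an added example that is not from this thread, here is how that Write Property grant on the member attribute can be delegated to the service account for every group under one OU using the ActiveDirectory module, which is a much narrower grant than membership in a built-in operators group. The OU distinguished name and the service account name are assumed placeholders.

```powershell
# Added example (not from the thread): delegate Write Property on the 'member'
# attribute of group objects under an OU to a service account.
# Assumed placeholders: the OU DN and the service account sAMAccountName.
Import-Module ActiveDirectory

$ouDN   = "OU=FIM Groups,DC=example,DC=com"   # assumed placeholder
$svcSam = "FIMService"                         # assumed placeholder

$sid      = (Get-ADUser -Identity $svcSam).SID
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schema GUIDs of the 'member' attribute and the 'group' class,
# so the ACE is scoped to exactly that attribute on exactly that object type.
$memberGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=member)" -Properties schemaIDGUID).schemaIDGUID
$groupGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=group)"  -Properties schemaIDGUID).schemaIDGUID

# Allow: WriteProperty on 'member', inherited by descendant 'group' objects only.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs on the OU that apply to the service account and 'member'.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$svcSam" -and $_.ObjectType -eq $memberGuid } |
    Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType

# Equivalent one-liner with dsacls (domain NetBIOS name is an assumed placeholder):
#   dsacls "OU=FIM Groups,DC=example,DC=com" /I:S /G "EXAMPLE\FIMService:WP;member;group"
```

Run it as an account that can modify the OU's security descriptor, then re-run the removal script as the service account and confirm the E_ACCESSDENIED no longer occurs.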

Sorry to be a PowerShell/C# dummy, but for the past 15 years we have been developing in Java. ADSI seemed the natural way to go (for me). My guess is that the Directory object is just ADO/ADSI in an ugly wrapper. Thanks for the tip about the member attribute write right being needed. Something to investigate.
June 15th, 2012 3:34pm

> Sorry to be a PowerShell/C# dummy, but for the past 15 years we have been developing in Java. ADSI seemed the natural way to go (for me). My guess is that the Directory object is just ADO/ADSI in an ugly wrapper.

The way you're doing this is fine.

My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
June 15th, 2012 3:35pm

Sorry, but you answered me (or pointed me in the right direction): making the FIMService account a member of the Account Operators group solved my rights issue.
June 30th, 2012 1:21pm
