Get-ADUser - Scheduled Task

Hi All,

I have a task that's run to read various properties for all users in the domain from Get-ADUser. The issue, though, is that the task runs and completes in two seconds. Of course, nothing is exported. If I run the task under my domain admin account it works fine, but on a normal domain user account it fails. Any idea what permissions are required to use the ActiveDirectory PowerShell module?

July 25th, 2013 8:51am

Unless you have added some arbitrary restrictions to your AD, all users should be able to examine the attributes of all AD objects.

When you say it works for an admin account but not for a normal domain user, are you running it interactively or as a scheduled task? To separate user access issues from task-related issues, I'd suggest you work on getting it to run interactively for a domain user.

When you do, are any errors produced? Where is the output exported? Perhaps this is to a location where domain users lack read/write access.

July 25th, 2013 9:55am

Also, if the machine is Server 2008 or Win 7 or greater, I would look in the event logs at Event Viewer --> Applications and Services --> Windows PowerShell to see if there are any log entries that indicate what went wrong.

July 25th, 2013 10:08am

This AD is heavily restricted; however, as you said, any Domain User should be able to query AD.

I've created the task and been running it under my user account; however, on switching to a non-admin account, the task runs and stops straight away. As you said, I need to try interactively, but the service account I have been given is fairly restricted, so it cannot log on interactively to servers.

No errors. Nothing is exported (should be a CSV from the script).

I have checked the event logs but nothing helpful is logged.

I'll crack on creating a test domain to run this script and, as you said, log on interactively. Thanks for the replies, guys.

July 25th, 2013 10:32am

"As you said I need to try interactively but the service account I have been given is fairly restricted so it cannot logon interactively to servers"

You may need to apply a policy to the machine on which the script will run, to allow this user to log on as a batch job: under Computer Configuration --> Security Settings --> Local Policies --> User Rights Assignment, add the user to "Log on as a batch job".

July 25th, 2013 10:38am

This is working now.

Permission-related, yes, but not what I thought. The script creates some folders if they don't exist (typically they don't upon first run). As I had been running the script under my account, the folder was restricted so that normal domain users didn't have access to that folder.

The solution was to just delete the existing folders or set the permissions. As it's not a live script yet, I just let the script user recreate the folder structure!

Thanks guys!

July 25th, 2013 12:49pm
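The failure described in this thread (a folder created by one account blocking another, with nothing logged) can be made visible with a pre-flight write check and explicit error logging. The following is an added example, not code from any poster in the thread; the export path, log location, property list and helper function names are assumptions, and it assumes the task starts the script with `powershell.exe -File`.

```powershell
# Added example; paths and property list are assumptions, not from the thread.
$ExportDir = 'C:\Reports\ADUsers'                      # hypothetical export folder
$LogFile   = Join-Path $env:TEMP 'ADUserExport.log'    # per-account fallback log
$ErrorActionPreference = 'Stop'                        # make non-terminating errors catchable

function Write-Log([string]$Message) {
    # Record which account the task actually ran as alongside each message.
    $line = '{0} [{1}] {2}' -f (Get-Date -Format s), [Environment]::UserName, $Message
    Add-Content -Path $LogFile -Value $line
}

function Test-DirectoryWritable([string]$Path) {
    # Probe by creating and deleting a file: this gives the effective result
    # for the running account, including inherited ACLs and group membership.
    $probe = Join-Path $Path ([Guid]::NewGuid().ToString() + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -Path $probe -Force
        return $true
    } catch {
        return $false
    }
}

try {
    if (-not (Test-Path -Path $ExportDir -PathType Container)) {
        # First run under this account: the folder is created with this account as owner.
        New-Item -Path $ExportDir -ItemType Directory | Out-Null
        Write-Log "Created $ExportDir"
    }
    if (-not (Test-DirectoryWritable $ExportDir)) {
        # Folder exists but was created by someone else with a restrictive ACL.
        $owner = (Get-Acl -Path $ExportDir).Owner
        throw "No write access to $ExportDir (owner: $owner)"
    }
    Import-Module ActiveDirectory
    $csv = Join-Path $ExportDir ('users-{0:yyyyMMdd}.csv' -f (Get-Date))
    Get-ADUser -Filter * -Properties mail, department |
        Select-Object SamAccountName, mail, department |
        Export-Csv -Path $csv -NoTypeInformation
    Write-Log "Exported to $csv"
    exit 0
} catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1   # non-zero exit code shows up as the task's Last Run Result
}
```

Because the log is written under the running account's own temp directory, it stays writable even when the export folder is not, and the owner in the failure message points at whoever created the folder.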

This topic is archived. No further replies will be accepted.
