Permissions to connect to ARS service w/ Quest AD cmdlets

I'm attempting to get permissions delegated to an Active Directory service account for some automated bulk operations that will need to be done. However, the team that manages rights, roles and permissions within ARS seems to be having some difficulty. When attempting to connect to the ars service with my AD ID, I issue the following command, and get the following output:

PS C:\> $conn = Connect-QADService -Service 'some.corp.com' -Proxy 
PS C:\> $conn
DefaultNamingContext                  Type
--------------------                              ----
CN=Active Directory                     ARS

When I issue the same command while logged in to a workstation with the service account, I get an error:

Connect-QADService : Server not exist or could not be contacted

However, when I don't use the -Proxy switch, I'm able to connect directly to an Active Directory domain controller. I've been told that our Security team wants everyone to use Active Roles for auditing purposes. Without the -Proxy switch, I can't meet that requirement.

While the error message is not the most exact, given that I can connect with my ID, but not with the service ID, even when logged on locally to a workstation with that ID and even when using the same command to connect to the Active Roles Adminsitration Service, I'm left to assume that this is a permissions problem with the service account. Can anyone tell me the minimum permissions needed for an Active Directory account to connect and authenticate to the Active Roles Admin Service using the Quest AD cmdlets?

  • Hi John,

    my suggestions to troubleshoot this issue:

    - please ensure that your account and the service account are in the same domain. It isn't obligatory, but it may help you to undestand the issue.

    - please compare group membership for your account and the service account.

    - please compare delegation within ARS for your account and the service account (Access Templates, Links)

    And:

    - please check DCOM security settinngs for ActiveRoles service (arssvc.exe). I guess your service account have no DCOM permissions to activate the DCOM-connection to ARS

  • I have the same problem. Unfortunately, the Dell answer is not helpful. OP - did you ever solve the problem?
  • 1. by default ARS does not allow anyone Read/Browse/View AD objects, exempt DSAdministrators (ARS ADmin group) and ARS-SVC account got FC over ARS (w/Read/Write)
    2. Permissions must work *the same* via any client (MMC, WI, PS1 script etc...)

  • There is another potential dimension to this and it has to do with the visibility of the ActiveRoles service itself.

    The -proxy switch searches AD's System container for a published instance of the AR service.

    The AR service publishes a service connection point in each of the domains it manages. If the workstation you are on is not a member of an AR managed domain you may not be able to see the service connection point for the service.

    I also agree with Aidar's reply in that your account may not have been granted default view permissions to AD via Active Roles.