
I'm trying to use the script below in Jenkins, but I'm getting an error:

Error:

Running as SYSTEM
Building in workspace C:\Program Files (x86)\Jenkins\workspace\Move_Disable_Inactive_Computers
[Move_Disable_Inactive_Computers] $ powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Windows\TEMP\jenkinsxxxxxxxxxxxxxxx.ps1
Disable-ADAccount : Insufficient access rights to perform the operation
At C:\Windows\TEMP\jenkins8240077775170239915.ps1:14 char:19
+ $StaleComputers | Disable-ADAccount
+                   ~~~~~~~~~~~~~~~~~

The Script:

Import-Module ActiveDirectory

$ErrorActionPreference = 'Stop'
# A credential is built from the Jenkins string parameters, but nothing below uses it:
# every AD cmdlet runs as the account the Jenkins process itself runs as (SYSTEM)
$Password = $env:Password | ConvertTo-SecureString -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $env:UserName, $Password

$DaysInactive = 45
$DestinationOU = "OU=test,OU=test,DC=test,DC=test"
$time = (Get-Date).AddDays(-($DaysInactive))

# Read-only query: any domain account can run this
$StaleComputers = Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -ResultSetSize $null -Properties LastLogonTimeStamp
$StaleComputers | Export-Csv C:\Inactive_Disabled_Computers_list_$((Get-Date).ToString('MM-dd-yyyy')).csv -NoTypeInformation -Encoding UTF8
# Writes to AD: this is where the script stops with "Insufficient access rights"
$StaleComputers | Disable-ADAccount
$StaleComputers | %{ Move-ADObject -Identity $_.DistinguishedName -TargetPath $DestinationOU }

If I comment out the last 2 command lines, the script works, but it still doesn't do exactly what I need: disable and move.

  • Virtually every account in a domain has read access to AD, so the Get-* stuff can usually be run by any recognized account. The cmdlets that make changes, however, normally require specific perms ... and the account running that code apparently does not have those perms. Commented Jul 9, 2020 at 17:40
  • Sorry, but I still don't understand why I can't run the "Disable-ADAccount" command from Jenkins. I wrote another script and still have the same issue with only this command, but directly on the AD server the script is working. Commented Jul 9, 2020 at 20:12
  • Are you using the EXACT SAME ACCOUNT for both runs? That is not what usually happens ... normally, Jenkins will use a service account with strictly limited privs. Commented Jul 9, 2020 at 21:53
  • I am using the String Parameter options in my Jenkins build with the AD user credentials to connect to the AD server. The string parameters that I am using are HostName, UserName and Password. Could the problem be that my build is running as the System user and not as the AD user? And how can I run it as the AD user? Commented Jul 12, 2020 at 7:24
  • If the same account is NOT used, OR the accounts have different privs, then you will likely get the results you report. You must have the same effective privs to get the same access. ///// It seems you found a way to get the needed privs ... good! Glad to see that you found and fixed the problem ... [grin] Commented Jul 12, 2020 at 13:43

1 Answer

OK, I'm not sure this will be the most correct way to explain it, but I solved it with the steps below: I installed the plugin "Authorize Project". In Configure Global Security / Security Realm, I selected Active Directory (and entered all the options for my AD). Then under "Access Control for builds" I selected "Run as User who triggered build".

Then I changed my script; now it looks like this, and everything is working.

    Import-Module ActiveDirectory

    $ErrorActionPreference = 'Stop'
    $Password = $env:Password | ConvertTo-SecureString -AsPlainText -Force
    $credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $env:UserName, $Password

    # Everything in the script block runs on $env:HostName as $credentials, so the AD
    # writes are no longer made by the Jenkins service identity. This works when
    # $env:HostName is the domain controller itself; from a member server the AD
    # cmdlets would need a second Kerberos hop to reach a DC, which fails by default.
    Invoke-Command -ComputerName $env:HostName -Credential $credentials -ScriptBlock {
        $ErrorActionPreference = 'Stop'
        $ou = "DC=domain,DC=com"
        $DestinationOU = "OU=test,DC=domain,DC=com"
        $DaysInactive = 45
        $time = (Get-Date).AddDays(-($DaysInactive))

        # Path to the log file (written on the remote host, not on the Jenkins agent)
        $logpath = "C:\test_$((Get-Date).ToString('MM-dd-yyyy')).csv"
        $findcomputers = Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -ResultSetSize $null -Properties LastLogonTimeStamp
        # Create a CSV containing all the stale computer information
        $findcomputers | Export-Csv $logpath
        # Disable the stale computer accounts
        #$findcomputers | Set-ADComputer -Description $description -PassThru | Disable-ADAccount
        $findcomputers | Disable-ADAccount
        # Find every disabled computer account under $ou. This includes accounts that
        # were already disabled before this run, not only the ones disabled above.
        $disabledAccounts = Search-ADAccount -AccountDisabled -ComputersOnly -SearchBase $ou
        # Move the disabled accounts to $DestinationOU, skipping any that are already there
        $disabledAccounts |
            Where-Object { $_.DistinguishedName -notlike "*,$DestinationOU" } |
            Move-ADObject -TargetPath $DestinationOU
    }
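The answer fixes the rights problem at the Jenkins level by making the build run as the triggering user. The other way to get the same effect, as an added example that is not code from the question or the answer, is to leave the build identity alone and hand the credential to every AD cmdlet that writes, which is what the question's script built `$credentials` for but never did. The script assumes the HostName, UserName and Password string parameters from the question, that HostName is a domain controller (it is used as `-Server`), that Jenkins sets `WORKSPACE` for the build, and a hypothetical destination OU; the `-WhatIf` switch, the `Enabled` filter and the identity check are additions.

```powershell
# Added example (not code from the question or the answer): disable and move stale
# computer accounts from a Jenkins job by handing the credential to each AD cmdlet.
# Assumes the job's HostName, UserName and Password string parameters from the
# question, that HostName is a domain controller, that Jenkins sets WORKSPACE for
# the build, and a hypothetical destination OU.
param(
    [int]$DaysInactive = 45,
    [string]$DestinationOU = 'OU=Disabled Computers,DC=domain,DC=com',  # assumed OU
    [switch]$WhatIf                                                      # dry run, changes nothing
)

Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

# Which Windows identity the build actually runs as. Under the default Jenkins
# service this is NT AUTHORITY\SYSTEM, which is why the question's script could
# read AD but not write to it: the AD user typed into the job was never used.
$processIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Build process identity: $processIdentity"

# Build the credential once and splat it, together with -Server, into every AD
# call. The write then happens as that account, and pinning one DC keeps the
# query, the disable and the move on the same replica.
$securePassword = ConvertTo-SecureString -String $env:Password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($env:UserName, $securePassword)
$ad = @{ Server = $env:HostName; Credential = $credential }

$cutoff = (Get-Date).AddDays(-$DaysInactive)

# Enabled accounts only, so computers disabled and moved by an earlier run are not touched again
$stale = @(Get-ADComputer @ad -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } `
    -ResultPageSize 2000 -ResultSetSize $null -Properties LastLogonTimeStamp)

if ($stale.Count -eq 0) {
    Write-Host "No enabled computers inactive for more than $DaysInactive days."
    return
}

# Audit record in the job workspace (archivable by Jenkins), written before any change
$logPath = Join-Path $env:WORKSPACE ('Inactive_Disabled_Computers_{0}.csv' -f (Get-Date).ToString('MM-dd-yyyy'))
$stale |
    Select-Object Name, DistinguishedName,
        @{ Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } } |
    Export-Csv -Path $logPath -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($stale.Count) stale computers to $logPath"

foreach ($computer in $stale) {
    # Disable first, then move; with -WhatIf both cmdlets only report what they would do
    Disable-ADAccount @ad -Identity $computer.DistinguishedName -WhatIf:$WhatIf
    Move-ADObject     @ad -Identity $computer.DistinguishedName -TargetPath $DestinationOU -WhatIf:$WhatIf
    Write-Host "Disabled and moved $($computer.Name)"
}
```

Run it once from the job with `-WhatIf` to see the list of computers it would disable and move before letting it write. Because the credential goes straight to the domain controller in each call, there is no `Invoke-Command` hop and so no second-hop Kerberos problem. The password still arrives as a plain string parameter, which is visible on the build's parameter page and in the process environment; binding it from the Jenkins credentials store instead is the safer way to populate `$env:Password`, though that is outside what the answer above configures.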