Administrator role appears to not work

corynjam · October 20, 2021, 8:48pm

I’ve spent hours today trying to figure this one out. I am logging in correct to Admin, I can see it in the top right, however, My settings and security Tab is gone and I am no longer able to use admin functions. Has anyone seen this? is my code wrong?

please and thank you!

Set-PSUAuthenticationMethod -ScriptBlock {
param(
    [PSCredential]$Credential
)

    
    $domain = $env:USERDOMAIN
    $username = $Credential.UserName
    $password = $Credential.GetNetworkCredential().password
    
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext $ct,$domain
    if($pc.ValidateCredentials($username,$password))
    {

        if(get-adgroupmember "ACL-APP-PSUniversal-Admin" -Recursive | where {$_.samaccountname -eq $username})
        {
            New-PSUAuthenticationResult -Success -UserName "Admin"
        }
        elseif (get-adgroupmember "wksgrp-lockscreens-users" -Recursive | where {$_.samaccountname -eq $username})
        {
            New-PSUAuthenticationResult -success -username 'LS_Admin'
        }
        elseif (get-adgroupmember "wksgrp-Audit-users" -Recursive | where {$_.samaccountname -eq $username})
        {
            New-PSUAuthenticationResult -success -username 'Audit_Admin'
        }
        elseif (get-adgroupmember "wksgrp-Query-users" -Recursive | where {$_.samaccountname -eq $username})
        {
            New-PSUAuthenticationResult -success -username 'Query_admin'
        }
        else {
            New-PSUAuthenticationResult -ErrorMessage 'User not part of allowed group. Contact administrator'

        }
    }
    else 
    {
        New-PSUAuthenticationResult -ErrorMessage 'Bad username or password1'    
    }


}

New-PSURole -Name “Administrator” -Policy {

param(

$User

)

       

#

# Policies should return $true or $false to determine whether the user has the particular

# claim that require them for that role.

$user.identity.Name -eq "Admin"

}

adam · October 21, 2021, 2:15pm

Are you using git sync at all?

corynjam · October 21, 2021, 2:17pm

Yes. I just checked it again and the scripts are identical and correct.

I don’t have a license yet ( sent a support question about that), so I’m a little confused.

Thanks for fast response!

adam · October 21, 2021, 2:19pm

If you have One-Way git sync enabled, this is currently expect, while not ideal, behavior.

It’s effectively removing the admin role. This has been resolved in the 2.5 builds: Adjust One-Way Git Sync Behavior · Issue #589 · ironmansoftware/issues · GitHub

We have made a lot of improvements to one-way git sync in 2.5: PowerShell Universal 2.5.0 Milestone · GitHub

corynjam · October 21, 2021, 2:22pm

Good to know I’m not crazy! Should I enable TwoWay to resolve this?

What is best practice and I can change my behavior based on that.

adam · October 21, 2021, 2:28pm

Changing to two-way will resolve this as we won’t mess with the roles at all. That said, users will be able to edit things in the console so you will need to set execute\readonly role if you want to limit what people can do in the console.

corynjam · October 21, 2021, 2:28pm

Awesome, thanks so much Adam. Love the product.

Topic		Replies	Views
Authentication and Roles PowerShell Universal	14	1094	July 18, 2021
Tried to set a password for the admin account and now I can't login! Help! PowerShell Universal	5	549	April 29, 2022
Permission Issue - RBAC - Policy not working Universal Dashboard	4	236	June 15, 2023
Windows Authentication PowerShell Universal	3	497	September 13, 2021
AD authentication and authorization once again PowerShell Universal	5	801	June 1, 2023

Administrator role appears to not work

Related topics