How custom PowerShell activity works in OrchestrationIssue This article contains useful information about the functionality of custom PowerShell activities, and sample script commands. Where does the command/script run The command/script in the custom PowerShell activity is running on the local MID server under the MID server service account, instead of running on the target host. For example the command: hostname, will always show the hostname of the MID serverthe command: whoami, will always show the MID server's service account. Before the command/script runs, the MID server will test active windows credentials one by one against the target host, using the credential testing method. By default, the test method is a WMI query, which picks the credential that has WMI query permission on the target host. If the remote target is a domain controller, it makes more sense to change the test method to an AD query instead so that credential test will pick the credential that can do an AD query on port 389 on the target host, and does not need it to be able to run WMI query to the target host. Check Tip 2 below for more details. The first windows credential that succeeds the test method, will be stored in the $cred variable. You have to explicitly use -credential $cred in your command, otherwise the command is run as the MID server service account. The value of the "Target host" field is stored in PowerShell variable $computer, which can be used in the command/script. Sample Script 1 In the following command, $computer is from the value of the "Target host" field, and $cred is the windows credential that succeeds credential test: gwmi win32_operatingsystem -computer $computer -credential $cred Sample Script 2 add-adgroupmember -identity "testgroup" -member "testuser" #this line is run using MID server service account, and likely causes error "Insufficient access rights to perform the operation" add-adgroupmember -identity "testgroup" -member "testuser" -credential $cred #this line is run using the windows credential that succeeds credential test Tip 1 In certain situations, a credential should be picked without invoking the credential test method, in this case, please set the Target host to 127.0.0.1 If the Target host is set to 127.0.0.1, no credential test is carried out, and the Windows credential that has the lowest order is used. You can combine this with credential tagging to choose the credential you need. (the credential is also stored in variable $cred) (credential tag is renamed to credential alias from Kingston) Tip 2 If the Target host is a domain controller, you can create a Powershell Variable: Activity Designer > Execution Command > Powershell variables Specify Name as "credType", value as "AD". This way the credential test method will be an AD query to the Target host. For other credType options, please check MID Server PowerShell files. Running a command/script on a remote host If you would like to execute a command on the remote server, PowerShell remote has to be used.For example, if you have a batch script: c:\temp\test.bat on server server01.lab01.com, you can do as follows: Update Target host field to server01.lab01.comIn Command, type in: $s = New-PSSession -ComputerName $computer -credential $credInvoke-Command -Session $s -ScriptBlock {c:\temp\test.bat} (as the Target host above is a FQDN instead of an IP, it's recommended that a cmdb_ci_dns_name record is created for this FQDN)Related LinksMID Server: troubleshooting WMI/Powershell issues - CredentialsWindows Discovery - Troubleshooting WMI/Powershell issues on the remote machine