cyberark / epv-api-scripts

These API scripts enable CyberArk users to automate privileged account management tasks like account creation, user management, and more.

Home Page: https://www.cyberark.com/best

License: Apache License 2.0

PowerShell 100.00%
rest-api privileged-access-security privileged-access-management powershell-scripts automation

epv-api-scripts's Introduction

EPV REST API scripts examples

Overview

REST APIs can provide end-to-end automation for key Privileged Access Management tasks, saving time and simplifying workloads for CyberArk Core PAS users. This repository of downloadable REST API example scripts shows users how to automate key processes across their Core PAS implementation, including securing privileged accounts, accessing data in CyberArk safes, responding to security events detected by Privileged Threat Analytics, and managing user accounts. REST APIs are part of the default PVWA installation for most CyberArk customers and can be implemented immediately.

Please note: These scripts were made available as examples to show customers how to use CyberArk REST APIs. They are not a supported product of CyberArk.

The Main Goal

Enable CyberArk users to automate and simplify privileged account management tasks via REST APIs such as account workflow, onboarding rules, permissions granting, and more.

REST API Technical Requirements

SDK Supported Platforms

The PAS SDK is a RESTful API that can be invoked by any RESTful client for various programming and scripting environments, including Java, C#, Perl, PHP, Python and Ruby.

The PAS SDK

The PAS SDK enables you to perform activities on PAS objects via a REST Web Service interface. Each PAS object has its own URL path in the PVWA website that can be accessed using the relevant HTTPS request verb. Learn more about the technical specifications in our official REST API technical documentation.

Additional Resources

Additional solutions for mitigating risk can be found in the CyberArk Marketplace, a trusted platform for customers to easily find partner integrations with CyberArk Core PAS and other projects. Contributors to the Marketplace include strategic partners, customers, and over 130 leading security solution providers that are members of the CyberArk C3 Alliance. The C3 Alliance offers more than 225 certified out-of-the-box integrations to help protect customer environments against pervasive threats and emerging attacks. CyberArk Marketplace users can find effective solutions for mitigating emerging risks, build upon existing integrations to develop customized solutions, and collaborate with other contributors to address evolving security challenges. CyberArk Marketplace is an industry destination for collaboration and identifying integrated solutions that advance privileged access management.

Contributing

Please see our CONTRIBUTING for more details.

License

This repository is licensed under Apache License 2.0 - see LICENSE for more details.

Copyright © 2022 CyberArk Software Ltd. All rights reserved.

epv-api-scripts's People

Contributors

aaearon, aks-tiaab, assafmiron, bab29, brikelly, deepanshudawar, dt-cybr, ethlas, infamousjoeg, jeffrechten, luxionous, matiya, naththedude, ndo2s, pistiolasm, sebokmarton, sensei-hacker, vishious81


epv-api-scripts's Issues

Help Message Line 20

[Parameter(Mandatory=$true,HelpMessage="Please enter your PVWA address (For example: https://pvwa.mydomain.com)")]
should read [Parameter(Mandatory=$true,HelpMessage="Please enter your PVWA address (For example: https://pvwa.mydomain.com/passwordvault)")]
to eliminate confusion.

Limit Domain Access To and ExtraPass Values

Hi,

I have updated one account to change the NAME property. I have removed RemoteMachineAddress and RestrictMachinesAccesstoList fields in the CSV File. Now all accounts are updated with Limit Domain Access TO and unable to remove the property. Please advise.

Even after creating the extra pass values in the platform, we are unable to associate extrapass1 and extrapass3 values to the account.

Also, let us know what are the mandatory parameters to update any property in the account.

Thanks,
Sudhakar

Limit Domain Access To --> Update

I am having a problem with Update Limit Domain Access To property.

Scenario 1:

Account onboarded to CyberArk with Windomain Platform but didn't check the BOX limit domain access to

By running an update command, I am unable to activate the parameter Limit Domain Access to and also unable to add IP address

Scenario 2:

Account onboarded to CyberArk with Windomain Platform and enabled checkbox limit domain access to
without any addresses in the limit domain access to.

By running an update command, I am unable to update IP address

Scenario 3:

Account onboarded to CyberArk with Windomain Platform but didn't include any addresses in the limit domain access to. But enabled the option Limit Domain Access To and added dummy value

By running an update command, I am ABLE to UPDATE the Limit Domain Access to with UPDATED IP ADDRESSES


In the last scenario, the value updates but shows an error message as below:

PS C:\Temp> .\Untitled2.ps1 -PVWAURL https://10.247.54.28/PasswordVault -CsvPath .\test-3.csv -DisableSSLVerify -NoSafeCreation -AuthType cyberark -Update -Verbose -Debug

=======================================

Welcome to Accounts Onboard Utility

WARNING: It is not Recommended to disable SSL verification

DEBUG: Trying to validate URL: https://10.247.54.28/PasswordVault

VERBOSE: HEAD https://10.247.54.28/PasswordVault with 0-byte payload


Getting PVWA Credentials to start Onboarding Accounts

VERBOSE: {

"password":  "Cyberark1",

"username":  "sudhakar"

}

VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/auth/cyberark/Logon -Method Post -Header -ContentType "appl

ication/json" -Body {

"password":  "****",

"username":  "sudhakar"

} -TimeoutSec 36000

VERBOSE: POST https://10.247.54.28/PasswordVault/api/auth/cyberark/Logon with -1-byte payload

VERBOSE: received 182-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: YWNiZWE2NmQtY2NjYy00NWI5LWI5ZTAtNzM0NmVkZDVjNzhhOzc4NTE2QkNCNTM0OEZERTI7MDAwMDAwMDJFNUExRjg5Qjc3ODc5

RTgzMzEyMUIxNkFEMjEyRjc5RDgyRjQ4Qjc5MzZBQTZEREM0OTJDRjY2REY0NTg5RDIxMDAwMDAwMDA7


Starting to Onboard 1 accounts

4

VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/WebServices/PIMServices.svc/Safes/DC1-Prod-Win-Bucket -Method Ge

t -Header System.Collections.Generic.Dictionary`2[System.String,System.String] -ContentType "application/json" -TimeoutSec 36000

VERBOSE: GET https://10.247.54.28/PasswordVault/WebServices/PIMServices.svc/Safes/DC1-Prod-Win-Bucket with 0-byte payload

VERBOSE: received 180-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: @{GetSafeResult=}

Safe DC1-Prod-Win-Bucket exists

DEBUG: Returning URL Encode of DC1-Prod-Win-Bucket

DEBUG: Returning URL Encode of pamwinadm1 07.07.07.07

VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/Accounts?filter=safename eq DC1-Prod-Win-Bucket&search=pamwi

nadm1+07.07.07.07 -Method Get -Header System.Collections.Generic.Dictionary`2[System.String,System.String] -ContentType "applicatio

n/json" -TimeoutSec 36000

VERBOSE: GET https://10.247.54.28/PasswordVault/api/Accounts?filter=safename eq DC1-Prod-Win-Bucket&search=pamwinadm1+07.07.07.07 w

ith 0-byte payload

VERBOSE: received 538-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: @{value=System.Object[]; count=1}

Account pamwinadm1 exist

DEBUG: Returning URL Encode of DC1-Prod-Win-Bucket

DEBUG: Returning URL Encode of pamwinadm1 07.07.07.07

VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/Accounts?filter=safename eq DC1-Prod-Win-Bucket&search=pamwi

nadm1+07.07.07.07 -Method Get -Header System.Collections.Generic.Dictionary`2[System.String,System.String] -ContentType "applicatio

n/json" -TimeoutSec 36000

VERBOSE: GET https://10.247.54.28/PasswordVault/api/Accounts?filter=safename eq DC1-Prod-Win-Bucket&search=pamwinadm1+07.07.07.07 w

ith 0-byte payload

VERBOSE: received 538-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: @{value=System.Object[]; count=1}

VERBOSE: Inspecting Account Property id

VERBOSE: Inspecting Account Property name

VERBOSE: Inspecting Account Property address

VERBOSE: Inspecting Account Property userName

VERBOSE: Inspecting Account Property platformId

VERBOSE: Inspecting Account Property safeName

VERBOSE: Inspecting Account Property secretType

VERBOSE: Inspecting Account Property platformAccountProperties

VERBOSE: Inspecting Account Property Location

VERBOSE: Inspecting Account Property Hostname

VERBOSE: Inspecting Account Property Environment

VERBOSE: Inspecting Account Property secretManagement

VERBOSE: Inspecting Account Property automaticManagementEnabled

VERBOSE: Since Account Automatic management is off, adding the Manual management reason

VERBOSE: Inspecting Account Property manualManagementReason

VERBOSE: Updating Account Property @{automaticManagementEnabled=False; manualManagementReason=[No Reason]; lastModifiedTime=1584959

645} value from: '[No Reason]' to: ''

VERBOSE: Inspecting Account Property lastModifiedTime

VERBOSE: Inspecting Account Property remoteMachinesAccess

VERBOSE: Inspecting Account Property remoteMachines

VERBOSE: Updating Account Property @{remoteMachines=dummy; accessRestrictedToRemoteMachines=True} value from: 'dummy' to: 'FINAPP02

.exFinance.com;FINAPP03.exFinance.com;FINAPP04.exFinance.com;FINAPP05.exFinance.com;FINAPP06.exFinance.com'

VERBOSE: Inspecting Account Property accessRestrictedToRemoteMachines

VERBOSE: Inspecting Account Property createdTime

VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/Accounts/51_29 -Method PATCH -Header System.Collections.Gene

ric.Dictionary`2[System.String,System.String] -ContentType "application/json" -Body [

{

    "op":  "add",

    "path":  "/secretManagement/manualManagementReason",

    "value":  "[No Reason]"

},

{

    "op":  "replace",

    "path":  "/secretManagement/manualManagementReason",

    "value":  ""

},

{

    "op":  "replace",

    "path":  "/remoteMachinesAccess/remoteMachines",

    "value":  "FINAPP02.exFinance.com;FINAPP03.exFinance.com;FINAPP04.exFinance.com;FINAPP05.exFinance.com;FINAPP06.exFinance.c

om"

}

] -TimeoutSec 36000

VERBOSE: PATCH https://10.247.54.28/PasswordVault/api/Accounts/51_29 with -1-byte payload

VERBOSE: received 625-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: @{id=51_29; name=07.07.07.07-pamwinadm1; address=07.07.07.07; userName=pamwinadm1; platformId=WinDom

ain; safeName=DC1-Prod-Win-Bucket; secretType=password; platformAccountProperties=; secretManagement=; remoteMachinesAccess=; creat

edTime=1584959645}

Account properties Updated Successfully

DEBUG: Updating Account Secret...

VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/Accounts/51_29/Password/Update -Method POST -Header System.C

ollections.Generic.Dictionary`2[System.String,System.String] -ContentType "application/json" -Body {

"NewCredentials":  ""

} -TimeoutSec 36000

VERBOSE: POST https://10.247.54.28/PasswordVault/api/Accounts/51_29/Password/Update with -1-byte payload

**Error Message: {"Details":[{"ParameterName":"NewCredentials","ErrorCode":"PASWS011E","ErrorMessage":"Missing mandatory parameter [N

ewCredentials]."}],"ErrorCode":"PASWS167E","ErrorMessage":"There are some invalid parameters"}

Exception Message: The remote server returned an error: (400) Bad Request.**

Status Code: 400

Status Description: Bad Request

VERBOSE: Invoke-REST Response:

[1/1] Updated [email protected] successfully.

Logoff Session...

VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/auth/Logoff -Method Post -Header System.Collections.Generic.

Dictionary`2[System.String,System.String] -ContentType "application/json" -TimeoutSec 36000

VERBOSE: POST https://10.247.54.28/PasswordVault/api/auth/Logoff with 0-byte payload

VERBOSE: received 16-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: @{LogoffUrl=}

Vaulted 1 out of 1 accounts successfully.

=======================================

LogoffUrl


Needing to force TLS 1.2 after running PVWA Hardening script

Hello Assaf,

Found the following line needs to be added to the script to force the use of TLS 1.2 in PowerShell: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

The section of code testing to see if SSL verification should be disabled does not set the use of any TLS. The PVWA hardening script and manual process disables all versions of SSL and TLS other than 1.2.

Issue in loop within Update - Account Onboarding Utility v10

I've submitted a couple issues not long ago. Thanks for the quick turn around on those by the way. It led me to thinking there was something not right with the update functionality of the script. It doesn't seem to have been tested.

Thus now that I have a bit of time to dig in I've discovered there's an issue with the below foreach loop and the $sProp variable. $sProp.Key doesn't exist. Seems like it should be $sProp.Name in this case. That should then match it up with the WebServices SDK guide of supplying the attribute name in the Path value.

A nice to have while in this loop would be a check against list of supported properties that can be updated per the SDK guide. Error updating property X not supported logged to file\console.

Foreach($sProp in $s_Account.PSObject.Properties)
{
    "sProp name: $($sProp.Name)" | Write-Host -ForegroundColor Red
    "sProp value: $($sProp.Value)" | Write-Host -ForegroundColor Red
    "objAccount value: $($objAccount.($sProp.Name))" | Write-Host -ForegroundColor Red
    If($objAccount.$($sProp.Name) -ne $sProp.Value)
    {
        $_bodyOp = "" | select "op", "path", "value"
        $_bodyOp.op = "replace"
        $_bodyOp.path = "/"+$sProp.Key
        $_bodyOp.value = $objAccount.$($sProp.Key)
        $s_AccountBody += $_bodyOp
    }
    "************" | Write-Host
}
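
The comparison loop from the report above, as an added example (not the repository's code) that reads each property through .Name and skips anything outside an allowlist, as the poster suggests. The function name, the allowlist contents and the sample accounts are assumptions; take the real list of updatable properties from the SDK guide.

```powershell
# Added example. Function and variable names are hypothetical, not from the repository.
# Illustrative allowlist only: fill it from the REST API guide for your PVWA version.
$UpdatableProperties = @('name', 'address', 'userName', 'platformId')

function Get-AccountPatchOperation {
    [CmdletBinding()]
    param(
        # Account object as returned by the API
        [Parameter(Mandatory = $true)] [psobject] $Existing,
        # Account object built from the CSV line
        [Parameter(Mandatory = $true)] [psobject] $Desired,
        [string[]] $Allowed = $UpdatableProperties
    )

    $ops = New-Object 'System.Collections.Generic.List[object]'
    foreach ($prop in $Desired.PSObject.Properties) {
        # PSObject properties expose .Name and .Value; there is no .Key member,
        # so "/" + $prop.Key would yield a path with no property name in it.
        if ($Allowed -cnotcontains $prop.Name) {
            Write-Warning "Property '$($prop.Name)' is not in the updatable list; skipped"
            continue
        }

        $current = $Existing.PSObject.Properties[$prop.Name]
        if ($null -eq $current) {
            $op = 'add'        # property not present on the existing account
        }
        elseif ($current.Value -cne $prop.Value) {
            $op = 'replace'    # present, but the value differs (case-sensitive compare)
        }
        else {
            continue           # already matches, nothing to send
        }

        $ops.Add([pscustomobject]@{
            op    = $op
            path  = '/' + $prop.Name
            value = $prop.Value      # the desired value, not the existing one
        })
    }
    # Leading comma keeps the result an array even when it holds zero or one operation
    return , $ops.ToArray()
}

# Constructed sample data, not taken from a real vault
$existing = [pscustomobject]@{
    name = 'srv01-admin'; address = 'srv01.example.test'
    userName = 'admin'; platformId = 'WinDomain'
}
$desired = [pscustomobject]@{
    name = 'srv01.example.test-admin'; address = 'srv01.example.test'
    userName = 'admin'; createdTime = 0
}

$patch = Get-AccountPatchOperation -Existing $existing -Desired $desired
# -InputObject (not the pipeline) so a single operation is still serialised as a JSON array
ConvertTo-Json -InputObject $patch -Depth 3
```

Calling the function again with the account re-fetched after the PATCH returns an empty array when every allowed change was applied, which gives a simple post-update check.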

Get adhoc access script is not working

Hi,

When I try to run the utility get adhoc access we are getting the following error. I have set the PowerShell execution policy to unrestricted. Please find the below error details for your review.

PS C:\CyberarkScripts> .\Get-AdHocAccess.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\CyberarkScripts\Get-AdHocAccess.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
At C:\CyberarkScripts\Get-AdHocAccess.ps1:143 char:19
+           Sign up
+               ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:170 char:190
+ ... ata-ga-click="(Logged out) Header, go to Features">Features <span cla ...
+                                                             ~
The '<' operator is reserved for future use.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:170 char:261
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">→</s ...
+                                                             ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:184 char:255
+ ... ogged out) Header, go to Customer stories">Customer stories <span cla ...
+                                                             ~
The '<' operator is reserved for future use.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:184 char:326
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">→</s ...
+                                                             ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:185 char:231
+ ... ata-ga-click="(Logged out) Header, go to Security">Security <span cla ...
+                                                             ~
The '<' operator is reserved for future use.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:185 char:302
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">→</s ...
+                                                             ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:205 char:222
+ ... a-click="(Logged out) Header, go to Explore">Explore GitHub <span cla ...
+                                                             ~
The '<' operator is reserved for future use.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:205 char:293
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">→</s ...
+                                                             ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\CyberarkScripts\Get-AdHocAccess.ps1:208 char:107
+ ... text-normal text-mono f5 mb-2 border-lg-top pt-lg-3">Learn & con ...
+                                                             ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : AmpersandNotAllowed

Thanks & Regards
Karthik Raja

What is the string required for 'Get-Accounts'

What string is required to run the 'GetAccounts.ps1' script? I have tried the following to get a list of accounts in a safe:

Get-Accounts.ps1 -PVWAURL https://115-pvwa001.south.local -List -SafeName TestSafe001

But get the following errors:


Get-Accounts.ps1 -PVWAURL https://115-pvwa001.south.local -List -SafeName _TestSafe001
Retrieving accounts...
C:\users\nathan.SOUTH\Desktop\epv-api-scripts-master\Get Accounts\Get-Accounts.ps1 : Exception of type 'Microsoft.PowerShell.Commands.WriteErrorException' was thrown.
At line:1 char:1
+ .\Get-Accounts.ps1 -PVWAURL https://115-pvwa001.south.local -List -Sa ...
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-Accounts.ps1

Showing up to 50 accounts
Logoff Session...
Invoke-RestMethod : Specified value has invalid CRLF characters.
Parameter name: value
At C:\users\nathan.SOUTH\Desktop\epv-api-scripts-master\Get Accounts\Get-Accounts.ps1:296 char:5
+ Invoke-RestMethod -Method Post -Uri $URL_CyberArkLogoff -Headers  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Invoke-RestMethod], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

AOU - Issue when updating multiple properties

Whilst test updating accounts using the AOU script the values for some FC's are not getting updated as expected.

For testing purposes these headers were used in the csv and the values for the three 'ExtraPassXSafe' values were changed:

name,safe,ExtraPass1Safe,ExtraPass2Safe,ExtraPass3Safe

When running the script for the first time only the value for the 'ExtraPass3Safe' was updated, running the script for the second time only updated the value for the 'ExtraPass2Safe' and running it for the 3rd time then updates the value for the 'ExtraPass1Safe'. Using -verbose and -debug for each time the script was run here is the output:

1st time running:

VERBOSE: Updating Account Property @{ExtraPass1Folder=root; ExtraPass1Name=Operating System-_LogonAccounts-10.10.10.222-Logon001; ExtraPass1Safe=002; ExtraPass2Folder=root; ExtraPass2Name=Operating System-_EnableAccounts-10.10.10.222-enable001; ExtraPass2Safe=002; ExtraPass3Folder=root; ExtraPass3Name=Operating System-_ReconcileAccounts-10.10.10.222-reconcile005; ExtraPass3Safe=002} value from: '002' to: '001'
VERBOSE: Inspecting Account Property ExtraPass2Folder
VERBOSE: Inspecting Account Property ExtraPass2Name
VERBOSE: Inspecting Account Property ExtraPass2Safe
VERBOSE: Updating Account Property @{ExtraPass1Folder=root; ExtraPass1Name=Operating System-_LogonAccounts-10.10.10.222-Logon001; ExtraPass1Safe=002; ExtraPass2Folder=root; ExtraPass2Name=Operating System-_EnableAccounts-10.10.10.222-enable001; ExtraPass2Safe=002; ExtraPass3Folder=root; ExtraPass3Name=Operating System-_ReconcileAccounts-10.10.10.222-reconcile005; ExtraPass3Safe=002} value from: '002' to: '001'
VERBOSE: Inspecting Account Property ExtraPass3Folder
VERBOSE: Inspecting Account Property ExtraPass3Name
VERBOSE: Inspecting Account Property ExtraPass3Safe
VERBOSE: Updating Account Property @{ExtraPass1Folder=root; ExtraPass1Name=Operating System-_LogonAccounts-10.10.10.222-Logon001; ExtraPass1Safe=002; ExtraPass2Folder=root; ExtraPass2Name=Operating System-_EnableAccounts-10.10.10.222-enable001; ExtraPass2Safe=002; ExtraPass3Folder=root; ExtraPass3Name=Operating System-_ReconcileAccounts-10.10.10.222-reconcile005; ExtraPass3Safe=002} value from: '002' to: '001'

2nd time running:

VERBOSE: Updating Account Property @{ExtraPass1Folder=root; ExtraPass1Name=Operating System-_LogonAccounts-10.10.10.222-Logon001; ExtraPass1Safe=002; ExtraPass2Folder=root; ExtraPass2Name=Operating System-_EnableAccounts-10.10.10.222-enable001; ExtraPass2Safe=002; ExtraPass3Folder=root; ExtraPass3Name=Operating System-_ReconcileAccounts-10.10.10.222-reconcile005; ExtraPass3Safe=001} value from: '002' to: '001'
VERBOSE: Inspecting Account Property ExtraPass2Folder
VERBOSE: Inspecting Account Property ExtraPass2Name
VERBOSE: Inspecting Account Property ExtraPass2Safe
VERBOSE: Updating Account Property @{ExtraPass1Folder=root; ExtraPass1Name=Operating System-_LogonAccounts-10.10.10.222-Logon001; ExtraPass1Safe=002; ExtraPass2Folder=root; ExtraPass2Name=Operating System-_EnableAccounts-10.10.10.222-enable001; ExtraPass2Safe=002; ExtraPass3Folder=root; ExtraPass3Name=Operating System-_ReconcileAccounts-10.10.10.222-reconcile005; ExtraPass3Safe=001} value from: '002' to: '001'

Last time running

VERBOSE: Updating Account Property @{ExtraPass1Folder=root; ExtraPass1Name=Operating System-_LogonAccounts-10.10.10.222-Logon001; ExtraPass1Safe=002; ExtraPass2Folder=root; ExtraPass2Name=Operating System-_EnableAccounts-10.10.10.222-enable001; ExtraPass2Safe=001; ExtraPass3Folder=root; ExtraPass3Name=Operating System-_ReconcileAccounts-10.10.10.222-reconcile005; ExtraPass3Safe=001} value from: '002' to: '001'

A similar experience is seen when running the script against a csv that has all nine ExtraPass properties, the script has to be run several times in order to make all the required changes.

No errors are seen when running the script, perhaps an optional validation could be added at the end of the script to confirm if all the properties have been changed as per the csv?

Thanks

Custom CPM is not honored

If EPV is configured with a differently-named CPM user (rather than PasswordManager) the script will error even if that CPM is defined in the csv.

The default parameters on lines 338 & 278 seem to affect this. I've not dug into this much more than that. See attached error.
Safe-Management

Issue with Safe-Management.ps1: 404 error for certain Safename inputs

I'm currently testing bulk upload of safes with Safe-Management.ps1 and encountered a problem. My input for the script is a comma delimited csv file in the format of safes-sample.csv and the command is ".\Safe-Management.ps1 -url 'pvwa url' -add -FilePath 'csv input' ".

The script encounters a 404 error with any rows in the csv file where the "Safename" contains a white space, such as "Test Safe". Safe creation seems to work as I can verify in the pvwa that the safe was created with the correct name. However setting safe membership produces a "404 - File or directory not found." error.

The issue seems to have some relations with the Encode-URL function, specifically line 137 "return [System.Web.HttpUtility]::UrlEncode($sText)", as when I replaced it with "return [uri]::EscapeDataString($sText)" in my local code the 404 error disappeared.
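
The difference between the two encoders named in the report, as an added example (not the repository's code): HttpUtility.UrlEncode applies form encoding, where a space becomes "+", while Uri.EscapeDataString percent-encodes it, and only the latter decodes back to the original name when it is used as a URL path segment. Test-SegmentRoundTrip, the host name in $BaseUrl and the input list are assumptions; Windows PowerShell 5.1 is assumed.

```powershell
# Added example. Test-SegmentRoundTrip and $BaseUrl are hypothetical names.
Add-Type -AssemblyName System.Web    # provides [System.Web.HttpUtility]

# Placeholder host; the path mirrors the Safes URL seen in the verbose logs on this page
$BaseUrl = 'https://pvwa.example.test/PasswordVault/WebServices/PIMServices.svc/Safes'

function Test-SegmentRoundTrip {
    param([Parameter(Mandatory = $true)] [string] $SafeName)

    $encoders = [ordered]@{
        'HttpUtility.UrlEncode' = { param($s) [System.Web.HttpUtility]::UrlEncode($s) }
        'Uri.EscapeDataString'  = { param($s) [uri]::EscapeDataString($s) }
    }
    foreach ($name in $encoders.Keys) {
        $encode  = $encoders[$name]
        $encoded = & $encode $SafeName
        # A path segment is only percent-decoded; '+' is not turned back into a space there
        $decoded = [uri]::UnescapeDataString($encoded)
        [pscustomobject]@{
            SafeName    = $SafeName
            Encoder     = $name
            Url         = "$BaseUrl/$encoded"
            DecodedPath = $decoded
            RoundTrips  = ($decoded -ceq $SafeName)
        }
    }
}

# Constructed inputs: one name with a space (as in the report) and one without
'Test Safe', 'DC1-Prod-Win-Bucket' |
    ForEach-Object { Test-SegmentRoundTrip -SafeName $_ } |
    Format-Table SafeName, Encoder, Url, RoundTrips -AutoSize
```

A row with RoundTrips set to False means the server would look up a differently named safe, which is consistent with the 404 described for names containing a space.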

Safe-Management - using CSV to update safe's

For my use case I am trying to change the CPM that manages a couple of safes, so I am using a csv for this that only contains 1) the safe name, and 2) ManagingCPM.

When only using two values in a one liner I am able to update the single safe but when I try to do this from a csv this is working, it looks like the script is assuming that I want to update the members of the safe. As there are no columns/headers in the csv for these fields a default value of 'False' is being used.

As values are now entered in for these permission fields when the call is made back to the vault it now also expects the 'MemberName' to be part of the call as we have included information about the permissions that need to be set.

Ideally when importing the csv and setting values, if the 'MemberName' is empty then the other values should be ignored and not added to the call with default values.

Safe Management variable mismatch.

In the safe management ps1 the following has a misspelling for NumberOfVersionsRetention

"NumberOfVersionsRtention"=$updateRetVersions;

This does not result in an error in the script but it cannot be set via the add command safe and will either go to your default value or will select Numberofretention days instead.

I add the e in my local code and it resolved.

generate access_token using username, password with OTP based login

Hi All,

Was trying to figure out how to generate temporary access_token using username, password with OTP based login, so can run different API calls. I went through the documentation in CyberArk but unable to find one. Basically the idea is to get output of user locked accounts and do further automation.

Wrote below Python script to make API call, however seems I am missing something. Any help would be greatly appreciated.

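import requests

# RADIUS logon endpoint of the PVWA
url = "https://pam.example.com/PasswordVault/API/Auth/radius/Logon"
# JSON request body; triple quotes so the inner double quotes do not end the string
payload = """{
	"username": "user1",
	"Password": "pass1",
	"useRadiusAuthentication":"yes"
}"""
headers = {
  'Content-Type': 'application/json'
}
# Send the logon request and print the raw response body
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text.encode('utf8'))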

Above API call is failing with:

{
    "ErrorCode": "ITATS542I",
    "ErrorMessage": "Enter the current code displayed in the Multi-Factor Authentication or Azure Authenticator mobile app to complete your authentication."
}

Get-SafeMembers function incorrect method

On line 566 of Safe-Management.ps1 the incorrect rest method is used to retrieve Safe Members, it is POST when it should be GET, there is also a missing space between $accSafeMembersURL and -Method.

$_safeMembers = $(Invoke-RestMethod -Uri $accSafeMembersURL-Method POST -Headers $g_LogonHeader -ContentType "application/json" -TimeoutSec 3600000 -ErrorAction "SilentlyContinue")

Should be:

$_safeMembers = $(Invoke-RestMethod -Uri $accSafeMembersURL -Method "Get" -Headers $g_LogonHeader -ContentType "application/json" -TimeoutSec 3600000 -ErrorAction "SilentlyContinue")

Warning while adding

Dear Author,

I would like to say "Much Thanks" for your wonderful contribution.

While onboarding using the below script,

& .\Accounts_Onboard_Utility.ps1 -PVWAURL "http://X.X.X.X/PasswordVault" -CsvPath .\accounts1.csv -Create -NoSafeCreation

I am getting Warning message, but it is added successfully in the safe.

WARNING: The Account Exists, Creating the same account twice will cause duplications

Account Onboard Error

I am getting below error message while onboarding a test account using an EPV account.

ContentType "appl

ication/json" -Body {

"password":  "****",

"username":  "sudhakar"

} -TimeoutSec 36000

VERBOSE: POST https://10.247.54.28/PasswordVault/api/auth/cyberark/Logon with -1-byte payload

VERBOSE: received 182-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: ZGU3MTYwMzgtNTg2Yi00NWUxLWI4NGMtNmQyMjQ4NGM5MWQ2OzhGNzhCNjM0NzFCOUIyQkM7MDAwMDAwMDI0OTBCMjI2QjJFQTQ0

ODMzMTM4RDcyQzREMEQyMkRCQzZDRDhCQjY5MzgwQTNCM0RGNTMxMEM3MkFFMUYxQkExMDAwMDAwMDA7


Starting to Onboard 1 accounts

Skipping onboarding account into the Password Vault. Error: Source:System.Management.Automation; Message: You cannot call a method

on a null-valued expression.

Logoff Session...

VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/auth/Logoff -Method Post -Header System.Collections.Generic.

Dictionary`2[System.String,System.String] -ContentType "application/json" -TimeoutSec 36000

VERBOSE: POST https://10.247.54.28/PasswordVault/api/auth/Logoff with 0-byte payload

VERBOSE: received 16-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: @{LogoffUrl=}

Also, how do we log in using radius authentication? The token will be sent to the mobile phone after the LDAP login. Is it possible to integrate with Radius functionality to enter the pin code after login to the system?

AOU - Errors when attempting to onboard accounts

When attempting to onboard accounts the following error is being seen:

Error Message: {"Details":[{"ParameterName":"remoteMachinesAccess.accessRestrictedToRemoteMachines","ErrorCode":"PASWS168E","ErrorMessage":"Input parameter for [remoteMachinesAccess.accessRestrictedToRemoteMachines] value is 
invalid"}],"ErrorCode":"PASWS167E","ErrorMessage":"There are some invalid parameters"}
Exception Message: The remote server returned an error: (400) Bad Request.
Status Code: 400
Status Description: Bad Request

My CSV has the following:

username,address,safe,platformID,password,EnableAutoMgmt,ManualMgmtReason
AOU-User014,Target011.south.local,_AOU-NewSafe001,AOU-WinServers001,kS$47.po,Yes,,

When I comment out the following lines I do not get the error:

#	$_Account.remoteMachinesAccess = "" | select "remoteMachines", "accessRestrictedToRemoteMachines"
#	$_Account.remoteMachinesAccess.remoteMachines = $AccountLine.remoteMachineAddresses
#	$_Account.remoteMachinesAccess.accessRestrictedToRemoteMachines = Convert-ToBool $AccountLine.restrictMachineAccessToList

However, by doing this I believe I am possibly causing other issues, which I am currently working through. I am not quite sure how to work around this issue currently. I have tried to add additional FCs into the CSV with no luck.

Delete no longer working

Hi there, is the -Delete option no longer working? Placing the -Delete parameter at various locations in the string, the script does not - attempt - to delete the account in the csv file...

kr,
Chris

Import-ConnectionComponents -ConnectionComponentFolderPath does not work

Tested and resolved in Powershell 5.1. The issue is in line 176: Get-ChildItem results in a string which contains a header the filename with file path. When it is later parsed by line 191, it fails to properly test the paths. This can be corrected by changing the line from:

$arrConCompToImport += (Get-ChildItem -Path $ConnectionComponentFolderPath -Filter "*.zip")

To

$arrConCompToImport += (Get-ChildItem -Path $ConnectionComponentFolderPath -Filter "*.zip" | Select-Object -ExpandProperty FullName)

Logon and Reconcile Account

Thanks for helping in resolving my earlier problem. The script is working as expected. However, I am not able to associate Logon and Reconcile Accounts.

Also, the account name is configured as "Operating System-PlatformID-Address-Username". Due to this, duplicate accounts will be created. Is it possible to customize the name to IPAddress-Username or Hostname-Username?

Also, the update function is not updating the LimitDomainAccessTo property; it is not adding the values to an existing account.

PS C:\Temp> .\Untitled2.ps1 -PVWAURL https://10.247.54.28/PasswordVault -AuthType cyberark -CsvPath .\test1.csv -update -Debug -Verbose -DisableSSLVerify -NoSafeCreation
=======================================
Welcome to Accounts Onboard Utility
WARNING: It is not Recommended to disable SSL verification
DEBUG: Trying to validate URL: https://10.247.54.28/PasswordVault
VERBOSE: HEAD https://10.247.54.28/PasswordVault with 0-byte payload

Getting PVWA Credentials to start Onboarding Accounts
VERBOSE: {
"password":  "Cyberark1",
"username":  "sudhakar"
}
VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/auth/cyberark/Logon -Method Post -Header -ContentType "application/json" -Body {
"password":  "****",
"username":  "sudhakar"
} -TimeoutSec 36000
VERBOSE: POST https://10.247.54.28/PasswordVault/api/auth/cyberark/Logon with -1-byte payload
VERBOSE: received 182-byte response of content type application/json; charset=utf-8

VERBOSE: Invoke-REST Response: Njc4NmJkMTktYTYyMC00MzMwLThhYjAtNzY2YTE1NTBjZmVlOzU4MUY3REZCMjZBOTRBREQ7MDAwMDAwMDJFMzZBRjE0N0U1QTND

NjhENjM0MjBBM0NBRTc2NDFCMTFFMjI1N0U3RTc5MUNGNjhEQTQyMzA2RkNDMjA5QTNBMDAwMDAwMDA7


Starting to Onboard 1 accounts
4
VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/WebServices/PIMServices.svc/Safes/DC1-Prod-Win-Bucket -Method Get -Header System.Collections.Generic.Dictionary`2[System.String,System.String] -ContentType "application/json" -TimeoutSec 36000
VERBOSE: GET https://10.247.54.28/PasswordVault/WebServices/PIMServices.svc/Safes/DC1-Prod-Win-Bucket with 0-byte payload
VERBOSE: received 180-byte response of content type application/json; charset=utf-8
VERBOSE: Invoke-REST Response: @{GetSafeResult=}
Safe DC1-Prod-Win-Bucket exists
DEBUG: Returning URL Encode of DC1-Prod-Win-Bucket
DEBUG: Returning URL Encode of pamwinread1 10.216.39.21
VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/Accounts?filter=safename eq DC1-Prod-Win-Bucket&search=pamwinread1+10.216.39.21 -Method Get -Header System.Collections.Generic.Dictionary`2[System.String,System.String] -ContentType "application/json" -TimeoutSec 36000
VERBOSE: GET https://10.247.54.28/PasswordVault/api/Accounts?filter=safename eq DC1-Prod-Win-Bucket&search=pamwinread1+10.216.39.21 with 0-byte payload
VERBOSE: received 460-byte response of content type application/json; charset=utf-8
VERBOSE: Invoke-REST Response: @{value=System.Object[]; count=1}
Account pamwinread1 exist
DEBUG: Returning URL Encode of DC1-Prod-Win-Bucket
DEBUG: Returning URL Encode of pamwinread1 10.216.39.21
VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/Accounts?filter=safename eq DC1-Prod-Win-Bucket&search=pamwinread1+10.216.39.21 -Method Get -Header System.Collections.Generic.Dictionary`2[System.String,System.String] -ContentType "application/json" -TimeoutSec 36000
VERBOSE: GET https://10.247.54.28/PasswordVault/api/Accounts?filter=safename eq DC1-Prod-Win-Bucket&search=pamwinread1+10.216.39.21 with 0-byte payload
VERBOSE: received 460-byte response of content type application/json; charset=utf-8
VERBOSE: Invoke-REST Response: @{value=System.Object[]; count=1}
VERBOSE: Inspecting Account Property id
VERBOSE: Inspecting Account Property name
VERBOSE: Inspecting Account Property address
VERBOSE: Inspecting Account Property userName
VERBOSE: Inspecting Account Property platformId
VERBOSE: Inspecting Account Property safeName
VERBOSE: Inspecting Account Property secretType
VERBOSE: Inspecting Account Property platformAccountProperties
VERBOSE: Inspecting Account Property LogonDomain
VERBOSE: Inspecting Account Property Location
VERBOSE: Inspecting Account Property Hostname
VERBOSE: Inspecting Account Property Environment
VERBOSE: Inspecting Account Property secretManagement
VERBOSE: Inspecting Account Property automaticManagementEnabled
VERBOSE: Since Account Automatic management is on, removing the Manual management reason
VERBOSE: Inspecting Account Property lastModifiedTime
VERBOSE: Inspecting Account Property createdTime
VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/Accounts/51_90 -Method PATCH -Header System.Collections.Generic.Dictionary`2[System.String,System.String] -ContentType "application/json" -Body [
{
    "op":  "remove",
    "path":  "/secretManagement/manualManagementReason",
    "value":  ""
}
] -TimeoutSec 36000
VERBOSE: PATCH https://10.247.54.28/PasswordVault/api/Accounts/51_90 with -1-byte payload
VERBOSE: received 438-byte response of content type application/json; charset=utf-8
VERBOSE: Invoke-REST Response: @{id=51_90; name=Operating System-WinDomain-10.216.39.21-pamwinread1; address=10.216.39.21; userName=pamwinread1; platformId=WinDomain; safeName=DC1-Prod-Win-Bucket; secretType=password; platformAccountProperties=; secretManagement=; createdTime=1593072294}
Account properties Updated Successfully
[1/1] Updated [email protected] successfully.
Logoff Session...
VERBOSE: Invoke-RestMethod -Uri https://10.247.54.28/PasswordVault/api/auth/Logoff -Method Post -Header System.Collections.Generic.Dictionary`2[System.String,System.String] -ContentType "application/json" -TimeoutSec 36000
VERBOSE: POST https://10.247.54.28/PasswordVault/api/auth/Logoff with 0-byte payload
VERBOSE: received 16-byte response of content type application/json; charset=utf-8
VERBOSE: Invoke-REST Response: @{LogoffUrl=}
Vaulted 1 out of 1 accounts successfully.
=======================================
LogoffUrl

PS C:\Temp> .\Untitled2.ps1 -PVWAURL https://10.247.54.28/PasswordVault -AuthType cyberark -CsvPath .\test1.csv -update -Debug -Verbose -DisableSSLVerify -NoSafeCreation
=======================================
Welcome to Accounts Onboard Utility
WARNING: It is not Recommended to disable SSL verification

Feature Request - Standardize AuthType

I think it would be beneficial to add the '-AuthType' option to all scripts in a standardized way. The way it is done in the Account Onboarding scripts seems perfect.

It would be ideal if 'CyberArk' were the default for all scripts, but with the option to pass other -AuthType options.

Example: I am doing some testing with the Safe Management scripts in a development environment and it doesn't allow Radius auth type, which is needed.

Would like the ability to import accounts with Password History - KeePass export to XML

We have a number of accounts stored in KeePass. Exporting to CSV and using Accounts_Onboard_Utility.ps1 has been great. We have run into an issue where there are some accounts for which we would like to maintain the password history. KeePass offers an XML export that includes the password history.

  1. Do the REST APIs support importing an account's Password History?
  2. Are there any future plans for accepting XML input?

Safe Management - PVWAURL Errors

We are attempting to utilize the Safe Management Utility and receiving two different error messages when attempting to use two different PVWA URLs.

URL 1: as stated in the ReadMe - PVWAURL "https://myPVWA.myDomain.com/PasswordVault"
Error Message: Cannot validate argument on parameter 'PVWAURL'. Unable to connect to remote server

URL 2: with addition on end - PVWAURL "https://myPVWA.myDomain.com/PasswordVault/v10/logon/Cyberark"
Steps: I enter the url 2 as mentioned above in the powershell script and am able to enter the Username and Password. See Error below.
Error Message: Logon Token is empty - Cannot logon.

Requirements for Safe-Management script

Hello Team
Just in case anybody runs into this issue with running the script
The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1

+ .\Safe-Management.ps1
    + CategoryInfo          : InvalidData: (:) [Safe-Management.ps1], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Safe-Management.ps1

The issue is related to TLS. When the script runs against a hardened PVWA it does not negotiate TLS at all. You will need to force the computer running the script to use TLSv1.2. (FWIW, we were running .NET 4.7.2 on Windows 2016 and it would only connect on TLSv1.0.)

Using PowerShell

set strong cryptography on 64 bit .Net Framework (version 4 and above)

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

set strong cryptography on 32 bit .Net Framework (version 4 and above)

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

Thanks and great work!
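An added check, not part of the original post or of the repository's scripts: it reads SchUseStrongCrypto from both registry locations named above and pins the current session to TLS 1.2 without changing the registry. The function names are hypothetical, and it assumes Windows PowerShell on .NET Framework, where Invoke-RestMethod honours ServicePointManager.

```powershell
# Added example: function names are hypothetical.

function Get-StrongCryptoState {
    # The two .NET Framework v4 keys that the Set-ItemProperty commands above write to
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($path in $paths) {
        $value = $null
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.SchUseStrongCrypto }
        }
        [pscustomobject]@{
            Path               = $path
            SchUseStrongCrypto = $value            # $null means the value is not set
            StrongCryptoOn     = ($value -eq 1)
        }
    }
}

function Enable-SessionTls12 {
    # Process-wide for this PowerShell session only; nothing is persisted.
    # Assigning (rather than OR-ing) drops TLS 1.0/1.1 from what the client offers.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    return [Net.ServicePointManager]::SecurityProtocol
}

# Report the machine-wide setting, then the session setting before and after
Get-StrongCryptoState | Format-Table -AutoSize
"Session protocols before: $([Net.ServicePointManager]::SecurityProtocol)"
"Session protocols after : $(Enable-SessionTls12)"
```

Run it in the same session that will launch the script; the registry values only take effect for processes started after they are set.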

Invoke-RESTMethod accepts hash tables in place of requiring ConvertTo-Json

$logonBody = @{ username=$Credentials.username.Replace('\','');password=$Credentials.GetNetworkCredential().password } | ConvertTo-Json

This would work as simply a hash table instead of requiring the need to pipe to ConvertTo-Json.

I don't think this warrants any real changes in the examples within this repository. I am just making the general knowledge known.

Seems it doesn't work with Cyberark version 10.2

Hi All,

I previously used the "Accounts_Onboard_Utility.ps1" script with version 9.10 and 10.1 as well; it was working fine.
However, I recently migrated to 10.2 and it seems the script is not working any longer. Every time I get the below error message:
Logon Token is empty : Cannot logon.

I have tried with Swagger UI with 10.2 and I am able to get a token and perform further activities.
Has anyone tested this with version 10.2 yet?
Any help will be much appreciated in this regard.

CyberArk DLL

Hi Assaf ,

How are you?

I want to ask you about the PVWA URL, what is it exactly?
Do I need any DLL to make the operation?

I am trying to create a safe in the CyberArk web in my company, with username and password.

Thank you ,
Best regards

Gidi

Logon Token is empty error

Good afternoon

I have used the PGU tool to generate a PSM web connector. Now according to the manual I need to import it into pvwa. I am using the script "Import-ConnectionComponents.ps1"

When I run the script with the necessary parameters in powershell to perform the import and then it asks me for credentials, I put the administrator credentials.

I get the following error : Logon token is empty - Cannot Login

PS C:\Users\jconchaz\Downloads> .\import.ps1 -PVWAURL https://pvwaaqp.cajaarequipa.pe/PasswordVault/v10/ -ConnectionComponentZipPath C:\Users\jconchaz\Downloads\PGU\ConnectionComponents\CiscoFirePower.zip
Import Connection Component: Script Started

Logon Token is Empty - Cannot login

Please, I need your help

Safe Management - Can't login

Using the provided PS script to add a safe, but getting an error as
"The remote server returned an error: (400) Bad request
Logon token is empty - Cannot login"

Logon Token is empty

Hello,

I am facing a Forbidden error while running the onboard account utility in Privilege Cloud for my client:

.\account_onboard_utility.ps1 -PVWAURL https://xxx.privilegecloud.cyberark.com/PasswordVault -CsvPath .\Trial.csv -Create

Getting PVWA Credentials to start Onboarding Accounts
Exception Message: The remote server returned an error: (403) Forbidden.
Status Code: 403
Status Description: Forbidden
Logon Token is Empty - Cannot login

I am using Cyberark pvwa version 11.3.

Please suggest.

import-connectioncomponents.ps1 : Error importing the connection ID, Error:

I am trying to import a PSM connection using PowerShell. Getting this error message when I ran it: "import-connectioncomponents.ps1 : Error importing the connection ID, Error: Bad Request"
And an error when it gets to the line below.
Invoke-RestMethod -Method Post -Uri $URL_CyberArkLogoff -Headers $logonHeader -ContentType "application/json" | Out-Null

My Cyberark version is V10.9.

Please help or advise, thanks.

issue with sub-properties when updating accounts with Accounts_Onboard_Utility v10

It should also be noted that the secretManagement attribute will almost always attempt to update and fail. This is a result of its object type. Sub-properties are not compared independently, but the entire value of the array shown below. The PVWA will almost always return a matching object with some additional properties within secretManagement such as the lastModifiedTime shown below which in turn causes the comparison to not match.

sProp name: secretManagement
sProp value: @{automaticManagementEnabled=False; manualManagementReason=No Reason; lastModifiedTime=1544813950}
objAccount value: @{automaticManagementEnabled=False; manualManagementReason=No Reason}

When secretManagement is added to the $s_AccountBody, the value is an array and the path is "/secretManagement". From what I've seen, each property should be specified in the path such as "/secretManagement/automaticManagementEnabled" and "/secretManagement/manualManagementReason" as separate changes.

Option Disable SSL Verification

More of a 'feature' than an 'issue'. Would be nice if the safe_management script had the option to disable SSL verification.

Internal server error when importing the connection component

Run command as follows
.\Import-ConnectionComponents.ps1 -PVWAURL https://PAS112/PasswordVault -ConnectionComponentZipPath "c:\source\SQL Server Mgmt Studio 2018-2.zip" -Verbose

But I always got the error message :
C:\Source\epv-api-scripts-master (1)\epv-api-scripts-master\Platforms\Import-ConnectionComponents.ps1 : Error importing the connection ID, Error: Internal Server Error
位於 Line:1 col:1

+ .\Import-ConnectionComponents.ps1 -PVWAURL https://PAS112/PasswordVau ...
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Import-ConnectionComponents.ps1

Could anyone help me?

Minor documentation, code bugs

The Documentation file README.md does not list one role defined in the code - Approver.

While the code does have this role defined on lines 1124-1128, the ValidateSet on line 79 does not have this role included.

Unable to create or update an account with custom properties

Hello Assaf,

While running the script, a customer and I have found the script will not create any custom properties for an account.

The customer is wanting to add LognnDomain, ExtraPass3Folder, ExtraPass3Name, and ExtraPass3Folder properties.

In my lab, running the script without the extra properties, the account would be created properly. If I tried to run the script to create the account with the extra properties, it throws an error "Bad Request." I've included the verbose output from the script (removed the password and token values) in the attached text document and the .csv file I used and from the customer.

gl-csat-account1-corptest.txt
gl-csat-account1-corptest-update.txt
aou_verbose_txt.txt

Update password?

Hi, can this be used to update a password? I tried but it appears not to be working.

Unauthorised with WriteErrorException

When making use of Export/Import Platform.ps1

Managed to use the following command to get the token though:

C:\Users\Administrator\Desktop> Invoke-RestMethod -Method Post -Uri https://xx.xx.xxx.xxx/PasswordVault/API/Auth/Cyberark/Logon -Body '{"password": "Password", "username": "Username"}' -ContentType "application/json"

However, when I run the script as a whole
I encounter
C:\Users\Administrator\Desktop\ExportImportPlatform.ps1. : Unauthorized

    + Category Info : Not Specified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.Powershell.Commands.WriteErrorException,ExportImportPlatform.ps1

The ampersand (&) character is not allowed ; The '<' operator is reserved for future use

Hi,
we have error ampersand and operator, (&) and (<) is on script code.

PS C:\Users\user> .\Export-Import-Platform.ps1 -PVWAURL 'https://host/PasswordVault/' -Import -PlatformID 'F5BIGIP' -PlatformZipPath 'C:\Users\user\F5-BigIP.zip' -Verbose

At C:\Users\user\Export-Import-Platform.ps1:144 char:19
+               Sign&nbsp;up
+                   ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks
("&") to pass it as part of a string.
At C:\Users\user\Export-Import-Platform.ps1:171 char:190
+ ... ata-ga-click="(Logged out) Header, go to Features">Features <span cla ...
+                                                                 ~
The '<' operator is reserved for future use.
At C:\Users\user\Export-Import-Platform.ps1:171 char:261
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks
("&") to pass it as part of a string.
At C:\Users\user\Export-Import-Platform.ps1:184 char:255
+ ... ogged out) Header, go to Customer stories">Customer stories <span cla ...
+                                                                 ~
The '<' operator is reserved for future use.
At C:\Users\user\Export-Import-Platform.ps1:184 char:326
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks
("&") to pass it as part of a string.
At C:\Users\user\Export-Import-Platform.ps1:185 char:231
+ ... ata-ga-click="(Logged out) Header, go to Security">Security <span cla ...
+                                                                 ~
The '<' operator is reserved for future use.
At C:\Users\user\Export-Import-Platform.ps1:185 char:302
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks
("&") to pass it as part of a string.
At C:\Users\user\Export-Import-Platform.ps1:208 char:222
+ ... a-click="(Logged out) Header, go to Explore">Explore GitHub <span cla ...
+                                                                 ~
The '<' operator is reserved for future use.
At C:\Users\user\Export-Import-Platform.ps1:208 char:293
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks
("&") to pass it as part of a string.
At C:\Users\user\Export-Import-Platform.ps1:211 char:107
+ ...  text-normal text-mono f5 mb-2 border-lg-top pt-lg-3">Learn &amp; con ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks
("&") to pass it as part of a string.
Not all parse errors were reported.  Correct the reported errors and try again.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : AmpersandNotAllowed

Thanks

Cannot Find an Overload for Add

I am unable to run any variations of the script for SafeManagement.ps1. Below is the output from running -list.

.\SafeManagement.ps1 -List -PVWAURL "https://*pvwaurl/passwordvault"

=======================================
Starting script (v1.5)
Safe Management
Enter your User name and Password
User: ***********************
Password for user *************: ********************
Error Logging on. Error: Source:System.Management.Automation; Message: Cannot find an overload for "Add" and the argument count: "2".
Retrieving Safes...
Error retrieving safes. Error: Source:; Message: Get-Safes: There was an error retrieving the safes from the Vault.
->Source:System.Management.Automation; Message: Cannot bind parameter 'Headers'. Cannot convert the "" value of type "System.String" to type "System.Collections.IDictionary".
->Source:System.Management.Automation; Message: Cannot convert the "" value of type "System.String" to type "System.Collections.IDictionary".
Logoff Session...
Run-Logoff: Failed to logoff session
At C:******\CyberArk\SafeManagement\SafeManagement.ps1:361 char:3

+     Throw $(New-Object System.Exception ("Run-Logoff: Failed to l ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [], Exception
    + FullyQualifiedErrorId : Run-Logoff: Failed to logoff session

issue with Get-Account function in Account_Onboard_Utility for v10

In the Get-Account function, the search result variable $_accounts isn't correctly looped through in the foreach statement.

$_accounts | write-host shows @{value=System.Object[]; count=1} on the console
$item | write-host shows the same value @{value=System.Object[]; count=1} on the console.

With a single result the foreach should be updated to the following line.
foreach ($item in $_accounts.value)

*I have not tested this with multiple account results, only single account results.

ConvertTo-Json issue - Accounts_Onboard_Utility v10

After much time spent digging into why account updates weren't working, it seems the below line is somewhat incorrect. Although the output looks almost identical, if there is only one operation in the $s_AccountBody array, the $restBody will be missing beginning and end [ ].

$restBody = $s_AccountBody | ConvertTo-Json -depth 5

{
"op": "replace",
"path": "/name",
"value": "OlderName"
}

Adjusting to this seems to work correctly even if there's only one object in the array.

$restBody = ConvertTo-Json @($s_AccountBody) -depth 5

[
{
"op": "replace",
"path": "/name",
"value": "OlderName"
}
]
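An added example, not the repository's code, that combines this fix with the per-sub-property paths suggested in the secretManagement issue further up: it compares nested properties leaf by leaf, skips server-maintained fields such as lastModifiedTime, and serializes the result so that a single operation is still a JSON array. The function names are hypothetical and the sample objects are constructed.

```powershell
# Added example: function names are hypothetical, sample objects are constructed.

function Get-AccountPatchOperations {
    param(
        [Parameter(Mandatory)] [psobject] $Current,   # account as returned by the PVWA
        [Parameter(Mandatory)] [psobject] $Desired,   # account as built from the CSV line
        # Fields the server maintains itself; never compared, never sent
        [string[]] $ServerOnly = @('id', 'createdTime', 'lastModifiedTime')
    )
    $ops  = New-Object 'System.Collections.Generic.List[object]'
    $work = New-Object System.Collections.Queue
    $work.Enqueue(@{ Path = ''; Cur = $Current; Des = $Desired })

    while ($work.Count -gt 0) {
        $node = $work.Dequeue()
        foreach ($prop in $node.Des.PSObject.Properties) {
            if ($ServerOnly -contains $prop.Name) { continue }
            $path    = "$($node.Path)/$($prop.Name)"
            $curProp = $null
            if ($null -ne $node.Cur) { $curProp = $node.Cur.PSObject.Properties[$prop.Name] }

            if ($prop.Value -is [System.Management.Automation.PSCustomObject]) {
                # Nested object (e.g. secretManagement): descend so that each
                # leaf gets its own path instead of one op on the whole object
                $curChild = $null
                if ($null -ne $curProp) { $curChild = $curProp.Value }
                $work.Enqueue(@{ Path = $path; Cur = $curChild; Des = $prop.Value })
            }
            elseif ($null -eq $curProp) {
                $ops.Add([pscustomobject]@{ op = 'add'; path = $path; value = $prop.Value })
            }
            elseif ($curProp.Value -cne $prop.Value) {
                $ops.Add([pscustomobject]@{ op = 'replace'; path = $path; value = $prop.Value })
            }
        }
    }
    return ,$ops.ToArray()   # leading comma keeps a one-element array an array
}

function ConvertTo-PatchBody {
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Operations)
    # -InputObject with @() keeps the outer [ ] even for one operation;
    # piping the array instead unrolls it and emits a bare { } object
    return ConvertTo-Json -InputObject @($Operations) -Depth 5
}

# Constructed sample, shaped like the values quoted in the sub-properties issue
$current = [pscustomobject]@{
    name             = 'OlderName'
    secretManagement = [pscustomobject]@{
        automaticManagementEnabled = $false
        manualManagementReason     = 'No Reason'
        lastModifiedTime           = 1544813950
    }
}
$desired = [pscustomobject]@{
    name             = 'OlderName'
    secretManagement = [pscustomobject]@{
        automaticManagementEnabled = $false
        manualManagementReason     = 'Pending owner review'
    }
}

$ops = Get-AccountPatchOperations -Current $current -Desired $desired
if ($ops.Count -gt 0) {
    # This string is what would be passed as -Body to the PATCH request
    ConvertTo-PatchBody -Operations $ops
}
```

Removal of a property that exists on the server but not in the CSV (the "remove" operation seen in the verbose log earlier on this page) is not covered by this sketch.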

Dependent Account onboard utility

Unable to onboard the dependent account using the API. Below are the details.

PS C:\epv-api-scripts-master\Dependent Account onboard utility> .\Onboard-DependentAccountsFromCSV.ps1 -PVWAURL "https://pvwa.cyberark.com/PasswordVault/" -CsvPath .\dependentAccounts.csv -Debug -Verbose
DEBUG: Setting script to use TLS 1.2
DEBUG: Trying to validate URL: https://pvwa.cyberark.com/PasswordVault
VERBOSE: HEAD https://pvwa.cyberark.com/PasswordVault with 0-byte payload
VERBOSE: received 17-byte response of content type

Welcome to Accounts Dependencies Onboard Utility

Getting PVWA Credentials to start Onboarding Dependencies
VERBOSE: Invoke-RestMethod -Uri https://pvwa.cyberark.com/PasswordVault//api/auth/cyberark/Logon -Method Post -Header -ContentType "application/json" -Body {
"password": "****%gyDbWMfy",
"username": "cyberark"
} -TimeoutSec ****6000
VERBOSE: POST https://pvwa.cyberark.com/PasswordVault//api/auth/cyberark/Logon with -1-byte payload
Exception Message: The remote server returned an error: (409) Conflict.
Status Code: 409
Status Description: Conflict
VERBOSE: Invoke-REST Response:
Logon Token is Empty - Cannot login
