DSC group resource can't remove domain user from local administrators group

I want to use the DSC Group resource to keep a few users [local users and domain users] in the local administrators group.

We have lots of Windows Servers, and each Windows Server has different domain users in its local administrators group. We want to use PowerShell DSC to control the users in the local administrators group through different .MOF files for each server; that is why I want to use PowerShell DSC to replace the GPO setting.

But I found that when I added another domain user which is not in the script below, DSC can’t delete this domain user from the local administrators group.

configuration dsc-node-config {

    param
    (
        [PSCredential] $DomainCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node test-server
    {
        Group Administrators
        {
            GroupName            = 'Administrators'
            Ensure               = 'Present'
            Members              = @(
                'testdomain\uf012066',
                'testdomain\uf033913',
                'testdomain\Domain Admins',
                'testdomain\ServerAdministrator',
                'testUser',
                'testdomain\vs000974')
            Credential           = $DomainCredential
            PsDscRunAsCredential = $DomainCredential
        }
    }
}


$cd = @{
    AllNodes = @(
        @{
            NodeName = 'test-server'
            PSDscAllowDomainUser = $true
            PSDscAllowPlainTextPassword = $true
            # CertificateFile = "C:\PublicKeys\server1.cer"
        }
    )
}


$cred = Get-Credential -UserName testdomain\vif12066 -Message "Password please"

dsc-node-config -DomainCredential $cred -ConfigurationData $cd -OutputPath 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
New-DscChecksum 'C:\Program Files\WindowsPowerShell\DscService\Configuration\test-server.mof' -Force
Update-DscConfiguration -ComputerName test-server

Have you tried using “MembersToInclude” instead of “Members”? I haven’t tried it yet, but this looks like it might do the trick.

Thanks for your reply.

“MembersToInclude” can only add members to local groups, but it can’t keep the members in local groups.

I have tried “MembersToInclude”; it can’t meet my requirement to keep members.

EDIT: Never mind. That would remove the group. Checking.

There should be a MembersToExclude option if you’re using PSDesiredStateConfiguration 1.1:

PS C:\Users\lwinadmin> Get-DscResource Group -Syntax
Group [String] #ResourceName
{
    GroupName = [string]
    [Credential = [PSCredential]]
    [DependsOn = [string[]]]
    [Description = [string]]
    [Ensure = [string]{ Absent | Present }]
    [Members = [string[]]]
    [MembersToExclude = [string[]]]
    [MembersToInclude = [string[]]]
    [PsDscRunAsCredential = [PSCredential]]
}

Hi Will, Thanks for your reply.

From my view, MembersToExclude can specify the members which I don’t want added to the local administrators group, but it can’t keep a member list in the local administrators group.

About the description of the Members parameter:

[String[]] Members (Write): The members the group should have. This property will replace all the current group members with the specified members. Members should be specified as strings in the format of their domain qualified name (domain\username), their UPN (username@domainname), their distinguished name (CN=username,DC=...), or their username (for local machine accounts). Using either the MembersToExclude or MembersToInclude properties in the same configuration as this property will generate an error.

From the wording, the Members parameter should keep a member list which I want to keep.

Hi Allen,

I did a test on my side. The version of the Group resource shows as 1.1, so it’s the original version. I used this for the configuration:

Group RDP
{
    GroupName = "Remote Desktop Users"
    Ensure    = "Present"
    Members   = @(
        'testdomain\myuser'
    )
}

Then I added some extra domain users to the group manually. DSC was able to remove them without any problem.

I then tried it with xGroup (6.4.0.0) and it worked fine too; it removed any extra users I added manually.

The only version I did not test is the one in the updated PSDscResources (2.8.0.0), as I’m having problems importing it.
Do you know which version you are using that has the problem?

Just for clarity, which of these statements meets your requirements? (or if none, can you explain further)

  • You need to add a list of members in machine local Administrators, without removing existing members
  • You need to set the list of members in machine local Administrators, and remove anyone not in the list, and remove any future accounts that are added using AutoCorrect
  • You need to set the list of members in machine local Administrators, without removing existing members, but remove any future accounts that are added using AutoCorrect

Hi Michael, thanks for your reply.

I mean the one below:

You need to set the list of members in machine local Administrators, without removing existing members, but remove any future accounts that are added using AutoCorrect

And I have set the LCM to ApplyAndAutoCorrect.

BTW: I got some information from the Microsoft forums, one Goodman answer:

If all of the members are present then nothing will be changed. You are also missing the local administrator which must be included.

I don’t know whether this answer is helpful for this topic.
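As an added example (not code from this thread), the configuration below applies the Members semantics quoted earlier, with the built-in local Administrator account listed, since Windows does not allow it to be removed from the Administrators group and the resource fails when asked to remove it. It also sets the LCM to ApplyAndAutoCorrect, which is what makes the Members list authoritative across later manual additions. Node name, group names and the push-mode deployment are assumptions for illustration; the thread uses a pull server.

```powershell
configuration LocalAdminsBaseline {
    param (
        [Parameter(Mandatory)]
        [PSCredential] $DomainCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'test-server' {
        Group Administrators {
            GroupName = 'Administrators'
            Ensure    = 'Present'
            # Members is authoritative: every principal not listed is removed on
            # each consistency check. The built-in local Administrator cannot be
            # removed from this group, so it must be listed here.
            Members   = @(
                'Administrator'                     # built-in local account
                'testdomain\Domain Admins'          # assumed domain group
                'testdomain\ServerAdministrator'    # assumed domain group
            )
            Credential = $DomainCredential          # resolves the domain principals
        }
    }
}

# LCM meta-configuration: without ApplyAndAutoCorrect the LCM only reports
# drift (ApplyAndMonitor) instead of reverting it.
[DscLocalConfigurationManager()]
configuration LcmAutoCorrect {
    Node 'test-server' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
            RebootNodeIfNeeded             = $false
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName                    = 'test-server'
            PSDscAllowDomainUser        = $true
            PSDscAllowPlainTextPassword = $true   # lab only; use a certificate in production
        }
    )
}

$cred = Get-Credential -Message 'Domain account able to resolve group members'

LocalAdminsBaseline -DomainCredential $cred -ConfigurationData $cd -OutputPath .\LocalAdmins
LcmAutoCorrect -OutputPath .\Lcm

Set-DscLocalConfigurationManager -Path .\Lcm -ComputerName test-server -Verbose
Start-DscConfiguration -Path .\LocalAdmins -ComputerName test-server -Wait -Verbose

# Verification: InDesiredState = $false means a member was added or removed
# outside DSC; with ApplyAndAutoCorrect it is reverted at the next check.
Test-DscConfiguration -ComputerName test-server -Detailed
```

Run Test-DscConfiguration after manually adding an account to the group: it reports drift immediately, and the next consistency check (at most 15 minutes later with the setting above) removes the account again.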

Hi Sylvain, thanks for your reply.

The module I used is the Group resource in PSDesiredStateConfiguration version 1.1,
and I also tried the xGroup resource in xPSDesiredStateConfiguration version 6.4.

Both Group resources work for groups other than the local administrators group. I tested them too.

But they are not working for the local administrators group. Did you try both resources on the local administrators group?

I think I understand the issue. Please confirm this is correct.

In your ideal scenario the resource would:

  • Capture the list of members of the machine local Administrator group
  • Add new members based on the Configuration properties
  • Store a list containing a combination of accounts that were previously in the Administrators group, plus accounts that were added by the Configuration
  • Prevent future changes by comparing against that stored list

If this understanding is correct, then you would need to fork and modify the resource to add this behavior. Currently, the resource does not capture and store information in this way (it would be challenging to do this securely).

However, you mentioned you are switching from using Group Policy. Were you using “Restricted Groups”? The behavior of that policy is to effect inclusion and exclusion, so any accounts not listed in the policy would have been removed.

A good next step might be to run a script that remotely confirms membership of the machine local Administrators group across servers?
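One way to do that membership check, as an added example rather than code from this thread: the function below queries the local Administrators group on each server over PowerShell remoting and compares it with a per-server allow list, reporting extra and missing principals. The server names and allow lists are constructed placeholders; it assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember) and WinRM access.

```powershell
# Constructed allow list: one entry per server. Local principals use bare
# names; domain principals use DOMAIN\Name, matching Get-LocalGroupMember output.
$Expected = @{
    'test-server'  = @('Administrator', 'testdomain\Domain Admins', 'testdomain\ServerAdministrator')
    'test-server2' = @('Administrator', 'testdomain\Domain Admins', 'testdomain\uf012066')
}

function Get-LocalAdminDrift {
    param (
        [Parameter(Mandatory)] [hashtable] $Expected,
        [PSCredential] $Credential
    )

    foreach ($server in $Expected.Keys) {
        $splat = @{ ComputerName = $server; ErrorAction = 'Stop' }
        if ($Credential) { $splat.Credential = $Credential }

        try {
            # Runs on the remote host; PSComputerName is added automatically.
            $members = Invoke-Command @splat -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' |
                    Select-Object Name, ObjectClass, PrincipalSource
            }
        } catch {
            # Covers WinRM failures and the case where a stale SID of a deleted
            # account makes Get-LocalGroupMember throw on the target.
            [pscustomobject]@{
                Server = $server; Status = 'Error'; Extra = ''; Missing = ''
                Detail = $_.Exception.Message
            }
            continue
        }

        # Local accounts come back as 'COMPUTER\Name'; strip the machine prefix
        # so the allow list can use bare names for local principals.
        $actualNames = @($members | ForEach-Object {
            if ($_.PrincipalSource -eq 'Local') { $_.Name -replace '^[^\\]+\\', '' } else { $_.Name }
        })

        $allowed = $Expected[$server]
        $extra   = @($actualNames | Where-Object { $_ -notin $allowed })
        $missing = @($allowed | Where-Object { $_ -notin $actualNames })

        [pscustomobject]@{
            Server  = $server
            Status  = if ($extra -or $missing) { 'Drift' } else { 'OK' }
            Extra   = $extra -join ', '      # present on the box, not in the allow list
            Missing = $missing -join ', '    # in the allow list, absent on the box
            Detail  = ''
        }
    }
}

Get-LocalAdminDrift -Expected $Expected | Format-Table -AutoSize
```

Anything listed under Extra is a candidate for removal before the DSC configuration is applied, and a server reporting Error needs its remoting or group membership inspected by hand before it is trusted to enforce the baseline. Comparison is case-insensitive, which matches how Windows treats account names.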