Issue adding users to a group

DSC
1

Hi All,

I used the powershell DSC Ebook from this site to set up my DSC test, but I’m running into an issue adding people to a group. I’ve tried passing my credentials two different ways, both make it into the mof file and look fine, but neither method actually adds the users to the group. I am an admin on the box I’m trying to create the group on and I’ve tried two different sets of credentials in doing so - neither work.

I’ve run the Trace-cDscOperation and found some log info on it, which is shown below:

This event indicates that a non-terminating error was thrown when DSCEngine was executing Set-TargetResource on MSFT_GroupResource provider. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling “FindByIdentity” with “2” argument(s): “Unknown error (0x80005000)”.
This event indicates that failure happens when LCM is processing the configuration. ErrorId is 0x1. ErrorDetail is The SendConfigurationApply function did not succeed… ResourceId is [Group]Administrators and SourceInfo is ::559::33::Group. ErrorMessage is The PowerShell provider MSFT_GroupResource threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details…
DSC Engine Error :
Error Message The SendConfigurationApply function did not succeed.
Error Code : 1

It says the same thing in Event Viewer. I’m not sure where to look for the ETW channel that it mentions.

If I manually make a local user on the machine and tell DSC to create the group, give it a description, and add that local guy then it works fine. However, it always fails if I try to pick a domain user. It creates the group, but doesn’t add anyone and doesn’t add the description.

I’m able to add a domain user without issue if I log into the machine and run a more traditional powershell script using ADSI to create the group and add the person. It just doesn’t like it when I try with DSC.

Here’s the pertinent pieces of my DSC script:

configuration test

{

$SuperUsers = "domain\randomguy1",
      "domain\randomguy2"

 $secpasswd = ConvertTo-SecureString "MYPASSWORD" -AsPlainText -Force
 $mycreds = New-Object System.Management.Automation.PSCredential ("MYUSERID",$secpasswd)

      node node1

               {

                                 Group SuperUsers

                                    {

                                        GroupName = "Super Users"
                                        Ensure = "Present"
                                        Credential = $mycreds
                                        Description = "test test"
                                        Members = @($SuperUsers)
                                        
                                    }

                }

}

I’ve also tried:

Configuration test

{ 

   param(
    [pscredential]$Credential

    )

$SuperUsers = "domain\randomguy1",
     "domain\randomguy2"

        node node1

                 {


                       Group SuperUsers

                                    {

                                        GroupName = "Super Users"
                                        Credential = $credential
                                        Description = "test test"
                                        Ensure = "Present"
                                        Members = @($SuperUsers)
                                                                                
                                    }

              }

}

test -ConfigurationData $configurationData -credential (get-credential)

At this point I’m stumped as to what it could be since it works fine if I run a script from the target node, or if I add a local user. It seems to be related to my credentials, but I’m not sure why. Can someone point me in the right direction on this?

Thanks,
Matt

2

Well, you’re not really testing apples-to-apples; DSC isn’t using ADSI internally, so testing it with ADSI doesn’t confirm anything about DSC.

The error indicates that whatever command DSC is running internally is not able to resolve the identity of the user you specified. If you look at MSFT_GroupResource.psm1, you can see the code it’s trying to execute. It might be useful to just try and run the same commands manually yourself, to follow the same logic DSC is attempting, so that you can see exactly where it goes wrong. My suspicion is that you’ll find your credential object, or the group object. aren’t properly resolving to an account.

For example, on line 851:

    $principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, $objectName);

That’s probably what’s breaking. Without being local on your system, I can’t say exactly why, but I’d test this by just running through the commands manually until something broke. Then I’d know specifically what broke.

3

OK! After having problems with this myself, I finally figured it out and got it working! Using your code as an example, your first code above was very close.

My 2 “minor” changes (not minor when your pulling your hair out) in BOLD:

configuration test

{

$SuperUsers = “domain\randomguy1”,
“domain\randomguy2”

$secpasswd = ConvertTo-SecureString “MYPASSWORD” -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential (“[b]DOMAIN[/b]MYUSERID”,$secpasswd)

  node node1

           {

                             Group SuperUsers

                                {

                                    GroupName = "Super Users"
                                    Ensure = "Present"
                                    Credential = $mycreds
                                    Description = "test test"
                                    Members[b]ToInclude[/b] = @($SuperUsers)

                                }

            }

}

4

You do need this:

test -ConfigurationData $configurationData -credential (get-credential)

and if doing plain text passwords instead of using secure certs you also need this, or credentials won’t work:

$configurationData = @{
AllNodes = @(
@{
NodeName = ‘*’
PSDscAllowPlainTextPassword = $True
}
@{
NodeName = ‘node1’
DomainName = ‘example.com
}
)
}