Problems adding users to local group


I am trying to build a web server with several users placed in some local groups.
I am using the User function in DSC. Here is the error I get.

ConvertTo-MOFInstance : System.InvalidOperationException error processing property ‘Password’ OF TYPE ‘User’:
Converting and storing an encrypted password as plaintext is allowed only if PSDscAllowPlainTextPassword is set to
At D:\Scripts\WebRole.ps1:572 char:5

I am setting the Credentials early on in the script lile this:

$SecurePassword = ConvertTo-SecureString “xyz**************”’ -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential(“`$theusername”,$SecurePassword)

I then try to set up the user like this:

Create Local User Accounts

User Theusername    {
  UserName = '$theusername'
  Description = 'Service Account'
  Disabled = $False
  Ensure = 'Present'
  FullName = '$theusername'
  Password =  $Credentials
  PasswordChangeNotAllowed = $True
  PasswordChangeRequired = $False
  PasswordNeverExpires = $True

I found one example that says I have to set PSDscAllowPlainTextPassword=$true

But it is unclear where I would put this in my code.

Any help would be great.


Have you looked at The DSC Book? There’s an example.

Yes I have, I am using the example in my script. However it does not seem to make any difference.
I have tried it in the begining of the script and at the end with no luck. It just seems to ignore it.

I am using the “The Easier, Less-Right Way”

I inherited this script from someone who started it, but did not finish. It has many issues that I am trying to solve one at a time.

Thanks for taking the time to answer my question.


The “allow unencrypted” needs to go in a global configuration block that gets passed into the configuration when you run it. That’s shown at the bottom of page 44. It doesn’t go IN the configuration, you’ll notice. It’s a little difficult to troubleshoot further without seeing what you’re doing (notice that file attachments must have a .txt extension).


Thanks for the quick response. I re-read the section on “The Easier, Less-Right Way” and I realized I wasn’t calling the global configuration block when I was running the script.

That seemed to fix that problem. One down 27 to go.