Using a Function inside the Script Resource


I am trying to write a script that will Test for local group membership. The issue is that the group members are in a different, trusted domain, which the Group Resource won’t handle.

I have a function that pulls up the group members, and I have added it to the beginning of my DSC script. However, the TestScript does not see the function. Do I have to put my function inside every test script that uses it, or can I declare it in such a way that the TestScript can find it?

I tried $Using:Get-LocalGroupMembers and I get this error:

At D:\Scripts\iAPPWebRole.ps1:454 char:26
+             $members = $Using:Get-LocalGroupMembers $localGroupName
+                                  ~~~~~~~~~~~~~~~~~~
Unexpected token '-LocalGroupMembers' in expression or statement.
At D:\Scripts\iAPPWebRole.ps1:454 char:45
+             $members = $Using:Get-LocalGroupMembers $localGroupName
+                                                     ~~~~~~~~~~~~~~~
Unexpected token '$localGroupName' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken

Any ideas, or is there a better way to test for group membership?



You’ll need to put your function into a module and deploy it to each machine before your Script resource gets invoked by the LCM.

I would check if the issue has been fixed in the experimental resource of the xPSDesiredStateConfiguration module, or fork the original Group resource provided by Microsoft, add your function, and share it with us via a GitHub contribution.
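A sketch of the module approach suggested in the answer above, added here as an example and not code from the thread. The module name LocalGroupTools, the body of Get-LocalGroupMembers, and the CORP\some.user value are assumptions; run it elevated on the target node.

```powershell
# Added example. Module name, function body and member value are assumptions.
# 1) Ship the helper as a module so the LCM can load it on the target node.
$moduleDir = "$env:ProgramFiles\WindowsPowerShell\Modules\LocalGroupTools"
New-Item -ItemType Directory -Path $moduleDir -Force | Out-Null
@'
function Get-LocalGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    # The WinNT provider lists local and trusted-domain members alike.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in $group.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://CORP/user -> CORP\user ; WinNT://DOM/HOST/user -> HOST\user
        ($path.Substring(8).Split('/')[-2..-1]) -join '\'
    }
}
'@ | Set-Content -Path "$moduleDir\LocalGroupTools.psm1"

# 2) Script blocks are stored as text in the MOF, so $using: can only carry
#    variable values; the function is located by module name instead.
Configuration AppPoolGroupCheck {
    param(
        [string]$LocalGroupName = 'wm_rsc_iis_apppools',
        [string]$RequiredMember = 'CORP\some.user'   # constructed sample value
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        Script CrossDomainMember {
            GetScript  = {
                Import-Module LocalGroupTools -ErrorAction Stop
                $name = $using:LocalGroupName
                @{ Result = (Get-LocalGroupMembers -GroupName $name) -join ';' }
            }
            TestScript = {
                Import-Module LocalGroupTools -ErrorAction Stop
                $name   = $using:LocalGroupName
                $wanted = $using:RequiredMember
                # TestScript must return a boolean: $true means "in desired state".
                @(Get-LocalGroupMembers -GroupName $name) -contains $wanted
            }
            SetScript  = {
                $name   = $using:LocalGroupName
                $wanted = $using:RequiredMember
                $group  = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
                $group.Add('WinNT://' + ($wanted -replace '\\', '/'))
            }
        }
    }
}
AppPoolGroupCheck -OutputPath "$env:TEMP\AppPoolGroupCheck"
```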


Hi, I downloaded the xPSDesiredStateConfiguration module and found the xGroup resource

The xGroup resource extends the in-box Group resource by supporting cross-domain account lookup where a valid trust relationship exists.
In addition, UPN-formatted names have limited support for identifying user, computer, and group domain-based accounts.
The properties of the xGroup resource are identical to the in-box resource and include the following:

•GroupName: The name of the group for which you want to ensure a specific state.
•Ensure: An enumeration stating if the group should be Present (default) or Absent.
•Description: Description of the group.
•Members: The members that form the group.
  •Important … If the group already exists, the listed items in this property replace what is in the group.
•MembersToInclude: List of users to add to the group.
  •Important … This property is ignored if 'Members' is specified.
•MembersToExclude: List of users you want to ensure are not members of the group.
  •Important … This property is ignored if 'Members' is specified.
•Credential: Indicates the credentials required to access remote resources.
  •Important … This account must have the appropriate Active Directory permissions to add all non-local accounts to the group; otherwise, an error will occur.

Local accounts may be specified in one of the following ways:
•The simple name of the account of the group or local user.
•The account name scoped to the explicit machine name; such as myserver\users or myserver\username
•The account name scoped using the explicit local machine qualifier; such as .\users or .\username

Domain members may be specified using domain\name or Universal Principal Name (UPN) formatting. The following illustrates the various formats
•Domain joined machines: mydomain\myserver or
•Domain user accounts: mydomain\username or
•Domain group accounts: mydomain\groupname or

I have tried to input a user with Members and MembersToInclude. If I put in a local user it works fine. If I put in a domain user I get this error:

You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : InvokeMethodOnNull

Here is how I set it up:

xGroup wm_rsc_iis_apppools {
    GroupName        = "wm_rsc_iis_apppools"
    Ensure           = "Present"
    MembersToInclude = @('michael.felkins@corp.local') # also tried "corp\michael.felkins" and "corp.local\michael.felkins"
    Description      = "wm_rsc_iis_apppools"
    Credential       = $cred
}

I figured it out. It did not like my Credentials. I was not putting corp\ in front of my user name.

So the new and improved xGroup does in fact work and it is letting me add cross domain users.

Yea !!!


Great. Thanks for testing the xGroup resource. I’ll need to use that resource soon as well.