I am trying to get DSC to work with operations that require a domain account for access. For instance, I would like to add a domain group to the local administrators group.
First, you have to use a credential.
But when I specify one, I get the following exception “error processing property ‘Credential’ OF TYPE ‘LocalConfigurationManager’: Converting and storing an encrypted password as plaintext is allowed only if PSDscAllowPlainTextPassword is set to true.”
I am unable to find where to set that variable, but I feel like I should be doing something to keep the password from being in plain text.
I looked in the source code for PSDesiredStateConfiguration and it looks like I should be able to set a CertificateID, but that did not work either.
Here is the code that I am trying:
    $password = Get-Content .\securestring.txt | ConvertTo-SecureString
    $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\dscuser",$password
    $certificate = Get-ChildItem cert:\LocalMachine\My | where{ $_.Subject -eq "CN=$($env:COMPUTERNAME).domain.com" }
    Configuration ServerProvisioning
    {
        Node "*"
        {
            LocalConfigurationManager
            {
                CertificateID = $certificate.Thumbprint
                Credential = $credential
            }
            Group AdminGroup
            {
                Ensure = "Present"
                GroupName = "Administrators"
                MembersToInclude = "domain\admingroup"
            }
        }
    }
    ServerProvisioning
Does anyone have an example of using domain credentials that works?
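
An added example, not part of the original post: one way to keep the password out of the MOF in plain text is to give DSC the target node's certificate through configuration data, which is also where PSDscAllowPlainTextPassword would be set. It uses the same WMF 4-style LocalConfigurationManager block as the post and puts the credential on the Group resource. The node name, the .cer path and the thumbprint placeholder are assumptions.

```powershell
# Added example. SERVER01, the .cer path and the thumbprint value are placeholders.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'SERVER01'                       # hypothetical target node
            # Public key of the node's certificate, exported to the authoring machine.
            # DSC encrypts PSCredential values in the MOF with this key.
            CertificateFile = 'C:\DscPublicKeys\SERVER01.cer'  # hypothetical path
            # Thumbprint of the same certificate; its private key must be on the node.
            Thumbprint      = '<THUMBPRINT-OF-NODE-CERTIFICATE>'
            # Weak alternative, not used here: writes the password to the MOF in clear text.
            # PSDscAllowPlainTextPassword = $true
        }
    )
}

Configuration ServerProvisioning
{
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential] $DomainCredential
    )

    Node $AllNodes.NodeName
    {
        # Tells the node's LCM which certificate to use when decrypting credentials.
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }

        Group AdminGroup
        {
            Ensure           = 'Present'
            GroupName        = 'Administrators'
            MembersToInclude = 'DOMAIN\admingroup'
            # Domain account used to resolve the non-local group member.
            Credential       = $DomainCredential
        }
    }
}

# Compile with the configuration data, then apply the LCM settings before the configuration.
ServerProvisioning -ConfigurationData $ConfigData -DomainCredential (Get-Credential 'DOMAIN\dscuser') -OutputPath .\ServerProvisioning
Set-DscLocalConfigurationManager -Path .\ServerProvisioning
Start-DscConfiguration -Path .\ServerProvisioning -Wait -Verbose
```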