ADGroup: Fails into the wrong code path when ManagedBy identity cannot be resolved #493

Closed
johlju opened this issue Aug 31, 2019 · 0 comments · Fixed by #497
Labels
bug The issue is a bug.

johlju commented Aug 31, 2019

Details of the scenario you tried and the problem that is occurring

If ManagedBy property cannot be resolved, then the code falls into the wrong path saying that the group does not exist.

Verbose logs showing the problem

    Context When using configuration MSFT_ADGroup_UpdateGroup1_Config
WARNING: It is not recommended to use domain credential for node 'localhost'. In order to suppress the warning, you can add a property named 'PSDscAllowDomainUser' with a value of $true to your DSC configuration data for node 'localhost'.
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADGroup\MSFT_ADGroup.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Resource ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]: LCM:  [ Start  Test     ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Importing the module MSFT_ADGroup in force mode.
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Retrieving group membership based on 'SamAccountName' property. (ADG0001)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'Description' is not correct. Expected 'A DSC description', actual ''. (ADG0011)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'DisplayName' is not correct. Expected 'DSC Group 1', actual ''. (ADG0011)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'ManagedBy' is not correct. Expected 'CONTOSO\Administrator', actual ''. (ADG0011)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'Notes' is not correct. Expected 'Notes for this group', actual ''. (ADG0011)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Group membership is NOT in the desired state. (ADG0002)
VERBOSE: [DC01]: LCM:  [ End    Test     ]  [[ADGroup]Integration_Test]  in 0.5150 seconds.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Importing the module MSFT_ADGroup in force mode.
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Updating AD Group 'DscGroup1'. (ADG0006)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Updating AD Group property 'Description' to 'A DSC description'. (ADG0012)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Updating AD Group property 'DisplayName' to 'DSC Group 1'. (ADG0012)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Updating AD Group property 'ManagedBy' to 'CONTOSO\Administrator'. (ADG0012)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'DscGroup1' was not found. (ADG00010)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Updating AD Group property 'Notes' to 'Notes for this group'. (ADG0012)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Adding '2' member(s) to AD group 'DscGroup1'. (ADG0003)
VERBOSE: [DC01]: LCM:  [ End    Set      ]  [[ADGroup]Integration_Test]  in 1.3750 seconds.
VERBOSE: [DC01]: LCM:  [ End    Resource ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]: LCM:  [ End    Set      ]
VERBOSE: [DC01]: LCM:  [ End    Set      ]    in  2.7040 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 3.189 seconds
      [+] Should compile and apply the MOF without throwing 3.52s
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADGroup\MSFT_ADGroup.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Get      ]
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Importing the module MSFT_ADGroup in force mode.
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Retrieving group membership based on 'SamAccountName' property. (ADG0001)
VERBOSE: [DC01]: LCM:  [ End    Get      ]  [[ADGroup]Integration_Test]  in 0.4380 seconds.
VERBOSE: [DC01]: LCM:  [ End    Get      ]    in  0.8440 seconds.
      [+] Should be able to call Get-DscConfiguration without throwing 1.41s
      [-] Should have set the resource and all the parameters should match 111ms
        Expected 'CONTOSO\Administrator', but got $null.
        456:                 $resourceCurrentState.ManagedBy | Should -Be $ConfigurationData.AllNodes.AdministratorUserName
        at <ScriptBlock>, C:\source\ActiveDirectoryDsc\Tests\Integration\MSFT_ADGroup.Integration.Tests.ps1: line 456

Suggested solution to the issue

Refactor Set-TargetResource to correctly use Get-TargetResource, then the existing try-block might be unnecessary. Instead, a try-block can be added around the Set-ADObject when setting the property ManagedBy.

When ManagedBy fails to resolve the following error is thrown

PS > Set-ADGroup  -Identity 'DscGroup1' -ManagedBy 'CONTOSO\Administrator'
Set-ADGroup : Identity info provided in the extended attribute: 'ManagedBy' could not be resolved. Reason: 'Cannot find
 an object with identity: 'CONTOSO\Administrator' under: 'DC=contoso,DC=com'.'.
At line:1 char:1
+ Set-ADGroup  -Identity 'DscGroup1' -Replace @{ Description = 'test';  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (DscGroup1:ADGroup) [Set-ADGroup], ADIdentityResolutionException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityResolutionException
   ,Microsoft.ActiveDirectory.Management.Commands.SetADGroup

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration MSFT_ADGroup_UpdateGroup1_Config
{
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'

    node $AllNodes.NodeName
    {
        ADGroup 'Integration_Test'
        {
            Ensure                = 'Present'
            GroupName             = $Node.Group1_Name
            DisplayName           = 'DSC Group 1'
            Description           = 'A DSC description'
            Notes                 = 'Notes for this group'
            ManagedBy             = 'Administrator'
            Members               = @(
                'Administrator',
                'Guest'
            )

            Credential            = New-Object `
                -TypeName System.Management.Automation.PSCredential `
                -ArgumentList @(
                $Node.AdministratorUserName,
                (ConvertTo-SecureString -String $Node.AdministratorPassword -AsPlainText -Force)
            )
        }
    }
}

The operating system the target node is running

sName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.1
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.1
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

dev

johlju added a commit to johlju/ActiveDirectoryDsc that referenced this issue Sep 1, 2019
johlju added a commit that referenced this issue Sep 2, 2019
- Changes to ActiveDirectoryDsc.Common
  - Update helper function `Add-ADCommonGroupMember` to reduce duplicated
    code, and add an evaluation if `Members` is empty.
  - Updated helper function `Restore-ADCommonObject` to write out a verbose
    message when no object was found in the recycle bin.
  - Updated helper function `Assert-MemberParameters` to not throw an error
    if the parameter `Members` is an empty array.
- Changes to ADGroup
  - Added a read-only property `DistinguishedName`.
  - Refactor the function `Set-TargetResource` to use the function
    `Get-TargetResource` so that `Set-TargetResource` can correctly throw
    an error when something goes wrong (issue #151, issue #166, issue #493).
  - It is now possible to enforce a group with no members by using
    `Members = @()` in a configuration (issue #189).
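
The failure mode reported in this issue and the narrower error handling it suggests, as an added sketch that is not code from ActiveDirectoryDsc, the issue or the commit. The exception classes, `Set-MockGroup` and both `Set-Group*` functions are hypothetical stand-ins so the script runs without a domain, and the inheritance between the two exception types is an assumption made to reproduce the symptom.

```powershell
# Stand-in exception types (hypothetical). The inheritance is an assumption of
# this sketch, chosen so that a catch for the base type also catches the derived one.
class GroupNotFoundException : System.Exception {
    GroupNotFoundException([string] $Message) : base($Message) {}
}
class IdentityResolutionException : GroupNotFoundException {
    IdentityResolutionException([string] $Message) : base($Message) {}
}

# Constructed directory: the group exists, but the ManagedBy account does not resolve.
$script:Directory = @{ Groups = @{ 'DscGroup1' = @{ ManagedBy = $null } }; Users = @('Guest') }

function Set-MockGroup {
    param ([string] $Identity, [string] $ManagedBy)
    if (-not $script:Directory.Groups.ContainsKey($Identity)) {
        throw [GroupNotFoundException]::new("Cannot find group '$Identity'.")
    }
    if ($script:Directory.Users -notcontains $ManagedBy) {
        throw [IdentityResolutionException]::new("'ManagedBy' value '$ManagedBy' could not be resolved.")
    }
    $script:Directory.Groups[$Identity].ManagedBy = $ManagedBy
}

# Before: one broad catch reports every failure as "group not found" and returns normally,
# so the caller sees a successful Set while ManagedBy stays empty.
function Set-GroupBroadCatch {
    param ([string] $GroupName, [string] $ManagedBy)
    try { Set-MockGroup -Identity $GroupName -ManagedBy $ManagedBy; 'Updated' }
    catch [GroupNotFoundException] { "AD Group '$GroupName' was not found." }
}

# After: establish that the group exists first, then guard only the ManagedBy update
# and rethrow, so an unresolved identity stops the Set with the real reason.
function Set-GroupNarrowCatch {
    param ([string] $GroupName, [string] $ManagedBy)
    if (-not $script:Directory.Groups.ContainsKey($GroupName)) {
        throw [GroupNotFoundException]::new("Cannot find group '$GroupName'.")
    }
    try { Set-MockGroup -Identity $GroupName -ManagedBy $ManagedBy; 'Updated' }
    catch [IdentityResolutionException] {
        throw "Failed to set ManagedBy on '$GroupName': $($_.Exception.Message)"
    }
}

Set-GroupBroadCatch -GroupName 'DscGroup1' -ManagedBy 'CONTOSO\Administrator'
try { Set-GroupNarrowCatch -GroupName 'DscGroup1' -ManagedBy 'CONTOSO\Administrator' }
catch { "Set failed: $($_.Exception.Message)" }
```

The first call mirrors the verbose log above, where the Set phase ends without an error even though the group's owner was never written; the second surfaces the unresolved identity as a terminating error.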