ADGroup: Cannot set Standalone/Group Managed Service Account Members #532

Closed
JohnCardenas opened this issue Dec 26, 2019 · 2 comments · Fixed by #578
Labels: enhancement (The issue is an enhancement request.)

Comments


JohnCardenas commented Dec 26, 2019

Details of the scenario you tried and the problem that is occurring

We're using cross-forest service accounts, and we want to represent the configuration in PowerShell DSC. However, it looks like msDS-GroupManagedServiceAccount and msDS-ManagedServiceAccount are not supported in the Add-ADCommonGroupMember function in the ActiveDirectoryDsc.Common module.

Verbose logs showing the problem

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SHASTALOCALDC with user sid S-1-5-21-3472425590-1118686215-1165301856-500.
VERBOSE: [SHASTALOCALDC]: LCM:  [ Start  Set      ]
VERBOSE: [SHASTALOCALDC]: LCM:  [ Start  Resource ]  [[ADGroup]dl1]
VERBOSE: [SHASTALOCALDC]: LCM:  [ Start  Test     ]  [[ADGroup]dl1]
VERBOSE: [SHASTALOCALDC]:                            [[ADGroup]dl1] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [SHASTALOCALDC]:                            [[ADGroup]dl1] Group membership is NOT in the desired state. (ADG0002)
VERBOSE: [SHASTALOCALDC]: LCM:  [ End    Test     ]  [[ADGroup]dl1]  in 0.1720 seconds.
VERBOSE: [SHASTALOCALDC]: LCM:  [ Start  Set      ]  [[ADGroup]dl1]
VERBOSE: [SHASTALOCALDC]:                            [[ADGroup]dl1] Group membership objects are in '1' different AD Domains. (ADG0013)
VERBOSE: [SHASTALOCALDC]:                            [[ADGroup]dl1] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [SHASTALOCALDC]:                            [[ADGroup]dl1] Updating AD Group 'MallardPermissions'. (ADG0006)
VERBOSE: [SHASTALOCALDC]:                            [[ADGroup]dl1] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [SHASTALOCALDC]:                            [[ADGroup]dl1] Adding '1' member(s) to AD group 'MallardPermissions'. (ADG0003)
Cannot validate argument on parameter 'Members'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
    + CategoryInfo          : InvalidData: (:) [], CimException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
    + PSComputerName        : localhost

VERBOSE: [SHASTALOCALDC]: LCM:  [ End    Set      ]  [[ADGroup]dl1]  in 1.1070 seconds.
The PowerShell DSC resource '[ADGroup]dl1' with SourceInfo 'C:\Users\Administrator\desktop\Test.ps1::31::9::ADGroup' threw one or more non-terminating errors while
running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [SHASTALOCALDC]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.984 seconds

Suggested solution to the issue

Add msDS-GroupManagedServiceAccount and msDS-ManagedServiceAccount object types to the Add-ADCommonGroupMember function in ActiveDirectoryDsc.Common:

...

if ($memberObjectClass -eq 'computer')
{
    $memberObject = Get-ADComputer @commonParameters
}
elseif ($memberObjectClass -eq 'group')
{
    $memberObject = Get-ADGroup @commonParameters
}
elseif ($memberObjectClass -eq 'user')
{
    $memberObject = Get-ADUser @commonParameters
}
elseif ($memberObjectClass -eq 'msDS-ManagedServiceAccount')
{
    $memberObject = Get-ADServiceAccount @commonParameters
}
elseif ($memberObjectClass -eq 'msDS-GroupManagedServiceAccount')
{
    $memberObject = Get-ADServiceAccount @commonParameters
}

...

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration ADGroup_NewGroupMultiDomainMembers_Config
{
    Import-DscResource -ModuleName ActiveDirectoryDsc

    node localhost
    {
        ADGroup 'dl1'
        {
            GroupName           = 'MallardPermissions'
            GroupScope          = 'DomainLocal'
            Path                = 'OU=Groups,OU=LocalDomain,DC=shasta,DC=local'
            MembershipAttribute = 'DistinguishedName'
            Members             = @(
                'CN=srv-mallard,CN=Managed Service Accounts,DC=shasta,DC=cloud'
            )
        }
    }
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.771
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.771
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

4.2.0.0
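The failure in the log above comes from the member lookup returning nothing for an object class the dispatcher does not know, so Add-ADGroupMember is then called with an empty Members argument. The following is an added example, not code from the issue or from ActiveDirectoryDsc: it resolves each member DN to its principal object by objectClass, sends the lookup to a DC of the member's own domain (the cross-forest case in the issue), treats both msDS-ManagedServiceAccount and msDS-GroupManagedServiceAccount via Get-ADServiceAccount, and fails loudly instead of returning $null. It assumes the RSAT ActiveDirectory module, a trust between the two forests that the lookup can traverse, and read access to the member's domain; the function names are hypothetical.

```powershell
# Added example (not ActiveDirectoryDsc code). Assumes the RSAT ActiveDirectory
# module and read access to every domain named in the member DNs.
Import-Module ActiveDirectory

function Get-DomainFromDistinguishedName
{
    # Build the DNS name of the owning domain from the DC= components of a DN so
    # the lookup can target a DC of the member's own domain (cross-forest case).
    # Naive comma split: DNs with escaped commas in RDN values are out of scope.
    param ([Parameter(Mandatory)] [string] $DistinguishedName)

    $dcParts = $DistinguishedName -split ',' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    return ($dcParts -join '.')
}

function Resolve-GroupMemberPrincipal
{
    # Hypothetical helper: returns the ADPrincipal object for a member DN,
    # dispatching on objectClass so MSAs and gMSAs are handled like users,
    # groups and computers.
    param ([Parameter(Mandatory)] [string] $DistinguishedName)

    $server   = Get-DomainFromDistinguishedName -DistinguishedName $DistinguishedName
    $adObject = Get-ADObject -Identity $DistinguishedName -Server $server
    $params   = @{ Identity = $DistinguishedName; Server = $server }

    switch ($adObject.objectClass)
    {
        'computer' { return Get-ADComputer @params }
        'group'    { return Get-ADGroup @params }
        'user'     { return Get-ADUser @params }
        # Standalone (msDS-ManagedServiceAccount) and group
        # (msDS-GroupManagedServiceAccount) managed service accounts are both
        # returned by Get-ADServiceAccount.
        { $_ -in 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount' }
        {
            return Get-ADServiceAccount @params
        }
        default
        {
            # Throw rather than return $null: a $null here is what produced the
            # "argument is null or empty" error on Add-ADGroupMember in the issue.
            throw "Unsupported objectClass '$($adObject.objectClass)' for member '$DistinguishedName'."
        }
    }
}

# Usage with the DNs from the issue's configuration: a gMSA in shasta.cloud
# added to a domain-local group in shasta.local. Domain-local scope is required
# for a member from another forest.
$member = Resolve-GroupMemberPrincipal -DistinguishedName 'CN=srv-mallard,CN=Managed Service Accounts,DC=shasta,DC=cloud'
Add-ADGroupMember -Identity 'CN=MallardPermissions,OU=Groups,OU=LocalDomain,DC=shasta,DC=local' -Server 'shasta.local' -Members $member

# Verification: a cross-forest member is stored in the group's member attribute as a
# foreign security principal (CN=<SID>,CN=ForeignSecurityPrincipals,...), not as the
# original DN, so compare by SID rather than by DistinguishedName when testing state.
(Get-ADGroup -Identity 'CN=MallardPermissions,OU=Groups,OU=LocalDomain,DC=shasta,DC=local' -Server 'shasta.local' -Properties member).member
```

Two points a practitioner should keep in mind when turning this into a DSC Test/Set pair: the group's member attribute will not contain the gMSA's own DN for a cross-forest member, so a Test that compares DistinguishedName strings will report drift forever unless it resolves foreign security principals to SIDs; and the account running the configuration needs read access in the member's domain for the Get-ADObject dispatch to work at all.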

@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels Dec 29, 2019

johlju commented Dec 29, 2019

Would be great to have this in. Would you be interested in sending in a PR?

JohnCardenas (Author) commented

Working on a PR now.

X-Guardian added the in progress label and removed the help wanted label on Jan 15, 2020.
johlju pushed a commit that referenced this issue Mar 11, 2020
- ADGroup
  - Added support for Managed Service Accounts (issue #532).
johlju removed the in progress label on Apr 9, 2020.