Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ActiveDirectoryDsc: ADGroup still fails with members with foreign security principals in v6.2.0-preview0001 #654

Open
dslcleve opened this issue May 14, 2021 · 8 comments
Open

ActiveDirectoryDsc: ADGroup still fails with members with foreign security principals in v6.2.0-preview0001 #654

dslcleve opened this issue May 14, 2021 · 8 comments
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.

Comments

@dslcleve
Copy link

dslcleve commented May 14, 2021
edited by X-Guardian
Loading

Details of the scenario you tried and the problem that is occurring

We have ADGroup DSC resources that create several groups in different OUs. After some of these groups are created by DSC, we manually add cross-domain members (foreign security principals). With ActiveDirectoryDsc version 6.0.1, we get errors as specified here: #619. We upgraded to ActiveDirectoryDsc version 6.2.0-preview0001. The number of these errors went from 20s to under 10.

The fix in 6.2.0 for this problem checks specifically for the following in Get-TargetResource in MSFT_ADGroup.psm1:
$oneWayTrustFullyQualifiedErrorId = 'ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'

But for some reason that I haven't determined, some of the groups return the following error instead (0 vs 8224):
ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Verbose logs showing the problem

Following is a snippet of the logs for one of the groups. I replaced the group name to XXXXX:

VERBOSE: Invoking AWS Systems Manager operation --output truncated--, CommandId:9d14e6b5-c93e-45ff-b27b-cbb2ae325979, DocumentVersion:$DEFAULT, ExecutionElapsedTime:PT30M2.993S, StandardErrorContent:PowerShell DSC resource MSFT_ADGroup  failed to execute Test-TargetResource 
functionality with error message: System.InvalidOperationException: Error 
retrieving membership for AD Group 'XXXXX'. (ADG0014) ---> 
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred 
---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.Active
Directory.CustomActions.GetADGroupMemberFault]: Active Directory returned an 
error processing the operation.
Server stack trace: 
   at 
System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime 
operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean 
oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan 
timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCal
lMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage 
reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& 
msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManag
ement.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetA
DGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErro
rCode(String message, String errorCode, String extendedErrorMessage, Exception 
innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(Custom
ActionFault caFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetA
DGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.Ac
tiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle 
handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(
String partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroup
MemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace --- 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

Suggested solution to the issue

I did the following in Get-TargetResource in MSFT_ADGroup.psm1 and it remedied my problem:

        # This FullyQualifiedErrorId is indicative of a failure to retrieve members with Get-ADGroupMember
        # for a one-way trust
        $oneWayTrustFullyQualifiedErrorId = `
            'ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'
        $oneWayTrustFullyQualifiedErrorId8224 = `
            'ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'

        if (($_.FullyQualifiedErrorId -eq $oneWayTrustFullyQualifiedErrorId) -or
            ($_.FullyQualifiedErrorId -eq $oneWayTrustFullyQualifiedErrorId8224))

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

OsName               : Microsoft Windows Server 2012 R2 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 9600.19994.amd64fre.winblue_ltsb_escrow.210331-1613
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value                                                                                                                                  
----                           -----                                                                                                                                  
PSVersion                      5.1.14409.1018
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1018
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

ActiveDirectoryDsc 6.2.0-preview0001
@johlju
Copy link
Member

johlju commented May 15, 2021

@X-Guardian do you have time to look at this issue, if this solves the pending PR (in draft) from you?

Labeling this as a bug and help wanted so someone in the community can work on this.

@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels May 15, 2021
@X-Guardian
Copy link
Contributor

No, this is not related to the pending ADGroup PR I have open. @dslcleve, can you post the output from Get-ADGroup -Properties * for a group that returns 8224 in the Get-ADGroupMember error, so that we can try and identity the difference in those groups.

@dslcleve
Copy link
Author

dslcleve commented May 16, 2021
edited by johlju
Loading

I ran Get-ADGroup and Get-ADGroupMember on the command line in a powershell window. Oddly the Get-ADGroupMember returns 0 instead of 8224. I added the log from the DSC and have some debug messages to confirm that it returns 8224 (See the DEBUG messages)

Get-ADGroup -Properties * -Identity Role_Admins
CanonicalName                   : ext.us.csod.corp/Servers/ulp/Role_Admins
CN                              : Role_Admins
Created                         : 3/30/2021 9:33:47 PM
createTimeStamp                 : 3/30/2021 9:33:47 PM
Deleted                         : 
Description                     : 
DisplayName                     : 
DistinguishedName               : CN=Role_Admins,OU=ulp,OU=Servers,DC=ext,DC=us,DC=csod,DC=corp
dSCorePropagationData           : {4/15/2021 4:54:09 AM, 4/15/2021 4:52:54 AM, 4/15/2021 4:50:51 AM, 3/30/2021 9:33:50 PM...}
GroupCategory                   : Security
GroupScope                      : DomainLocal
groupType                       : -2147483644
HomePage                        : 
instanceType                    : 4
isDeleted                       : 
LastKnownParent                 : 
ManagedBy                       : 
member                          : {CN=S-1-5-21-192396600-3081844788-152134828-1135,CN=ForeignSecurityPrincipals,DC=ext,DC=us,DC=csod,DC=corp}
MemberOf                        : {}
Members                         : {CN=S-1-5-21-192396600-3081844788-152134828-1135,CN=ForeignSecurityPrincipals,DC=ext,DC=us,DC=csod,DC=corp}
Modified                        : 5/6/2021 5:29:12 PM
modifyTimeStamp                 : 5/6/2021 5:29:12 PM
Name                            : Role_Admins
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : CN=Group,CN=Schema,CN=Configuration,DC=ext,DC=us,DC=csod,DC=corp
ObjectClass                     : group
ObjectGUID                      : 67cafe86-799c-452d-939b-ed46136cfb8d
objectSid                       : S-1-5-21-2438549848-2977374219-2524264263-1308
ProtectedFromAccidentalDeletion : False
SamAccountName                  : Role_Admins
sAMAccountType                  : 536870912
sDRightsEffective               : 15
SID                             : S-1-5-21-2438549848-2977374219-2524264263-1308
SIDHistory                      : {}
uSNChanged                      : 1902372
uSNCreated                      : 15908
whenChanged                     : 5/6/2021 5:29:12 PM
whenCreated                     : 3/30/2021 9:33:47 PM

get-adgroupmember -Identity Role_Admins
get-adgroupmember : The server was unable to process the request due to an internal error.  For more information about the error, either turn on 
IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to 
send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server 
trace logs.
At line:1 char:1
+ get-adgroupmember -Identity Role_Admins
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Role_Admins:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

VERBOSE: [UEMMGTADML-OIFW]: LCM:  [ Start  Resource ]  [[ADGroup]Role_Admins]
VERBOSE: [UEMMGTADML-OIFW]: LCM:  [ Start  Test     ]  [[ADGroup]Role_Admins]
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] Retrieving AD Group 'Role_Admins'. (ADG0021)
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] The AD Group 'Role_Admins' is present. (ADG0023)
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] Retrieving group membership based on 'SamAccountName' property. (ADG0001)
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] DEBUG1: ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] DEBUG2: ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [UEMMGTADML-OIFW]: LCM:  [ End    Test     ]  [[ADGroup]Role_Admins]  in 0.7710 seconds.
PowerShell DSC resource MSFT_ADGroup  failed to execute Test-TargetResource functionality with error message: 
System.InvalidOperationException: Error retrieving membership for AD Group 'Role_Admins'. (ADG0014) ---> 
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException`1
[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Active Directory returned an 
error processing the operation.

Server stack trace: 
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, 
Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, 
ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at 
schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest 
request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, 
String extendedErrorMessage, Exception innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException 
faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManage
ment.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, 
Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace --- 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
PowerShell DSC resource MSFT_ADGroup  failed to execute Test-TargetResource
functionality with error message: System.InvalidOperationException: Error
retrieving membership for AD Group 'Role_Admins'. (ADG0014) --->
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred
---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.Active
Directory.CustomActions.GetADGroupMemberFault]: Active Directory returned an
error processing the operation.

Server stack trace:
   at
System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime
operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean
oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan
timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCal
lMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManag
ement.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetA
DGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErro
rCode(String message, String errorCode, String extendedErrorMessage, Exception
innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(Custom
ActionFault caFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetA
DGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.Ac
tiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle
handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(
String partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroup
MemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace ---
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

@X-Guardian
Copy link
Contributor

Thanks @dslcleve. Can you output the full error object you are receiving in the DscResource? You can do this by adding Write-Debug ($_ | ConvertTo-Json) to the resource. I'm hoping we can find a better property to check for somewhere in the error object. Exception.ServerErrorMessage looks interesting.

@dslcleve
Copy link
Author

Here you go, thanks.

VERBOSE: [TESTADML]: LCM: [ Start Resource ] [[ADGroup]Role_Admins]
VERBOSE: [TESTADML]: LCM: [ Start Test ] [[ADGroup]Role_Admins]
VERBOSE: [TESTADML]: [[ADGroup]Role_Admins] Retrieving AD Group 'Role_Admins'. (ADG0021)
VERBOSE: [TESTADML]: [[ADGroup]Role_Admins] The AD Group 'Role_Admins' is present. (ADG0023)
VERBOSE: [TESTADML]: [[ADGroup]Role_Admins] Retrieving group membership based on 'SamAccountName' property. (ADG0001)
VERBOSE: [TESTADML]: [[ADGroup]Role_Admins] DEBUG1: ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [TESTADML]: LCM: [ End Test ] [[ADGroup]Role_Admins] in 0.6940 seconds.
PowerShell DSC resource MSFT_ADGroup failed to execute Test-TargetResource functionality with error message:
System.InvalidOperationException: Error retrieving membership for AD Group 'Role_Admins'. (ADG0014) --->
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException`1
[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Active Directory returned an
error processing the operation.

Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation,
Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall,
ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at
schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest
request)
at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
--- End of inner exception stack trace ---
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode,
String extendedErrorMessage, Exception innerException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException
faultException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManage
ment.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN,
Boolean recursive)
at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase1.ProcessRecord() --- End of inner exception stack trace --- + CategoryInfo : InvalidOperation: (:) [], CimException + FullyQualifiedErrorId : ProviderOperationExecutionFailure + PSComputerName : localhost PowerShell DSC resource MSFT_ADGroup failed to execute Test-TargetResource functionality with error message: System.InvalidOperationException: Error retrieving membership for AD Group 'Role_Admins'. (ADG0014) ---> Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException1[schemas.microsoft.com._2008._1.Active
Directory.CustomActions.GetADGroupMemberFault]: Active Directory returned an
error processing the operation.

Server stack trace:
at
System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime
operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean
oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan
timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCal
lMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
msgData, Int32 type)
at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManag
ement.GetADGroupMember(GetADGroupMemberRequest request)
at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetA
DGroupMemberRequest request)
--- End of inner exception stack trace ---
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErro
rCode(String message, String errorCode, String extendedErrorMessage, Exception
innerException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(Custom
ActionFault caFault, FaultException faultException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetA
DGroupMemberRequest request)
at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.Ac
tiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle
handle, GetADGroupMemberRequest request)
at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(
String partitionDN, String groupDN, Boolean recursive)
at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroup
MemberProcessCSRoutine()
at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
at
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
--- End of inner exception stack trace ---
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost

@X-Guardian
Copy link
Contributor

This hasn't got the JSON output of the error object in it. You need to run Start-DscConfiguration with -Debug

@dslcleve
Copy link
Author

dslcleve commented May 18, 2021
edited by X-Guardian
Loading

Sorry, here it is:

VERBOSE: [TESTADML]: [[ADGroup]Role_Admins] DEBUG1 FullyQualifiedErrorId: ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [TESTADML]: [[ADGroup]Role_Admins] {

                      "ErrorCode":  8224,
                      "ServerErrorMessage":  "An operations error occurred.\r\n",
                      "Message":  "An operations error occurred",
                      "Data":  {

                               },
                      "InnerException":  {
                                             "Detail":  "schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault",
                                             "Action":  "http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault",
                                             "Code":  "System.ServiceModel.FaultCode",
                                             "Message":  "Active Directory returned an error processing the operation.",
                                             "Reason":  "Active Directory returned an error processing the operation.",
                                             "Data":  "System.Collections.ListDictionaryInternal",
                                             "InnerException":  null,
                                             "TargetSite":  "Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Messaging.IMessage)",
                                             "StackTrace":  "\r\nServer stack trace: \r\n   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc\u0026 rpc)\r\n   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)\r\n   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)\r\n   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)\r\n\r\nException rethrown at [0]: \r\n   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)\r\n   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData\u0026 msgData, Int32 type)\r\n   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)",
                                             "HelpLink":  null,
                                             "Source":  "mscorlib",
                                             "HResult":  -2146233087
                                         },
                      "TargetSite":  {
                                         "Name":  "ThrowExceptionForErrorCode",
                                         "DeclaringType":  "Microsoft.ActiveDirectory.Management.AdwsConnection, Microsoft.ActiveDirectory.Management, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
                                         "ReflectedType":  "Microsoft.ActiveDirectory.Management.AdwsConnection, Microsoft.ActiveDirectory.Management, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
                                         "MemberType":  8,
                                         "MetadataToken":  100664494,
                                         "Module":  "Microsoft.ActiveDirectory.Management.dll",
                                         "IsSecurityCritical":  true,
                                         "IsSecuritySafeCritical":  false,
                                         "IsSecurityTransparent":  false,
                                         "MethodHandle":  "System.RuntimeMethodHandle",
                                         "Attributes":  145,
                                         "CallingConvention":  1,
                                         "ReturnType":  "void",
                                         "ReturnTypeCustomAttributes":  "Void ",
                                         "ReturnParameter":  "Void ",
                                         "IsGenericMethod":  false,
                                         "IsGenericMethodDefinition":  false,
                                         "ContainsGenericParameters":  false,
                                         "MethodImplementationFlags":  0,
                                         "IsPublic":  false,
                                         "IsPrivate":  true,
                                         "IsFamily":  false,
                                         "IsAssembly":  false,
                                         "IsFamilyAndAssembly":  false,
                                         "IsFamilyOrAssembly":  false,
                                         "IsStatic":  true,
                                         "IsFinal":  false,
                                         "IsVirtual":  false,
                                         "IsHideBySig":  true,
                                         "IsAbstract":  false,
                                         "IsSpecialName":  false,
                                         "IsConstructor":  false,
                                         "CustomAttributes":  ""
                                     },
                      "StackTrace":  "   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)\r\n   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()",
                      "HelpLink":  null,
                      "Source":  "Microsoft.ActiveDirectory.Management",
                      "HResult":  -2146233088
                  },
    "TargetObject":  {
                         "GroupScope":  null,
                         "GroupCategory":  null,
                         "SamAccountName":  null,
                         "SID":  null,
                         "DistinguishedName":  null,
                         "Name":  null,
                         "ObjectClass":  null,
                         "ObjectGuid":  null,
                         "PropertyNames":  [

                                           ],
                         "AddedProperties":  [

                                             ],
                         "RemovedProperties":  [

                                               ],
                         "ModifiedProperties":  [

                                                ],
                         "PropertyCount":  0
                     },
    "CategoryInfo":  {
                         "Category":  0,
                         "Activity":  "Get-ADGroupMember",
                         "Reason":  "ADException",
                         "TargetName":  "Role_Admins",
                         "TargetType":  "ADGroup"
                     },
    "FullyQualifiedErrorId":  "ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember",
    "ErrorDetails":  null,
    "InvocationInfo":  {
                           "MyCommand":  {
                                             "Verb":  "Get",
                                             "Noun":  "ADGroupMember",
                                             "HelpFile":  "Microsoft.ActiveDirectory.Management.dll-Help.xml",
                                             "PSSnapIn":  null,
                                             "Version":  "1.0.0.0",
                                             "ImplementingType":  "Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember",
                                             "Definition":  "\r\nGet-ADGroupMember [\u003cCommonParameters\u003e]\r\n",
                                             "DefaultParameterSet":  null,
                                             "OutputType":  "",
                                             "Options":  1,
                                             "Name":  "Get-ADGroupMember",
                                             "CommandType":  8,
                                             "Source":  "ActiveDirectory",
                                             "Visibility":  0,
                                             "ModuleName":  "ActiveDirectory",
                                             "Module":  "ActiveDirectory",
                                             "RemotingCapability":  1,
                                             "Parameters":  "System.Collections.Generic.Dictionary`2[System.String,System.Management.Automation.ParameterMetadata]",
                                             "ParameterSets":  "[\u003cCommonParameters\u003e]"
                                         },
                           "BoundParameters":  {

                                               },
                           "UnboundArguments":  [

                                                ],
                           "ScriptLineNumber":  98,
                           "OffsetInLine":  47,
                           "HistoryId":  1,
                           "ScriptName":  "C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1",
                           "Line":  "            [System.Array] $adGroupMembers = (Get-ADGroupMember @commonParameters).$MembershipAttribute\r\n",
                           "PositionMessage":  "At C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1:98 char:47\r\n+ ... Array] $adGroupMembers = (Get-ADGroupMember @commonParameters).$Membe ...\r\n+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
                           "PSScriptRoot":  "C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup",
                           "PSCommandPath":  "C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1",
                           "InvocationName":  "Get-ADGroupMember",
                           "PipelineLength":  0,
                           "PipelinePosition":  0,
                           "ExpectingInput":  false,
                           "CommandOrigin":  1,
                           "DisplayScriptPosition":  null
                       },
    "ScriptStackTrace":  "at Get-TargetResource, C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1: line 98\r\nat Test-TargetResource, C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1: line 388",
    "PipelineIterationInfo":  [

                              ],
    "PSMessageDetails":  null
}

@dslcleve
Copy link
Author

Hi @X-Guardian, have the outputs helped?

I found this: https://stackoverflow.com/questions/29808611/get-adgroupmember-stopped-working-for-some-users and it seems like 8224 is an error for the same problem, i.e. foreign security principals as members of the group. I have multiple groups and some succeed because it returns with 0 instead of 8224. The groups are all created via DSC in one automation run and some even in the same loop, therefore same code and same user. The foreign security principals are manually added after creation to the groups. They can be different users, but they are all from the same domain.

Can 6.2.0 be updated to also check for 8224?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@johlju @dslcleve @X-Guardian