Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ADObjectPermissionEntry: The object name has bad syntax when configuring OU which requires escaped character #675

Closed
Borgquite opened this issue Mar 17, 2022 · 1 comment · Fixed by #716
Labels
bug The issue is a bug.

Comments

@Borgquite
Copy link
Contributor

Borgquite commented Mar 17, 2022

Details of the scenario you tried and the problem that is occurring

When using ADObjectPermissionEntry to configure an ACL on a Path that requires escaping (comma, backslash, hash, plus etc), the command fails with 'The object name has bad syntax'

Verbose logs showing the problem

PowerShell DSC resource MSFT_ADObjectPermissionEntry failed to execute Test-TargetResource functionality with error message: The object name has bad syntax

Suggested solution to the issue

Appears to be a known error in Get-ACL when using the AD PSDrive provider since 1809: https://www.reddit.com/r/PowerShell/comments/ce4f2x/getacl_on_ad_object_bug_in_1809/eu08hae/

Under ActiveDirectoryDsc/source/DSCResources/MSFT_ADObjectPermissionEntry/MSFT_ADObjectPermissionEntry.psm1, the two Get-ACL commands (line 87, 213) and the Set-ACL command later on should have:
Get-Acl -Path "AD:$Path"
replaced with:
'Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$Path"`

It looks like whoever wrote it originally may have known this - it appears to have reverted in 2.25.0.0 (https://github.com/dsccommunity/ActiveDirectoryDsc/blob/main/HISTORIC_CHANGELOG.md#22500)

This will need to stay like this until Microsoft fix the AD PSDrive bug.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

              ADOrganizationalUnit "TestOU"
              {
                  Name = "Test+OU"
                  Path = "DC=domain,DC=name,DC=here"
                  Ensure = "Present"
              }
              ADObjectPermissionEntry $("Test2")
              {
                  Path = "OU=Test\+OU,DC=domain,DC=name,DC=here"
                  IdentityReference = "DomainName\Administrators"
                  AccessControlType = "Allow"
                  ObjectType = "00000000-0000-0000-0000-000000000000"
                  ActiveDirectorySecurityInheritance = "All"
                  InheritedObjectType = "00000000-0000-0000-0000-000000000000"
                  Ensure = "Present"
              }

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

PSVersion 5.1.17763.2268
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.2268
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used

6.0.1

@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Mar 18, 2022
@Borgquite
Copy link
Contributor Author

Borgquite commented Aug 19, 2024

Looks like the switch was from Microsoft.ActiveDirectory.Management\ActiveDirectory to AD:$Path as part of #243 to fix #236.

Can fix by using Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$Path to fix this problem without re-breaking #236

@johlju johlju removed the help wanted The issue is up for grabs for anyone in the community. label Aug 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug The issue is a bug.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants