Issue with xADGroup when using MembersToInclude

[gmatusko]

We've been using the xADGroup resource for some time without an issue. I saw with the latest version 2.10 that we could use the resource to add/remove members to the group as well. The issue is when we try to add members to the group we get an error saying the group already exists. Looking into the logs, the test resource successfully shows there are missing members in the group which then moves to the set resource. The set resource sees there are missing members, adds the missing members but kicks back a warning saying the group was not found, tries to great the group and errors out saying the specified group already exists. Here is the snippet of the log so you can see what is happening:

VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: LCM: [ Start Resource ] [[xADGroup]SessionHosts]
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: LCM: [ Start Test ] [[xADGroup]SessionHosts]
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Retrieving group
membership based on 'SamAccountName' property.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Checking for
'Included' members.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Member 'rd-stan-01'
is not in the desired state.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Group membership is
NOT in the desired state.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: LCM: [ End Test ] [[xADGroup]SessionHosts] in 0.3430 seconds.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: LCM: [ Start Set ] [[xADGroup]SessionHosts]
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Updating AD Group
'SessionHosts'
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Retrieving group
membership based on 'SamAccountName' property.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Checking for
'Included' members.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Member 'rd-stan-01'
is not in the desired state.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Adding '2' member(s)
to AD group 'SessionHosts'.
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] AD Group
'SessionHosts' was not found
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: [[xADGroup]SessionHosts] Adding AD Group
'SessionHosts'
VERBOSE: [2016-04-24T15:40:40] [ERROR] The specified group already exists
VERBOSE: [2016-04-24T15:40:40] [VERBOSE] [DC-STAN-01]: LCM: [ End Set ] [[xADGroup]SessionHosts] in 1.0940 seconds.
VERBOSE: [2016-04-24T15:40:40] [ERROR] The PowerShell DSC resource '[xADGroup]SessionHosts' with SourceInfo
'C:\Packages\Plugins\Microsoft.Powershell.DSC\2.16.0.0\DSCWork\ConfigDcServer.0\ConfigDC.ps1::362::13::xADGroup' threw one or
more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel
called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.

We're passing the resource a variable which is an array of users to add to the group. The MOF file seems to correctly handle the array so I guess the real question is what is the format for adding/removing multiple users when using the Members/MembersToInclude/MembersToRemove? Here is what my MOF file is showing for the resource:

instance of MSFT_xADGroup as $MSFT_xADGroup3ref
{
ResourceID = "[xADGroup]SessionHosts";
Path = "OU=SessionHosts,OU=xServers,DC=some,DC=domain,DC=com";
Credential = $MSFT_Credential15ref;
Ensure = "Present";
Category = "Security";
MembersToInclude = {
"rd-stan-01",
"rd-stan-02"
};
SourceInfo = "C:\Packages\Plugins\Microsoft.Powershell.DSC\2.16.0.0\DSCWork\ConfigDcServer.0\ConfigDC.ps1::362::13::xADGroup";
GroupScope = "Global";
GroupName = "SessionHosts";
ModuleName = "xActiveDirectory";
ModuleVersion = "2.10.0.0";

DependsOn = {

"[xADOrganizationalUnit]SessionHosts",

 "[Script]AddSessionHostComputerObjects"};

ConfigurationName = "ConfigDC";

};

Let me know if the format of the MembersToInclude is correct or if we need to pass this in a different way. Thanks!

[iainbrighton]

@gmatusko It looks like the Test method finds the group and determines that the membership is incorrect. Looking at the verbose output, it looks like the Set method doesn't find the group and tries to recreate it.

However, I don't think this is the issue. I'm guessing rd-stan-01 is a computer account? If this is the case you need to specify rd-stan-01$. Can you confirm this works?

[gmatusko]

@iainbrighton you are correct. I'm trying to add computer objects to a group and forgot the samAccountName includes the $. I've modified my array to include the computer name with a $ and all seems to be working as it should. Thanks for helping me out on this one.

[iainbrighton]

No problem! It is reporting the wrong error though as it says the group doesn't exist, not the AD member doesn't exist. I'll fix this to make it clearer in future :)