dsccommunity/ActiveDirectoryDsc

ADGroup: Cannot Manage Child Domain User Membership Using DistinguishedName in v6.1.0-preview0006

X-Guardian opened this issue · 2 comments

Details of the scenario you tried and the problem that is occurring

With the preview module v6.1.0-preview0006, containing the modified ADGroup resource code from PR #620, managing child domain user membership of an AD Group using the DistinguishedName MembershipAttribute now fails.

This is a blocker for the release of v6.1.0 of the module.

Verbose logs showing the problem

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DSC01 with user sid S-1-5-21-3553084080-2500667019-4197401787-500.
VERBOSE: [DSC01]: LCM:  [ Start  Set      ]
DEBUG: [DSC01]:                            [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.psd1 not found
DEBUG: [DSC01]:                            [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.strings.psd1
DEBUG: [DSC01]:                            [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.psd1 not found
DEBUG: [DSC01]:                            [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.strings.psd1
DEBUG: [DSC01]:                            [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.psd1 not found
DEBUG: [DSC01]:                            [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.strings.psd1
VERBOSE: [DSC01]: LCM:  [ Start  Resource ]  [[ADGroup]Group]
VERBOSE: [DSC01]: LCM:  [ Start  Test     ]  [[ADGroup]Group]
DEBUG: [DSC01]:                            [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.psd1 not found
DEBUG: [DSC01]:                            [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.strings.psd1
DEBUG: [DSC01]:                            [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.psd1 not found
DEBUG: [DSC01]:                            [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.strings.psd1
DEBUG: [DSC01]:                            [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.psd1 not found
DEBUG: [DSC01]:                            [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.strings.psd1
VERBOSE: [DSC01]:                            [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [DSC01]:                            [[ADGroup]Group] Group membership is NOT in the desired state. (ADG0002)
VERBOSE: [DSC01]: LCM:  [ End    Test     ]  [[ADGroup]Group]  in 3.1880 seconds.
VERBOSE: [DSC01]: LCM:  [ Start  Set      ]  [[ADGroup]Group]
VERBOSE: [DSC01]:                            [[ADGroup]Group] Group membership objects are in '1' different AD Domains. (ADG0013)
VERBOSE: [DSC01]:                            [[ADGroup]Group] Updating AD Group 'Dsc-Test-Group-1'. (ADG0006)
VERBOSE: [DSC01]:                            [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [DSC01]:                            [[ADGroup]Group] Adding '1' member(s) to AD group 'Dsc-Test-Group-1'. (ADG0003)
DEBUG: [DSC01]:                            [[ADGroup]Group] Resolving ObjectSID values based on supplied DistinguishedName values. (ADCOMMON0063)
DEBUG: [DSC01]:                            [[ADGroup]Group] Looking up AD Object based on ObjectSID 'DistinguishedName' to retrieve CN=childuser,CN=Users,DC=child1,DC=gteck,DC=com value. (ADCOMMON0066)
VERBOSE: [DSC01]: LCM:  [ End    Set      ]  [[ADGroup]Group]  in 1.5440 seconds.
PowerShell DSC resource MSFT_ADGroup  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Unable to resolve ObjectSID value 
from DistinguishedName 'CN=childuser,CN=Users,DC=child1,DC=gteck,DC=com'. (ADCOMMON0062) 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
 
VERBOSE: [DSC01]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 9.583 seconds

Suggested solution to the issue

The Get-ADObject call in the Resolve-MembersSecurityIdentifier common function is failing to get details of the user from the child domain. This can be resolved by targeting a global catalog server on this call (-Server :3268), which then allows child domain users specified as Distinguished Names to be successfully added to groups. This does not allow the removal of child domain users, however, which fails with the following error:

PowerShell DSC resource MSFT_ADGroup  failed to execute Set-TargetResource functionality with error message: 
System.InvalidOperationException: Unable to set the group membership for AD Group 'Dsc-Test-Group-1'. (ADCOMMON0030)
---> Microsoft.ActiveDirectory.Management.ADException: The specified account name is not a member of the group
---> System.ServiceModel.FaultException: Active Directory returned an error processing the operation.

Investigating this, it looks as if removing child domain members of a group by specifying the user SID in the Remove parameter of Set-ADGroup does not work, i.e.:

Set-ADGroup -Identity 'CN=Dsc-Test-Group-1,OU=Groups,DC=gteck,DC=com' -Remove @{member='<SID=S-1-5-21-2513631178-1071234245-3612136875-1104>'}

Unfortunately, the group membership processing change that was introduced in PR #620 to resolve managing user membership across one way forest trusts currently relies on this functionality.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration ADGroup
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $adminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName ActiveDirectoryDsc -ModuleVersion 6.1.0

    $domainName = 'gteck.com'
    $childDomainName = "child1.$domainName"

    $domainFQDN = 'DC=' + $domainName.replace('.', ',DC=')
    $childDomainFQDN = 'DC=' + $childDomainName.replace('.', ',DC=')

    Node localhost
    {

        ADGroup Group {
            GroupName            = "Dsc-Test-Group-1"
            GroupScope           = "DomainLocal"
            Path                 = "OU=Groups,$domainFQDN"
            MembershipAttribute  = 'DistinguishedName'
            Members              = @(
                "CN=childuser,CN=Users,$childDomainFQDN"
            )
            PsDscRunAsCredential = $adminCredential
        }
    }
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

PSVersion                      5.1.17763.1490
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.1490
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

v6.1.0-preview0006
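To illustrate the diagnosis above, here is an added PowerShell example that is not part of the ActiveDirectoryDsc module or of this issue's code. It shows a child-domain DN failing to resolve against the local DC but resolving via a global catalog on port 3268, and removes such a member by its DN instead of the '<SID=...>' form reported to fail; the function names are hypothetical, the DNs are the sample values from the issue, and removal by DN for same-forest members is an assumption of this example, not something the issue confirms.

```powershell
# Added diagnostic example (not ActiveDirectoryDsc code). Requires the RSAT ActiveDirectory
# module and a forest with a child domain; function names are hypothetical.
Import-Module ActiveDirectory

function Resolve-MemberObjectSid {
    param (
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    # The local DC only holds its own domain partition, so a DN from another domain in the
    # forest is not found here (the failure behind ADCOMMON0062 in the issue).
    $filter = "distinguishedName -eq '$DistinguishedName'"
    $local = Get-ADObject -Filter $filter -Properties objectSid
    if ($local) {
        return [PSCustomObject]@{ Source = 'LocalDC'; ObjectSid = $local.objectSid.Value }
    }
    # A global catalog holds a partial replica of every domain in the forest and objectSid is
    # in the partial attribute set, so the same lookup succeeds on port 3268.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $fromGc = Get-ADObject -Filter $filter -Properties objectSid -Server "${gc}:3268"
    if (-not $fromGc) {
        throw "Unable to resolve '$DistinguishedName' via the local DC or global catalog '$gc'."
    }
    return [PSCustomObject]@{ Source = "GC:$gc"; ObjectSid = $fromGc.objectSid.Value }
}

function Remove-ForestMemberByDn {
    param (
        [Parameter(Mandatory)] [string] $GroupDn,
        [Parameter(Mandatory)] [string] $MemberDn
    )
    # Assumption: for members inside the same forest the group's 'member' attribute stores
    # the member's own DN, so that DN (not a '<SID=...>' string) is the value to remove.
    $group = Get-ADGroup -Identity $GroupDn -Properties member
    if ($group.member -notcontains $MemberDn) {
        Write-Verbose "'$MemberDn' is not a member of '$GroupDn'; nothing to remove."
        return $false
    }
    Set-ADGroup -Identity $GroupDn -Remove @{ member = $MemberDn }
    return $true
}

# Sample input: the DNs used in the issue's repro configuration.
$childUserDn = 'CN=childuser,CN=Users,DC=child1,DC=gteck,DC=com'
$groupDn     = 'CN=Dsc-Test-Group-1,OU=Groups,DC=gteck,DC=com'
Resolve-MemberObjectSid -DistinguishedName $childUserDn
Remove-ForestMemberByDn -GroupDn $groupDn -MemberDn $childUserDn -Verbose
```

Run it on the parent-domain DC with an account that can read the child domain and modify the group; the Source field shows which directory answered the lookup.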

Great that you found this, and awesome diagnosis of the problem! Should we revert the change that was introduced in PR #620, or do you see a way forward?

We can support all scenarios (same domain member, child domain member and one-way forest trust member) but it will need a rethink and refactor of the member addition/deletion code.

I've raised PR #631 to refactor the ADGroup resource, but this doesn't include any fix for this issue. I intend to finish that PR first, get it reviewed and merged, then work on another PR to fix the child domain member support.