ADGroup: Cannot Manage Child Domain User Membership Using DistinguishedName in v6.1.0-preview0006
X-Guardian opened this issue · 2 comments
Details of the scenario you tried and the problem that is occurring
With the preview module v6.1.0-preview0006, containing the modified ADGroup resource code from PR #620, managing child domain user membership of an AD Group using the DistinguishedName MembershipAttribute now fails.
This is a blocker for the release of v6.1.0 of the module.
Verbose logs showing the problem
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DSC01 with user sid S-1-5-21-3553084080-2500667019-4197401787-500.
VERBOSE: [DSC01]: LCM: [ Start Set ]
DEBUG: [DSC01]: [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.psd1 not found
DEBUG: [DSC01]: [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.strings.psd1
DEBUG: [DSC01]: [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.psd1 not found
DEBUG: [DSC01]: [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.strings.psd1
DEBUG: [DSC01]: [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.psd1 not found
DEBUG: [DSC01]: [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.strings.psd1
VERBOSE: [DSC01]: LCM: [ Start Resource ] [[ADGroup]Group]
VERBOSE: [DSC01]: LCM: [ Start Test ] [[ADGroup]Group]
DEBUG: [DSC01]: [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.psd1 not found
DEBUG: [DSC01]: [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.strings.psd1
DEBUG: [DSC01]: [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.psd1 not found
DEBUG: [DSC01]: [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.strings.psd1
DEBUG: [DSC01]: [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.psd1 not found
DEBUG: [DSC01]: [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.strings.psd1
VERBOSE: [DSC01]: [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [DSC01]: [[ADGroup]Group] Group membership is NOT in the desired state. (ADG0002)
VERBOSE: [DSC01]: LCM: [ End Test ] [[ADGroup]Group] in 3.1880 seconds.
VERBOSE: [DSC01]: LCM: [ Start Set ] [[ADGroup]Group]
VERBOSE: [DSC01]: [[ADGroup]Group] Group membership objects are in '1' different AD Domains. (ADG0013)
VERBOSE: [DSC01]: [[ADGroup]Group] Updating AD Group 'Dsc-Test-Group-1'. (ADG0006)
VERBOSE: [DSC01]: [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [DSC01]: [[ADGroup]Group] Adding '1' member(s) to AD group 'Dsc-Test-Group-1'. (ADG0003)
DEBUG: [DSC01]: [[ADGroup]Group] Resolving ObjectSID values based on supplied DistinguishedName values. (ADCOMMON0063)
DEBUG: [DSC01]: [[ADGroup]Group] Looking up AD Object based on ObjectSID 'DistinguishedName' to retrieve CN=childuser,CN=Users,DC=child1,DC=gteck,DC=com value. (ADCOMMON0066)
VERBOSE: [DSC01]: LCM: [ End Set ] [[ADGroup]Group] in 1.5440 seconds.
PowerShell DSC resource MSFT_ADGroup failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Unable to resolve ObjectSID value from DistinguishedName 'CN=childuser,CN=Users,DC=child1,DC=gteck,DC=com'. (ADCOMMON0062)
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
VERBOSE: [DSC01]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 9.583 seconds
Suggested solution to the issue
The Get-ADObject call in the Resolve-MembersSecurityIdentifier common function is failing to get details of the user from the child domain. This can be resolved by targeting a global catalog server on this call (-Server :3268), which then allows child domain users specified as Distinguished Names to be successfully added to groups. This does not allow the removal of child domain users, however, which fails with the following error:
PowerShell DSC resource MSFT_ADGroup failed to execute Set-TargetResource functionality with error message:
System.InvalidOperationException: Unable to set the group membership for AD Group 'Dsc-Test-Group-1'. (ADCOMMON0030)
---> Microsoft.ActiveDirectory.Management.ADException: The specified account name is not a member of the group
---> System.ServiceModel.FaultException: Active Directory returned an error processing the operation.
Investigating this, it looks as if removing child domain members of a group by specifying the user SID in the Remove parameter of Set-ADGroup does not work, i.e.
Set-ADGroup -Identity 'CN=Dsc-Test-Group-1,OU=Groups,DC=gteck,DC=com' -Remove @{member='<SID=S-1-5-21-2513631178-1071234245-3612136875-1104>'}
Unfortunately, the group membership processing change that was introduced in PR #620 to resolve managing user membership across one-way forest trusts currently relies on this functionality.
The DSC configuration that is used to reproduce the issue (as detailed as possible)
Configuration ADGroup
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $adminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName ActiveDirectoryDsc -ModuleVersion 6.1.0

    $domainName = 'gteck.com'
    $childDomainName = "child1.$domainName"
    $domainFQDN = 'DC=' + $domainName.replace('.', ',DC=')
    $childDomainFQDN = 'DC=' + $childDomainName.replace('.', ',DC=')

    Node localhost
    {
        ADGroup Group {
            GroupName = "Dsc-Test-Group-1"
            GroupScope = "DomainLocal"
            Path = "OU=Groups,$domainFQDN"
            MembershipAttribute = 'DistinguishedName'
            Members = @(
                "CN=childuser,CN=Users,$childDomainFQDN"
            )
            PsDscRunAsCredential = $adminCredential
        }
    }
}
The operating system the target node is running
OsName : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}
Version and build of PowerShell the target node is running
PSVersion 5.1.17763.1490
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1490
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Version of the DSC module that was used
v6.1.0-preview0006
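An added diagnostic for the failure described above, written for this page and not part of the issue or the ActiveDirectoryDsc module: it runs the DN-to-ObjectSID lookup three ways (default DC, global catalog on port 3268 as the suggested solution proposes, and the child domain's own DC) so a practitioner can confirm from the DSC node which lookups resolve. It assumes the ActiveDirectory module, connectivity to the forest, and reuses the issue's constructed DN; the function and variable names are my own.

```powershell
# Resolve a DistinguishedName to its ObjectSID against a chosen server.
# Returns $null when the lookup fails (typically ADIdentityNotFoundException
# when the queried DC does not host the DN's naming context).
function Resolve-DnToObjectSid {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Server   # omit to use the default (local domain) DC
    )
    $params = @{
        Identity    = $DistinguishedName
        Properties  = 'objectSid'
        ErrorAction = 'Stop'
    }
    if ($Server) { $params['Server'] = $Server }
    try {
        return (Get-ADObject @params).objectSid.Value
    }
    catch {
        Write-Verbose "Lookup via '$Server' failed: $($_.Exception.Message)"
        return $null
    }
}

# Constructed values from the issue's reproduction configuration.
$childUserDn = 'CN=childuser,CN=Users,DC=child1,DC=gteck,DC=com'
$forestRoot  = (Get-ADForest).RootDomain

# 1. Default lookup: a root-domain DC does not hold the child domain's objects,
#    so this is the path that fails inside Resolve-MembersSecurityIdentifier.
$sidDefault = Resolve-DnToObjectSid -DistinguishedName $childUserDn

# 2. Global catalog lookup (port 3268): the GC holds a partial replica of every
#    domain in the forest, including objectSid, so the child-domain DN resolves.
$sidGc = Resolve-DnToObjectSid -DistinguishedName $childUserDn -Server "${forestRoot}:3268"

# 3. Alternative: derive the owning domain from the DC= components and query it
#    directly (assumes no escaped commas in the DN, which holds for DC= parts).
$ownerDomain = (($childUserDn -split ',') |
    Where-Object { $_ -like 'DC=*' } |
    ForEach-Object { $_ -replace '^DC=' }) -join '.'
$sidDirect = Resolve-DnToObjectSid -DistinguishedName $childUserDn -Server $ownerDomain

[pscustomobject]@{
    DefaultDC     = $sidDefault
    GlobalCatalog = $sidGc
    OwningDomain  = $sidDirect
}
```

Run it with -Verbose on the node (or in a session using the PsDscRunAsCredential account) to see which lookup paths fail; the GC and owning-domain rows should both return the user's SID while the default-DC row stays empty.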
Great that you found this, and awesome diagnosis of the problem! Should we revert the change that was introduced in PR #620, or do you see a way forward?
We can support all scenarios (same domain member, child domain member and one-way forest trust member) but it will need a rethink and refactor of the member addition/deletion code.
I've raised PR #631 to refactor the ADGroup resource, but this doesn't include any fix for this issue. I intend to finish that PR first, get it reviewed and merged, then work on another PR to fix the child domain member support.