ADObjectPermissionEntry: Ensure=Absent not removing entry
TorstenSchnitter opened this issue · 1 comments
TorstenSchnitter commented
Details of the scenario you tried and the problem that is occurring
Added an ACL entry with:
$Path = [System.String]::Format('cn=computers,{0}', $DomainDN)
ADObjectPermissionEntry ([System.String]::Format('[{0}]:{1}\ad_de_mandant_ComputerAccountOperators_U[c|d]', $Path, $DomainNetBIOSName)) {
    Path                               = $Path
    Ensure                             = 'Present'
    IdentityReference                  = 'ad_de_mandant_ComputerAccountOperators_U'
    ActiveDirectoryRights              = 'CreateChild', 'DeleteChild'
    AccessControlType                  = 'Allow'
    ObjectType                         = $ConfigurationData.ObjectGUID.Computer
    ActiveDirectorySecurityInheritance = 'All'
    InheritedObjectType                = $ConfigurationData.ObjectGUID.All
}
With the setting "Ensure = 'Absent'" (see below), this entry is not deleted again and still persists, although the verbose output says: "Removing object..."
Verbose logs showing the problem
VERBOSE: [...]: LCM: [ Start Resource ] [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]
VERBOSE: [...]: LCM: [ Start Test ] [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]
VERBOSE: [...]: [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]] Object permission entry found on object 'cn=computers,...,dc=...,dc=...'. (OPE0001)
VERBOSE: [...]: [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]] Object permission entry on object 'cn=computers,dc=qs-ds,dc=...,dc=...' is not in the desired state. (OPE0006)
VERBOSE: [...]: LCM: [ End Test ] [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]] in 0.0500 seconds.
VERBOSE: [...]: LCM: [ Start Set ] [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]
VERBOSE: [...]: [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]] Removing object permission entry from object 'cn=computers,...,dc=...,dc=...'. (OPE0004)
VERBOSE: [...]: LCM: [ End Set ] [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]] in 0.0700 seconds.
VERBOSE: [...]: LCM: [ End Resource ] [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]
Suggested solution to the issue
removing acl entry
The DSC configuration that is used to reproduce the issue (as detailed as possible)
# insert configuration here
$Path = [System.String]::Format('cn=computers,{0}', $DomainDN)
ADObjectPermissionEntry ([System.String]::Format('[{0}]:{1}\ad_de_mandant_ComputerAccountOperators_U[c|d]', $Path, $DomainNetBIOSName)) {
    Path                               = $Path
    Ensure                             = 'Absent'
    IdentityReference                  = 'ad_de_mandant_ComputerAccountOperators_U'
    ActiveDirectoryRights              = 'CreateChild', 'DeleteChild'
    AccessControlType                  = 'Allow'
    ObjectType                         = $ConfigurationData.ObjectGUID.Computer
    ActiveDirectorySecurityInheritance = 'All'
    InheritedObjectType                = $ConfigurationData.ObjectGUID.All
}
The operating system the target node is running
OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}
Version and build of PowerShell the target node is running
Name                           Value
----                           -----
PSRemotingProtocolVersion      2.3
BuildVersion                   10.0.17763.2268
PSVersion                      5.1.17763.2268
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSEdition                      Desktop
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
Version of the DSC module that was used
6.1.0-preview0005
6.2.0-preview0001
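A check for the state this report describes, as an added example that is not part of the original issue or of the ActiveDirectoryDsc code base: it counts explicit ACEs matching the resource's properties, so the effect of Ensure = 'Absent' can be verified independently of the verbose log. The helper name `Find-ObjectPermissionEntry`, the SID and the in-memory ACL are constructed for illustration, and the ObjectType value assumes the schema GUID of the computer class.

```powershell
# Added example; Find-ObjectPermissionEntry is a hypothetical helper, not part of ActiveDirectoryDsc.
Add-Type -AssemblyName System.DirectoryServices

function Find-ObjectPermissionEntry {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurity] $Acl,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [guid] $ObjectType,
        [guid] $InheritedObjectType = [guid]::Empty,
        [System.Security.AccessControl.AccessControlType] $AccessControlType = 'Allow'
    )
    # Explicit ACEs only; inherited ones are owned by a parent object.
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $Sid.Value -and
            $ace.AccessControlType -eq $AccessControlType -and
            $ace.ObjectType -eq $ObjectType -and
            $ace.InheritedObjectType -eq $InheritedObjectType -and
            ($ace.ActiveDirectoryRights -band $Rights) -eq $Rights) {
            $ace   # emit every ACE that still grants the requested rights
        }
    }
}

# Constructed sample data: the SID is made up; the GUID is assumed to be the
# schemaIDGUID of the computer class (the page only shows $ConfigurationData.ObjectGUID.Computer).
$sid      = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'
$computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

# In-memory ACL standing in for the one on cn=computers, with the ACE from the 'Present' configuration.
$acl  = New-Object System.DirectoryServices.ActiveDirectorySecurity
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow, $computer,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All, [guid]::Empty)
$acl.AddAccessRule($rule)

$query  = @{ Acl = $acl; Sid = $sid; Rights = $rights; ObjectType = $computer }
$before = @(Find-ObjectPermissionEntry @query).Count
$acl.RemoveAccessRuleSpecific($rule)   # the state Ensure = 'Absent' is expected to produce
$after  = @(Find-ObjectPermissionEntry @query).Count
"Matching explicit ACEs: before removal = $before, after removal = $after"
```

Against a live domain, pass the result of `Get-Acl -Path "AD:\$Path"` (ActiveDirectory module) as `-Acl` and the group's SID as `-Sid`; a non-zero count after the DSC run means the delegation is still in place.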
johlju commented
I haven't tested this myself but labelling it as a bug.