dsccommunity/ActiveDirectoryDsc

ADObjectPermissionEntry: Ensure=Absent not removing entry

TorstenSchnitter opened this issue · 1 comments

Details of the scenario you tried and the problem that is occurring

Added an ACL entry with:

$Path = [System.String]::Format('cn=computers,{0}', $DomainDN)
ADObjectPermissionEntry ([System.String]::Format('[{0}]:{1}\ad_de_mandant_ComputerAccountOperators_U[c|d]', $Path, $DomainNetBIOSName)) {
  Path = $Path
  Ensure = 'Present'
  IdentityReference = 'ad_de_mandant_ComputerAccountOperators_U'
  ActiveDirectoryRights = 'CreateChild', 'DeleteChild'
  AccessControlType = 'Allow'
  ObjectType = $ConfigurationData.ObjectGUID.Computer
  ActiveDirectorySecurityInheritance = 'All'
  InheritedObjectType = $ConfigurationData.ObjectGUID.All
}

With the setting "Ensure = 'Absent'" (see below), this entry is not deleted again and still persists,
although the verbose output says: "Removing object..."

Verbose logs showing the problem

VERBOSE: [...]: LCM:  [ Start  Resource ]  [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]
VERBOSE: [...]: LCM:  [ Start  Test     ]  [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]
VERBOSE: [...]:                            [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]] Object permission entry found on object 'cn=computers,...,dc=...,dc=...'. (OPE0001)
VERBOSE: [...]:                            [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]] Object permission entry on object 'cn=computers,dc=qs-ds,dc=...,dc=...' is not in the desired state. (OPE0006)
VERBOSE: [...]: LCM:  [ End    Test     ]  [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]  in 0.0500 seconds.
VERBOSE: [...]: LCM:  [ Start  Set      ]  [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]
VERBOSE: [...]:                            [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]] Removing object permission entry from object 'cn=computers,...,dc=...,dc=...'. (OPE0004)
VERBOSE: [...]: LCM:  [ End    Set      ]  [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]  in 0.0700 seconds.
VERBOSE: [...]: LCM:  [ End    Resource ]  [[ADObjectPermissionEntry][cn=computers,dc=...,dc=...,dc=...]:...\ad_de_mandant_ComputerAccountOperators_U[c|d]]

Suggested solution to the issue

removing acl entry

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here
$Path = [System.String]::Format('cn=computers,{0}', $DomainDN)
ADObjectPermissionEntry ([System.String]::Format('[{0}]:{1}\ad_de_mandant_ComputerAccountOperators_U[c|d]', $Path, $DomainNetBIOSName)) {
  Path = $Path
  Ensure = 'Absent'
  IdentityReference = 'ad_de_mandant_ComputerAccountOperators_U'
  ActiveDirectoryRights = 'CreateChild', 'DeleteChild'
  AccessControlType = 'Allow'
  ObjectType = $ConfigurationData.ObjectGUID.Computer
  ActiveDirectorySecurityInheritance = 'All'
  InheritedObjectType = $ConfigurationData.ObjectGUID.All
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSRemotingProtocolVersion      2.3
BuildVersion                   10.0.17763.2268
PSVersion                      5.1.17763.2268
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSEdition                      Desktop
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
SerializationVersion           1.1.0.1

Version of the DSC module that was used

6.1.0-preview0005
6.2.0-preview0001

I haven't tested this myself but labelling it as a bug.
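
To confirm independently of the DSC verbose output whether the entry described in this issue is still on the object, the ACL can be read directly. The following is an added example, not part of the original issue or of ActiveDirectoryDsc; the function name `Get-MatchingAdAce` is hypothetical, and it assumes the ActiveDirectory module is installed on the node.

```powershell
# Added example (hypothetical helper, not ActiveDirectoryDsc code).
# Assumes the ActiveDirectory module, which provides the AD: drive for Get-Acl.
function Get-MatchingAdAce {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $Path,               # DN of the object
        [Parameter(Mandatory)] [string] $IdentityReference,  # account name
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectoryRights] $ActiveDirectoryRights,
        [Parameter(Mandatory)]
        [System.Security.AccessControl.AccessControlType] $AccessControlType,
        [Parameter(Mandatory)] [guid] $ObjectType,
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $ActiveDirectorySecurityInheritance,
        [Parameter(Mandatory)] [guid] $InheritedObjectType
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Compare by SID so 'name' and 'DOMAIN\name' resolve to the same principal.
    $sid = ([System.Security.Principal.NTAccount] $IdentityReference).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path "AD:\$Path" -ErrorAction Stop

    # Explicit ACEs only: inherited entries cannot be removed on this object.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $AccessControlType -and
            $_.ObjectType -eq $ObjectType -and
            $_.InheritanceType -eq $ActiveDirectorySecurityInheritance -and
            $_.InheritedObjectType -eq $InheritedObjectType -and
            # -band: a stored ACE may carry more rights than the ones asked for
            ($_.ActiveDirectoryRights -band $ActiveDirectoryRights) -ne 0
        }
}

# Usage with the values from the configuration in this issue
# ($Path and $ConfigurationData are the variables used there):
# Get-MatchingAdAce -Path $Path `
#     -IdentityReference 'ad_de_mandant_ComputerAccountOperators_U' `
#     -ActiveDirectoryRights 'CreateChild', 'DeleteChild' -AccessControlType Allow `
#     -ObjectType $ConfigurationData.ObjectGUID.Computer `
#     -ActiveDirectorySecurityInheritance All `
#     -InheritedObjectType $ConfigurationData.ObjectGUID.All
```

If this still returns any entries after the `Ensure = 'Absent'` configuration has been applied, the access control entry is still present on the object.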