dsccommunity/ExchangeDsc

xExchReceiveConnector: ExtendedRightDenyEntries cause removal of Allow not Deny

jrdbarnes opened this issue · 4 comments

Details of the scenario you tried and the problem that is occurring

The ExtendedRightDenyEntries parameter on xExchReceiveConnector functions incorrectly. It should add Deny entries with Add-ADPermission; instead, it is removing Allow entries.

Verbose logs showing the problem

https://github.com/PowerShell/xExchange/blob/master/DSCResources/MSFT_xExchReceiveConnector/MSFT_xExchReceiveConnector.psm1#L620

Suggested solution to the issue

Add parameters for
ExtendedRightAllowEntriesRemoval
ExtendedRightDenyEntriesRemoval
and make ExtendedRightDenyEntries actually add deny entries.

Alternatively, change to ExtendedRightEntriesAddition with an additional Allow or Deny hashtable key/value, and add ExtendedRightEntriesRemoval in the same format.

All of the above would be a breaking change, I think.

Alternatively, use a separate resource to handle Add-ADPermission?

The DSC configuration that is used to reproduce the issue (as detailed as possible)

N/A

Exchange Server edition and version the target node is running

N/A

The operating system the target node is running

N/A

Version and build of PowerShell the target node is running

N/A

Version of the DSC module that was used ('dev' if using current dev branch)

N/A

Hi @jrdbarnes, thanks for the submission. I'm going to mark this as a bug. Let me know if you are planning on working on this yourself. In the meantime I'll flag this as Help Wanted.

Re: Add-ADPermission, I think it makes sense to keep that within the xExchange module, as it is an Exchange cmdlet.

Hi @mhendric, I was thinking about trying to fix it, but wasn't sure what the best approach was so any thoughts would be appreciated.

In some ways it feels like the correct approach would be to create MSFT_xExchAdPermission resource to manage this configuration, rather than it being part of the receive connector configuration. This would allow reuse in other areas of Exchange config as well.

The easier fix is to just add some more parameters and correct the code logic.

Fixed with #437

Indeed it was. Closing.
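
The behaviour the issue asks for, as an added example that is not ExchangeDsc code and not the change made in #437: for each requested deny entry, plan an explicit Deny ACE when one is missing and leave any matching Allow ACE in place. The function name, the ACE object shape (User, ExtendedRights, Deny) and the hashtable input format are assumptions; the sample data is constructed.

```powershell
# Added illustration. Get-DenyEntryPlan is a hypothetical helper, not part of ExchangeDsc.
function Get-DenyEntryPlan {
    param(
        # Existing ACEs on the connector. Assumed shape: User, ExtendedRights, Deny.
        [object[]]  $CurrentAce = @(),
        # Requested deny entries. Assumed format: user -> comma-separated extended rights.
        [Parameter(Mandatory)]
        [hashtable] $DenyEntries
    )

    foreach ($user in $DenyEntries.Keys) {
        foreach ($right in ($DenyEntries[$user] -split ',').Trim()) {
            # ACEs that already name this user and this extended right
            $match = @($CurrentAce | Where-Object {
                $_.User -eq $user -and $_.ExtendedRights -contains $right
            })
            $hasDeny  = [bool]($match | Where-Object { $_.Deny })
            $hasAllow = [bool]($match | Where-Object { -not $_.Deny })

            [pscustomobject]@{
                User            = $user
                ExtendedRight   = $right
                # A deny entry is satisfied only by a Deny ACE. Removing an
                # Allow ACE is a different operation and is never planned here.
                Action          = if ($hasDeny) { 'None' } else { 'AddDeny' }
                # Reported so a conflicting Allow ACE is visible, not silently removed.
                AllowAcePresent = $hasAllow
            }
        }
    }
}

# Constructed sample: one Allow ACE and one Deny ACE for the same user
$current = @(
    [pscustomobject]@{ User = 'NT AUTHORITY\ANONYMOUS LOGON'
                       ExtendedRights = @('ms-Exch-SMTP-Accept-Any-Recipient'); Deny = $false }
    [pscustomobject]@{ User = 'NT AUTHORITY\ANONYMOUS LOGON'
                       ExtendedRights = @('ms-Exch-Bypass-Anti-Spam'); Deny = $true }
)
$deny = @{
    'NT AUTHORITY\ANONYMOUS LOGON' = 'ms-Exch-SMTP-Accept-Any-Recipient, ms-Exch-Bypass-Anti-Spam'
}

# Rows with Action 'AddDeny' are the ones a caller would apply with Add-ADPermission -Deny
Get-DenyEntryPlan -CurrentAce $current -DenyEntries $deny | Format-Table -AutoSize
```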