Correct way to use the Group Resource

This topic contains 8 replies, has 4 voices, and was last updated by Aubrey Ekstrom 1 year, 10 months ago.

  • #18928
    Michael Felkins
    Participant

    Hi,

    I am trying to create some local groups and add Domain members to those groups.

    So far I have this:

    $systemID = $env:COMPUTERNAME

    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName = $systemID
                PSDscAllowPlainTextPassword = $true
            }
        )
    }

    $securedstring = ConvertTo-SecureString -String $Password -AsPlainText -Force
    [PSCredential]$cred = New-Object System.Management.Automation.PSCredential ($UserName, $securedstring)

    # Fragment: this resource block sits inside the Configuration / Node block.
    Group sitecore_ro {
        GroupName = "sitecore_ro"
        Ensure = "Present"
        Description = "sitecore_ro"
        Members = "$Domain\Dept_IT Dev"
        #Members = @("$Domain\Dept_IT Dev")
        Credential = $cred
    }

    It creates the group but does not add the members to the group.

    Could someone post an example of the correct way to write this?
    Also, I need to add more than one user or group, so is the Members = @("$Domain\Dept_IT Dev","user1","user2")
    format the correct way to do this?

    TIA

    The Old Dog

  • #18942
    Matt Thompson
    Participant

    I've had the same issue as discussed in my post here – https://powershell.org/forums/topic/issue-adding-users-to-a-group/

    Don replied to me and pointed me towards some info that may help you. I've been busy and haven't had a chance to dig back into it myself, so I can't really help you out any further than to point you to my thread and Don's reply.

  • #18943
    Aaron Jensen
    Participant

    Are you getting an error? If so, can you post it?

  • #18950
    Michael Felkins
    Participant

    I get this error message:

    The PowerShell provider MSFT_GroupResource threw one or more non-terminating errors while running the
    Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational
    Refer to this channel for more details.
    + CategoryInfo : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName : DSCTESTIAPP

    One more thing, I am trying this on Windows 2008R2 server. I have noticed that some of the resources only work on 2012 servers.

  • #18951
    Aaron Jensen
    Participant

    What is the error in the Microsoft-Windows-DSC/Operational (Applications and Services Logs > Microsoft > Windows > Desired State Configuration > Operational) event log?

  • #18996
    Michael Felkins
    Participant

    This event indicates that a non-terminating error was thrown when DSCEngine was executing Set-TargetResource on MSFT_GroupResource provider.
    FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "Unknown error (0x80005000)".

    Old Dog

  • #18998
    Michael Felkins
    Participant

    If I comment out the members line, the script runs without an error. It can't seem to find the members.
    The members are on a different, trusted domain and I can add them to the groups with a simple

    Net localgroup "Performance Log Users" "otherdomain.com\user" /add

    I wonder if this is a "feature" of DSC?

    BTW, the Group Resource adds the group and description with no problems.

    Mike

  • #19003
    Aaron Jensen
    Participant

    That's what I thought. The Group resource only works when everything is on the same domain. Computer, members, etc. Sad trombone. I'm not sure there is any workaround. It doesn't look like anyone has contributed a fix.

    Here is a PowerShell Connect issue I've filed about this. It covers two issues: you have to supply credentials when talking to any AD, even if that instance is world readable, and those credentials and the members being added to the group must be on the same domain. Feel free to give it an up vote:
    https://connect.microsoft.com/PowerShell/feedbackdetail/view/957378/dsc-group-resource-fails-to-add-a-domain-user-to-a-local-group-without-domain-credentials

  • #22054
    Aubrey Ekstrom
    Participant

    I had problems with this myself, and I finally figured it out and got it working! Using your code as an example. My 2 "minor" changes (not minor when you're pulling your hair out) in BOLD:

    $systemID = $env:COMPUTERNAME

    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName = $systemID
                PSDscAllowPlainTextPassword = $true
            }
        )
    }

    $securedstring = ConvertTo-SecureString -String $Password -AsPlainText -Force
    # Change 1 (bold in the original post): the user name is qualified with the domain.
    [PSCredential]$cred = New-Object System.Management.Automation.PSCredential ("$Domain\$UserName", $securedstring)

    Configuration AddUsersToGroup {
        Node $systemID {
            Group sitecore_ro {
                GroupName = "sitecore_ro"
                Ensure = "Present"
                Description = "sitecore_ro"
                # Change 2 (bold in the original post): MembersToInclude instead of Members.
                MembersToInclude = "$Domain\Dept_IT Dev"
                Credential = $cred
            }
        }
    }

    AddUsersToGroup -ConfigurationData $ConfigurationData
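
The configurations in this thread set PSDscAllowPlainTextPassword=$true, which writes the credential's password into the compiled MOF in clear text. The following is an added example, not code from any poster, showing the same Group resource with several entries in MembersToInclude and the credential encrypted with a certificate instead; it does not change the cross-domain behaviour discussed above. Assumptions: the domain name CONTOSO, the account and member names, the path C:\Dsc\node01.cer and the thumbprint placeholder are constructed, and the matching certificate with its private key is already installed on the node.

```powershell
# Added example, not code from the thread. Constructed placeholders:
# CONTOSO, svc-dsc, user1/user2, C:\Dsc\node01.cer, <certificate-thumbprint>.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName        = $env:COMPUTERNAME
            # Public key used to encrypt credentials when the MOF is compiled.
            CertificateFile = 'C:\Dsc\node01.cer'
            # Thumbprint of the matching certificate (with private key) on the node.
            Thumbprint      = '<certificate-thumbprint>'
            # PSDscAllowPlainTextPassword is not set, so the password is not written in clear text.
        }
    )
}

Configuration AddUsersToGroup {
    param (
        [Parameter(Mandatory = $true)]
        [PSCredential]$Credential
    )

    Node $AllNodes.NodeName {
        # Tells the LCM which certificate to use to decrypt the credential.
        LocalConfigurationManager {
            CertificateID = $Node.Thumbprint
        }

        Group sitecore_ro {
            GroupName        = 'sitecore_ro'
            Ensure           = 'Present'
            Description      = 'sitecore_ro'
            # Additive list: existing members are kept. Cannot be combined with Members.
            MembersToInclude = @('CONTOSO\Dept_IT Dev', 'CONTOSO\user1', 'CONTOSO\user2')
            Credential       = $Credential
        }
    }
}

# Prompt for the domain-qualified account rather than building it from a plaintext string.
$cred = Get-Credential -UserName 'CONTOSO\svc-dsc' -Message 'Account used to resolve group members'
AddUsersToGroup -ConfigurationData $ConfigurationData -Credential $cred -OutputPath .\AddUsersToGroup

# Apply the LCM setting (.meta.mof) first, then the configuration itself.
Set-DscLocalConfigurationManager -Path .\AddUsersToGroup
Start-DscConfiguration -Path .\AddUsersToGroup -Wait -Verbose
```

After compiling, opening the generated .mof should show the Password value as an encrypted blob rather than readable text.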
    
