Author Posts

September 18, 2014 at 3:15 pm

Hi,

I am trying to create some local groups and add Domain members to those groups.

So far I have this:

$systemID = $env:COMPUTERNAME

$ConfigurationData = @{
AllNodes = @(
@{
NodeName=$systemID
PSDscAllowPlainTextPassword=$true
}
}
}

$securedstring = ConvertTo-SecureString -String $Password -AsPlainText -Force
[PSCredential]$cred = New-Object System.Management.Automation.PSCredential ($UserName, $securedstring)

Group sitecore_ro {
GroupName = "sitecore_ro"
Ensure = "Present"
Description = "sitecore_ro"
Members = "$Domain\Dept_IT Dev"
#Members = @("$Domain\Dept_IT Dev")
Credential = $cred
}

It creates the group but does not add the members to the group.

Could some one post an example of the correct way to write this?
Also, I need to add more than one user or group, so is the Members = @("$Domain\Dept_IT Dev","user1","user2")
format the correct way to do this?

TIA

The Old Dog

September 19, 2014 at 8:30 am

I've had the same issue as discussed in my post here – https://powershell.org/forums/topic/issue-adding-users-to-a-group/

Don replied to me and pointed me towards some info that may help you. I've been busy and haven't had a chance to dig back into it myself so I can't really help you out any further than to point you to my thread and Dons reply.

September 19, 2014 at 9:00 am

Are you getting an error? If so, can you post it?

September 19, 2014 at 2:47 pm

I get this error message:

The PowerShell provider MSFT_GroupResource threw one or more non-terminating errors while running the
Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational
Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : DSCTESTIAPP

One more thing, I am trying this on Windows 2008R2 server. I have noticed that some of the resources only work on 2012 servers.

September 19, 2014 at 3:08 pm

What is the error in the Microsoft-Windows-DSC/Operational (Applications and Services Logs > Microsoft > Windows > Desired State Configuration > Operational) event log?

September 22, 2014 at 11:44 am

This event indicates that a non-terminating error was thrown when DSCEngine was executing Set-TargetResource on MSFT_GroupResource provider.
FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "Unknown error (0x80005000)".

Old Dog

September 22, 2014 at 1:05 pm

If I comment out the members line, the script runs without an error. It can't seem to find the members..
The members are on a different, trusted domain and I can add them to the groups with a simple

Net localgroup "Performance Log Users" "otherdomain.com\user" /add

I wonder if this is a "feature" of DSC?

BTW, the Group Resource adds the group and description with no problems.

Mike

September 22, 2014 at 6:39 pm

That's what I thought. The Group resource only works when everything is on the same domain. Computer, members, etc. Sad trombone. I'm not sure there is any workaround. It doesn't look like anyone has contributed a fix.

Here is a PowerShell Connect issue I've filed about this. It covers two issues: you have to supply credentials when talking to any AD, even if that instance is world readable, and those credentials and the members being added to the group must be on the same domain. Feel free to give it an up vote:
https://connect.microsoft.com/PowerShell/feedbackdetail/view/957378/dsc-group-resource-fails-to-add-a-domain-user-to-a-local-group-without-domain-credentials

January 21, 2015 at 1:26 pm

I had problems with this myself, and I finally figured it out and got it working! Using your code as an example. My 2 "minor" changes (not minor when your pulling your hair out) in [b]BOLD[/b]:

$systemID = $env:COMPUTERNAME

$ConfigurationData = @{
 AllNodes = @(
 @{
 NodeName=$systemID
 PSDscAllowPlainTextPassword=$true
 }
 }
 }

$securedstring = ConvertTo-SecureString -String $Password -AsPlainText -Force
 [PSCredential]$cred = New-Object System.Management.Automation.PSCredential ([b]$Domain\[/b]$UserName, $securedstring)

Configuration AddUsersToGroup

        Node $systemID {

Group sitecore_ro {
 GroupName = "sitecore_ro"
 Ensure = "Present"
 Description = "sitecore_ro"
 Members[b]ToInclude[/b] = "$Domain\Dept_IT Dev"
 Credential = $cred
 }
}

AddUsersToGroup -ConfigurationData $ConfigurationData