DSC group resource can't remove domain user from local administrators group

This topic contains 10 replies, has 4 voices, and was last updated by Michael Greene 2 months, 4 weeks ago.

  • #75191

    Allen.Zhang
    Participant

    I want to use the DSC Group resource to keep a few users [local users and domain users] in the local Administrators group.

    We have lots of Windows Servers, and each Windows Server has different domain users in its local Administrators group. We want to use PowerShell DSC to control the users in the local Administrators group with a different .MOF file for each server; that's why I want to use PowerShell DSC to replace the GPO setting.

    But I found that when I added another domain user which is not in the script below, DSC can't delete this domain user from the local Administrators group.

    configuration dsc-node-config {
        param
        (
            [PSCredential] $DomainCredential
        )

        Import-DscResource -ModuleName PSDesiredStateConfiguration

        Node test-server
        {
            # Members replaces the whole membership of the group with exactly this list
            Group Administrators
            {
                GroupName            = 'Administrators'
                Ensure               = 'Present'
                Members              = @(
                    'testdomain\uf012066',
                    'testdomain\uf033913',
                    'testdomain\Domain Admins',
                    'testdomain\ServerAdministrator',
                    'testUser',
                    'testdomain\vs000974'
                )
                Credential           = $DomainCredential   # used to resolve the domain accounts
                PsDscRunAsCredential = $DomainCredential
            }
        }
    }

    # Configuration data: allow a domain user credential and a plain-text password in the MOF
    # (the commented-out CertificateFile would encrypt the credential in the MOF instead)
    $cd = @{
        AllNodes = @(
            @{
                NodeName                    = 'test-server'
                PSDscAllowDomainUser        = $true
                PSDscAllowPlainTextPassword = $true
                # CertificateFile = "C:\PublicKeys\server1.cer"
            }
        )
    }

    $cred = Get-Credential -UserName testdomain\vif12066 -Message "Password please"

    # Compile the MOF into the pull server's configuration folder, generate its checksum,
    # and tell the node to pull the new configuration
    dsc-node-config -DomainCredential $cred -ConfigurationData $cd -OutputPath 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
    New-DscChecksum 'C:\Program Files\WindowsPowerShell\DscService\Configuration\test-server.mof' -Force
    Update-DscConfiguration -ComputerName test-server
  • #75200

    Sylvain Martel
    Participant

    Have you tried using "MembersToInclude" instead of "Members"? I haven't tried it yet, but this looks like it might do the trick.

    • #75214

      Allen.Zhang
      Participant

      Thanks for your reply.

      "MembersToInclude" can only add members to local groups, but can't keep the members in local groups.

      I have tried "MembersToInclude"; it can't meet my requirement to keep members.

  • #75260

    Will Anderson
    Keymaster

    ***EDIT*** Nevermind. That would remove the group. Checking.

  • #75262

    Will Anderson
    Keymaster

    There should be a MembersToExclude option if you're using PSDesiredStateConfiguration 1.1:

    PS C:\Users\lwinadmin> Get-DscResource Group -Syntax
    Group [String] #ResourceName
    {
        GroupName = [string]
        [Credential = [PSCredential]]
        [DependsOn = [string[]]]
        [Description = [string]]
        [Ensure = [string]{ Absent | Present }]
        [Members = [string[]]]
        [MembersToExclude = [string[]]]
        [MembersToInclude = [string[]]]
        [PsDscRunAsCredential = [PSCredential]]
    }
    • #75295

      Allen.Zhang
      Participant

      Hi Will, Thanks for your reply.

      From my point of view, MembersToExclude can specify the members which I don't want to add to the local Administrators group, but it can't keep a member list in the local Administrators group.

      About the description of the Members parameter:
      https://github.com/PowerShell/PSDscResources/tree/2c33e69634aa9c641ab27427d457fe9f49884e7c#group

      [String[]] Members (Write): The members the group should have. This property will replace all the current group members with the specified members. Members should be specified as strings in the format of their domain qualified name (domain\username), their UPN (username@domainname), their distinguished name (CN=username,DC=...), or their username (for local machine accounts). Using either the MembersToExclude or MembersToInclude properties in the same configuration as this property will generate an error.

      From the wording, the Members parameter should keep the member list which I want to keep.

  • #75325

    Sylvain Martel
    Participant

    Hi Allen,

    I did a test on my side. The version of the Group resource shows as 1.1, so it's the original version. I used this for the configuration:

    Group RDP
    {
        GroupName = "Remote Desktop Users"
        Ensure    = "Present"
        Members   = @(
            'testdomain\myuser'
        )
    }

    Then I added some extra domain users to the group manually. DSC was able to remove them without any problem.

    I then tried it with xGroup (6.4.0.0) and it worked fine too; it removed any extra users I added manually.

    The only version I did not test is the one in the updated PSDscResources (2.8.0.0), as I'm having problems importing it.
    Do you know which version you are using that has the problem?

    • #75383

      Allen.Zhang
      Participant

      Hi Sylvain, thanks for your reply.

      The module I used is the Group resource in PSDesiredStateConfiguration version 1.1,
      and I also tried the xGroup resource in xPSDesiredStateConfiguration version 6.4.

      Both [x]Group resources work for groups other than the local Administrators group. I tested them too.

      But they are not working for the local Administrators group. Did you try both resources on the local Administrators group?

  • #75353

    Michael Greene
    Participant

    Just for clarity, which of these statements meets your requirements? (or if none, can you explain further)

    • You need to add a list of members in machine local Administrators, without removing existing members
    • You need to set the list of members in machine local Administrators, and remove anyone not in the list, and remove any future accounts that are added using AutoCorrect
    • You need to set the list of members in machine local Administrators, without removing existing members, but remove any future accounts that are added using AutoCorrect
    • #75380

      Allen.Zhang
      Participant

      Hi Michael, thanks for your reply.

      I mean the one below:

      You need to set the list of members in machine local Administrators, without removing existing members, but remove any future accounts that are added using AutoCorrect

      And I have set the LCM to ApplyAndAutoCorrect.

      BTW: I got some information from the Microsoft forums, one Goodman answer:

      If all of the members are present then nothing will be changed. You are also missing the local administrator which must be included.

      I don't know whether this answer is helpful for this topic.

    • #75391

      Michael Greene
      Participant

      I think I understand the issue. Please confirm this is correct.

      In your ideal scenario the resource would:

      • Capture the list of members of the machine local Administrator group
      • Add new members based on the Configuration properties
      • Store a list containing a combination of accounts that were previously in the Administrators group, plus accounts that were added by the Configuration
      • Prevent future changes by comparing against that stored list

      If this understanding is correct, then you would need to fork and modify the resource to add this behavior. Currently, the resource does not capture and store information in this way (it would be challenging to do this securely).

      However, you mentioned you are switching from using Group Policy. Were you using "Restricted Groups"? The behavior of that policy is to effect inclusion and exclusion, so any accounts not listed in the policy would have been removed.

      A good next step might be to run a script that remotely confirms membership of the machine local Administrators group across servers?
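An added example of the membership check suggested above (not code from the thread or from the DSC resource): it collects the live membership of BUILTIN\Administrators from each server over PowerShell remoting and reports members that are not in the expected list, as well as expected members that are missing. It assumes remoting is enabled and Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts, WMF 5.1 / Windows Server 2016 and later) is available; the server names are constructed placeholders, and the expected list mirrors the Members list from the first post.

```powershell
$Servers  = @('test-server', 'test-server2')   # constructed placeholder names
$Expected = @(                                 # mirrors the Members list from the thread
    'testdomain\uf012066', 'testdomain\uf033913', 'testdomain\Domain Admins',
    'testdomain\ServerAdministrator', 'testUser', 'testdomain\vs000974'
)

# Collect the live membership of BUILTIN\Administrators from every server in one remoting call.
$actual = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Server      = $env:COMPUTERNAME
            Name        = $_.Name              # DOMAIN\user, or COMPUTERNAME\user for local accounts
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, ...
        }
    }
}

$report = foreach ($server in $Servers) {
    $members = @($actual | Where-Object Server -eq $server)   # -eq ignores case (TEST-SERVER vs test-server)
    if ($members.Count -eq 0) {
        # Unreachable server or empty result: flag it instead of silently reporting "clean"
        [pscustomobject]@{ Server = $server; Finding = 'NoData'; Member = ''; Class = '' }
        continue
    }
    # Local accounts come back as COMPUTERNAME\name; the expected list uses the bare name.
    $short = foreach ($m in $members) { $m.Name -replace "^$([regex]::Escape($m.Server))\\", '' }

    for ($i = 0; $i -lt $members.Count; $i++) {
        $m = $members[$i]
        # The built-in Administrator account cannot be removed from the group, so it is never a finding.
        if ($short[$i] -eq 'Administrator') { continue }
        if ($Expected -notcontains $m.Name -and $Expected -notcontains $short[$i]) {
            [pscustomobject]@{ Server = $server; Finding = 'Unexpected'; Member = $m.Name; Class = $m.ObjectClass }
        }
    }
    foreach ($e in $Expected) {
        if ($members.Name -notcontains $e -and $short -notcontains $e) {
            [pscustomobject]@{ Server = $server; Finding = 'Missing'; Member = $e; Class = '' }
        }
    }
}

$report | Sort-Object Server, Finding | Format-Table -AutoSize
```

If a server has an orphaned SID in the group, Get-LocalGroupMember can fail on that host; the NoData row makes that visible rather than hiding it.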
