DSC group resource can't remove domain user from local administrators group

This topic contains 10 replies, has 4 voices, and was last updated by  Michael Greene 10 months, 1 week ago.

  • Author
  • #75191


    I want to use the DSC Group resource to keep a few users [local users and domain users] in the local Administrators group.

    We have lots of Windows Servers, and each Windows Server has different domain users in its local Administrators group. We want to use PowerShell DSC to control the users in the local Administrators group through a different .MOF file for each server; that's why I want to use PowerShell DSC to replace the GPO setting.

    But I found that when I added another domain user which is not in the script below, DSC couldn't delete this domain user from the local Administrators group.

    configuration dsc-node-config {
        param (
            [PSCredential] $DomainCredential
        )

        Import-DscResource -ModuleName PSDesiredStateConfiguration

        Node test-server {
            Group Administrators {
                GroupName            = 'Administrators'
                Ensure               = 'Present'
                # 'Members' replaces the whole group membership; the rest of the list was omitted in the post
                Members              = @(
                    'testdomain\Domain Admins'
                )
                Credential           = $DomainCredential
                PsDscRunAsCredential = $DomainCredential
            }
        }
    }

    $cd = @{
        AllNodes = @(
            @{
                NodeName                    = 'test-server'
                PSDscAllowDomainUser        = $true
                PSDscAllowPlainTextPassword = $true
                # CertificateFile = "C:\PublicKeys\server1.cer"
            }
        )
    }

    $cred = Get-Credential -UserName testdomain\vif12066 -Message "Password please"
    dsc-node-config -DomainCredential $cred -ConfigurationData $cd -OutputPath 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
    New-DscChecksum 'C:\Program Files\WindowsPowerShell\DscService\Configuration\test-server.mof' -Force
    Update-DscConfiguration -ComputerName test-server
  • #75200


    Have you tried using "MembersToInclude" instead of "Members"? I haven't tried it yet, but this looks like it might do the trick.

    • #75214


      Thanks for your reply.

      "MembersToInclude" can only add members to local groups, but it can't keep the members in local groups.

      I have tried "MembersToInclude"; it can't meet my requirement to keep members.

  • #75260

    Will Anderson

    ***EDIT*** Nevermind. That would remove the group. Checking.

  • #75262

    Will Anderson

    There should be a MembersToExclude Option if you're using PSDesiredStateConfiguration 1.1

    PS C:\Users\lwinadmin> Get-DscResource Group -Syntax
    Group [String] #ResourceName
        GroupName = [string]
        [Credential = [PSCredential]]
        [DependsOn = [string[]]]
        [Description = [string]]
        [Ensure = [string]{ Absent | Present }]
        [Members = [string[]]]
        [MembersToExclude = [string[]]]
        [MembersToInclude = [string[]]]
        [PsDscRunAsCredential = [PSCredential]]
    • #75295


      Hi Will, Thanks for your reply.

      From my view, MembersToExclude can specify the members which I don't want to add to the local Administrators group, but it can't keep a member list in the local Administrators group.

      About description of Parameters Members:

      [String[]] Members (Write): The members the group should have. This property will replace all the current group members with the specified members. Members should be specified as strings in the format of their domain qualified name (domain\username), their UPN (username@domainname), their distinguished name (CN=username,DC=...), or their username (for local machine accounts). Using either the MembersToExclude or MembersToInclude properties in the same configuration as this property will generate an error.

      From the wording, the Members parameter should keep the member list which I want to keep.

  • #75325


    Hi Allen,

    I did a test on my side. The version of the Group resource shows as 1.1, so it's the original version. I used this for the configuration:

    Group RDP {
        GroupName = "Remote Desktop Users"
        Ensure    = "Present"
        Members   = @( <# member list omitted in the original post #> )
    }

    Then I added some extra domain users to the group manually. DSC was able to remove them without any problem.

    I then tried it with xGroup, and it worked fine too; it removed any extra users I added manually.

    The only version I did not test is the one in the updated PSDscResources, as I'm having problems importing it.
    Do you know which version you are using that has the problem?

    • #75383


      Hi Sylvain. thanks for your reply.

      The Group resource I used is in PSDesiredStateConfiguration version 1.1,
      and I also tried the xGroup resource in xPSDesiredStateConfiguration version 6.4.

      Both [x]Group resources work for non-local-Administrators groups. I tested them too.

      But they are not working for the local Administrators group. Did you try both resources on the local Administrators group?

  • #75353

    Michael Greene

    Just for clarity, which of these statements meets your requirements? (or if none, can you explain further)

    • You need to add a list of members in machine local Administrators, without removing existing members
    • You need to set the list of members in machine local Administrators, and remove anyone not in the list, and remove any future accounts that are added using AutoCorrect
    • You need to set the list of members in machine local Administrators, without removing existing members, but remove any future accounts that are added using AutoCorrect
    • #75380


      Hi Michael, thanks for your reply.

      I mean the one below:

      You need to set the list of members in machine local Administrators, without removing existing members, but remove any future accounts that are added using AutoCorrect

      And I have set the LCM to ApplyAndAutoCorrect.

      BTW: I got some information from the Microsoft forums; one Goodman answer:

      IF all of the members are present then nothing will be changed. You are also missing the local administrator which must be included.

      I don't know whether this answer is helpful for this topic.
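The following is an added example, not code from this thread or from the PSDesiredStateConfiguration module, showing the behaviour discussed above: the Members property is authoritative, so the full approved list (including the built-in Administrator the Goodman answer mentions) is declared per node, the LCM is set to ApplyAndAutoCorrect so manually added accounts are removed on the next consistency check, and the credential is encrypted with the node certificate instead of PSDscAllowPlainTextPassword. The node name, the account names, the certificate path and the thumbprint are assumptions (placeholders), and push mode is used for brevity where the original post uses a pull server.

```powershell
# Added example (not from the thread). Assumed: a node named 'test-server',
# its DSC encryption certificate exported to C:\PublicKeys\test-server.cer,
# and constructed account names; the thumbprint below is a placeholder.

configuration LocalAdminsBaseline {
    param (
        [Parameter(Mandatory)]
        [PSCredential] $DomainCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        # 'Members' is authoritative: the resource replaces the whole membership
        # with exactly this list, so every account that must stay (including the
        # built-in Administrator) has to be named here. Anything added by hand
        # later is removed on the next consistency check.
        Group LocalAdministrators {
            GroupName            = 'Administrators'
            Ensure               = 'Present'
            Members              = $Node.ApprovedAdmins
            Credential           = $DomainCredential   # used to resolve domain principals
            PsDscRunAsCredential = $DomainCredential
        }
    }
}

# LCM meta-configuration: ApplyAndAutoCorrect re-applies the configuration
# whenever the periodic consistency check detects drift.
[DscLocalConfigurationManager()]
configuration LocalAdminsLcm {
    Node $AllNodes.NodeName {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# Per-node approved list: different servers get different lists in the same data file.
$configData = @{
    AllNodes = @(
        @{
            NodeName       = 'test-server'
            ApprovedAdmins = @(
                'Administrator'               # built-in local account
                'testdomain\Domain Admins'
                'testdomain\srv-ops'          # constructed example group
            )
            # Encrypt the credential in the MOF with the node's certificate
            # instead of setting PSDscAllowPlainTextPassword.
            CertificateFile      = 'C:\PublicKeys\test-server.cer'
            Thumbprint           = '<thumbprint of the node certificate>'   # placeholder
            PSDscAllowDomainUser = $true
        }
    )
}

$cred = Get-Credential -UserName 'testdomain\svc-dsc' -Message 'Account used to resolve domain members'   # constructed name

LocalAdminsBaseline -DomainCredential $cred -ConfigurationData $configData -OutputPath C:\DSC\LocalAdmins
LocalAdminsLcm -ConfigurationData $configData -OutputPath C:\DSC\LocalAdminsLcm

Set-DscLocalConfigurationManager -Path C:\DSC\LocalAdminsLcm -ComputerName test-server -Verbose
Start-DscConfiguration -Path C:\DSC\LocalAdmins -ComputerName test-server -Wait -Verbose

# Drift check: returns $false as soon as an unlisted account is added by hand.
Test-DscConfiguration -ComputerName test-server
```

Because Members is an exact set, the "keep existing members and only remove future additions" behaviour the original poster asks for cannot be expressed with it; the approved list has to be written out explicitly for each node, which is also what makes the resulting state auditable.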

    • #75391

      Michael Greene

      I think I understand the issue. Please confirm this is correct.

      In your ideal scenario the resource would:

      • Capture the list of members of the machine local Administrator group
      • Add new members based on the Configuration properties
      • Store a list containing a combination of accounts that were previously in the Administrators group, plus accounts that were added by the Configuration
      • Prevent future changes by comparing against that stored list

      If this understanding is correct, then you would need to fork and modify the resource to add this behavior. Currently, the resource does not capture and store information in this way (it would be challenging to do this securely).

      However, you mentioned you are switching from using Group Policy. Were you using "Restricted Groups"? The behavior of that policy is to effect inclusion and exclusion, so any accounts not listed in the policy would have been removed.

      A good next step might be to run a script that remotely confirms membership of the machine local Administrators group across servers?
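The membership check suggested above, as an added example that is not part of this thread: it collects the actual local Administrators membership from several servers over WinRM and compares each one against a per-server approved list, reporting accounts that are present but not approved and accounts that are approved but missing. It assumes WinRM is enabled on the targets and that they have the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1); the server names and approved lists are constructed.

```powershell
# Added example (not from the thread). Server names and approved lists are constructed.
$approved = @{
    'test-server' = @('Administrator', 'TESTDOMAIN\Domain Admins', 'TESTDOMAIN\srv-ops')
    'app-server'  = @('Administrator', 'TESTDOMAIN\Domain Admins', 'TESTDOMAIN\app-ops')
}
$servers = @($approved.Keys)

# Collect the actual membership from every server in one round of remote sessions.
$actual = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Server      = $env:COMPUTERNAME
            # Local principals come back as COMPUTERNAME\name; strip the prefix so
            # they compare against the bare names used in the approved list.
            Name        = if ($_.PrincipalSource -eq 'Local') { $_.Name -replace '^[^\\]+\\', '' } else { $_.Name }
            ObjectClass = $_.ObjectClass
        }
    }
}

# Compare per server. Compare-Object is case-insensitive by default, matching
# how Windows treats account names.
$report = foreach ($server in $servers) {
    $current = @($actual | Where-Object Server -eq $server | Select-Object -ExpandProperty Name)

    # Unreachable host (or empty result): report it rather than passing it silently.
    if ($current.Count -eq 0) {
        [pscustomobject]@{ Server = $server; Account = '-'; Status = 'NO DATA (host unreachable or query failed)' }
        continue
    }

    foreach ($entry in Compare-Object -ReferenceObject $approved[$server] -DifferenceObject $current) {
        [pscustomobject]@{
            Server  = $server
            Account = $entry.InputObject
            Status  = if ($entry.SideIndicator -eq '=>') { 'UNEXPECTED (present, not approved)' }
                      else                               { 'MISSING (approved, not present)' }
        }
    }
}

$report | Sort-Object Server, Status | Format-Table -AutoSize
```

Run this on a schedule and keep the output; a server that keeps reappearing with UNEXPECTED entries between DSC consistency checks is where someone is adding accounts by hand, which is exactly the drift the Members-based configuration is meant to correct.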
