July 18, 2017 at 12:50 pm

I want to use the DSC Group resource to keep a few users [local users and domain users] in the local administrators group.

We have lots of Windows Servers, and each Windows Server has different domain users in the local administrators group. We want to use PowerShell DSC to control the users in the local administrators group in a different .MOF file for each server; that is why I want to use PowerShell DSC to replace the GPO setting.

But I found that when I added another domain user which is not in the script below, DSC can't delete this domain user from the local administrators group.

configuration dsc-node-config {
    param (
        [PSCredential] $DomainCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node test-server {
        # Members is meant to replace the whole membership of the group
        Group Administrators {
            GroupName            = 'Administrators'
            Ensure               = 'Present'
            Members              = @(
                'testdomain\Domain Admins'
            )
            Credential           = $DomainCredential
            PsDscRunAsCredential = $DomainCredential
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName                    = 'test-server'
            PSDscAllowDomainUser        = $true
            PSDscAllowPlainTextPassword = $true
            # CertificateFile = "C:\PublicKeys\server1.cer"
        }
    )
}

$cred = Get-Credential -UserName testdomain\vif12066 -Message "Password please"

# Compile the MOF, checksum it for the pull server, then have the node pull it
dsc-node-config -DomainCredential $cred -ConfigurationData $cd -OutputPath 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
New-DscChecksum 'C:\Program Files\WindowsPowerShell\DscService\Configuration\test-server.mof' -Force
Update-DscConfiguration -ComputerName test-server

July 18, 2017 at 4:00 pm

Have you tried using "MembersToInclude" instead of "Members"? I haven't tried it yet, but this looks like it might do the trick.

July 18, 2017 at 11:42 pm

Thanks for your reply.

"MembersToInclude" can only add members to local groups, but it can't keep the members in local groups.

I have tried "MembersToInclude"; it can't meet my request to keep members.

July 19, 2017 at 1:27 pm

***EDIT*** Nevermind. That would remove the group. Checking.

July 19, 2017 at 1:31 pm

There should be a MembersToExclude Option if you're using PSDesiredStateConfiguration 1.1

PS C:\Users\lwinadmin> Get-DscResource Group -Syntax
Group [String] #ResourceName
{
    GroupName = [string]
    [Credential = [PSCredential]]
    [DependsOn = [string[]]]
    [Description = [string]]
    [Ensure = [string]{ Absent | Present }]
    [Members = [string[]]]
    [MembersToExclude = [string[]]]
    [MembersToInclude = [string[]]]
    [PsDscRunAsCredential = [PSCredential]]
}

July 20, 2017 at 2:18 am

Hi Will, Thanks for your reply.

From my view, MembersToExclude can specify the members which I don't want to add to the local administrators group, but it can't keep a member list in the local administrators group.

About the description of the Members parameter:

[String[]] Members (Write): The members the group should have. This property will replace all the current group members with the specified members. Members should be specified as strings in the format of their domain qualified name (domain\username), their UPN (username@domainname), their distinguished name (CN=username,DC=...), or their username (for local machine accounts). Using either the MembersToExclude or MembersToInclude properties in the same configuration as this property will generate an error.

From the wording, the Members parameter should keep the member list which I want to keep.

July 20, 2017 at 1:05 pm

Hi Allen,

I did a test on my side. The version of the Group resource shows as 1.1, so it's the original version. I used this for the configuration:

Group RDP 
            GroupName = "Remote Desktop Users"
            Ensure = "Present"
            Members = 

Then I added some extra domain users to the group manually. DSC was able to remove them without any problem.

I then tried it with xGroup and it worked fine too; it removed any extra users I added manually.

The only version I did not test is the one in the updated PSDscResources, as I'm having a problem importing it.
Do you know which version you are using that has the problem?

July 20, 2017 at 6:38 pm

Just for clarity, which of these statements meets your requirements? (or if none, can you explain further)

  • You need to add a list of members in machine local Administrators, without removing existing members
  • You need to set the list of members in machine local Administrators, and remove anyone not in the list, and remove any future accounts that are added using AutoCorrect
  • You need to set the list of members in machine local Administrators, without removing existing members, but remove any future accounts that are added using AutoCorrect

July 21, 2017 at 12:58 am

Hi Michael, thanks for your reply.

I mean as below

You need to set the list of members in machine local Administrators, without removing existing members, but remove any future accounts that are added using AutoCorrect

And I have set the LCM to ApplyAndAutoCorrect.

BTW: I got some information from the Microsoft forums, one Goodman answer:

If all of the members are present then nothing will be changed. You are also missing the local administrator which must be included.

I don't know whether this answer is helpful for this topic.

July 21, 2017 at 1:06 am

Hi Sylvain, thanks for your reply.

I used the Group resource in the PSDesiredStateConfiguration module with version 1.1,
and I also tried the xGroup resource in xPSDesiredStateConfiguration with version 6.4.

Both [x]Group resources work for the non-local administrators group. I tested them too.

But they are not working for the local administrators group. Did you try both resources on the local administrators group?

July 21, 2017 at 6:02 am

I think I understand the issue. Please confirm this is correct.

In your ideal scenario the resource would:

  • Capture the list of members of the machine local Administrator group
  • Add new members based on the Configuration properties
  • Store a list containing a combination of accounts that were previously in the Administrators group, plus accounts that were added by the Configuration
  • Prevent future changes by comparing against that stored list

If this understanding is correct, then you would need to fork and modify the resource to add this behavior. Currently, the resource does not capture and store information in this way (it would be challenging to do this securely).

However, you mentioned you are switching from using Group Policy. Were you using "Restricted Groups"? The behavior of that policy is to effect inclusion and exclusion, so any accounts not listed in the policy would have been removed.

A good next step might be to run a script that remotely confirms membership of the machine local Administrators group across servers?
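
The membership check suggested in the last post, sketched as an added example that is not part of the original thread and not code from any of the posters. The server name, the expected member lists and the function name `Compare-AdminMembership` are constructed placeholders; it assumes PowerShell remoting is enabled and the `Get-LocalGroupMember` cmdlet (PowerShell 5.1) is available on each server.

```powershell
# Constructed sample data: one allow-list per server, since each server
# in the thread has a different set of administrators.
$expected = @{
    'test-server' = @('testdomain\Domain Admins', 'TEST-SERVER\Administrator')
}

function Compare-AdminMembership {
    param(
        [string]   $ComputerName,
        [string[]] $Expected,   # members the group should have
        [string[]] $Actual      # members the server actually reports
    )
    # -notin is case-insensitive, which matches how Windows treats account names.
    [pscustomobject]@{
        ComputerName = $ComputerName
        Unexpected   = @($Actual   | Where-Object { $_ -and $_ -notin $Expected })
        Missing      = @($Expected | Where-Object { $_ -and $_ -notin $Actual })
        Error        = $null
    }
}

$report = foreach ($server in $expected.Keys) {
    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
        # lookup still works where the group has been renamed or localized.
        $actual = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
        }
        Compare-AdminMembership -ComputerName $server -Expected $expected[$server] -Actual $actual
    }
    catch {
        # A server that cannot be queried is reported rather than silently skipped.
        [pscustomobject]@{
            ComputerName = $server
            Unexpected   = @()
            Missing      = @()
            Error        = $_.Exception.Message
        }
    }
}

# Show only servers that drifted from their list or could not be checked.
$report | Where-Object { $_.Unexpected -or $_.Missing -or $_.Error } |
    Format-List ComputerName, Unexpected, Missing, Error
```

An entry under Unexpected is an account that a `Members` list in the DSC configuration would be expected to remove; an entry under Missing is one it would be expected to add.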