DSC Group Resource - Error on "NETWORK SERVICE" member

This topic contains 3 replies, has 2 voices, and was last updated by Arie H 7 months, 3 weeks ago.

  • #54933
    Steffen Hoppe
    Participant

    Hello @all.

    It seems that the MSFT_GroupResource has an error if the group to edit has a member "NETWORK SERVICE".

    It exits with an error like 'New-Object : Exception calling ".ctor" with "2" argument(s): "Server names cannot contain a space character.'

    Debugging the resource shows line 782 producing the exception.

    # ...
    [System.DirectoryServices.AccountManagement.Principal] $principal = $null
    
    # extract the objectSid from the underlying DirectoryEntry
    [System.DirectoryServices.DirectoryEntry] $entry = New-Object System.DirectoryServices.DirectoryEntry($item)
    [byte[]] $sidBytes = $entry.Properties["objectSid"].Value    # <--
    # ...
    
    Looks like the conversion to DirectoryEntry does not work here. Is there any way around this? Probably just customizing the resource...

    Thanks for the input.
    Steffen

    • This topic was modified 7 months, 3 weeks ago by Steffen Hoppe.
  • #54947
    Arie H
    Participant

    Can you check a local group with a space and a domain group with a space... It doesn't seem to be limited to just 'NETWORK SERVICE'.

    Should probably open an issue on PowerShell DSC repo on GitHub – https://github.com/PowerShell/DscResources

    • #54950
      Steffen Hoppe
      Participant

      Hi Arie,

      thanks for your time.

      I think you got me wrong. I do not want to add NETWORK SERVICE, it is already a member of the group. Changing the members using the "Group" resource fails with the above error message. 🙁

      If I remove NETWORK SERVICE from the group before running my DSC config, everything works fine. That is not a viable solution, though.

      Cheers,
      Steffen

  • #54963
    Arie H
    Participant

    Hi,

    I think it might be something to do with DirectoryService not working with local built-in SIDs but rather domain ones, but since I don't think you're the first to try this and this hasn't been reported yet, I assume it's a matter of syntax.

    Instead of 'Network Service' as the value in your DSC script, try 'NT AUTHORITY\NETWORK SERVICE' or 'BUILTIN\NETWORK SERVICE' or 'ServerName\NETWORK SERVICE' replacing ServerName with the real name of your server. IIRC the first one should be the one I've seen used in the past.
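
A diagnostic for the two questions raised in the thread, added here as an example (not code from the Group resource or from either poster): which of the suggested name forms resolve to the NETWORK SERVICE SID on the node, and what path and SID each existing member of a local group reports. The function names and the 'Administrators' group are assumptions; substitute the group your configuration manages.

```powershell
# Added diagnostic, not part of MSFT_GroupResource. Run on the affected node.

# Name forms mentioned in the thread; the last one uses the local computer name.
$candidates = @(
    'NETWORK SERVICE',
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\NETWORK SERVICE',
    "$env:COMPUTERNAME\NETWORK SERVICE"
)

# Reference SID for NETWORK SERVICE, built from the well-known SID type.
$expected = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)

# Hypothetical helper: try to translate one account name to a SID.
function Test-AccountName {
    param([string] $Name, [System.Security.Principal.SecurityIdentifier] $ExpectedSid)
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Name = $Name; Sid = $sid.Value; Matches = ($sid.Value -eq $ExpectedSid.Value); Error = $null }
    }
    catch {
        # Names that cannot be mapped end up here; keep the message for the report.
        [pscustomobject]@{ Name = $Name; Sid = $null; Matches = $false; Error = $_.Exception.Message }
    }
}

# Hypothetical helper: list the members of a local group through the WinNT
# provider, with the ADsPath and objectSid that each member reports.
function Get-LocalGroupMemberSid {
    param([string] $GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in $group.Invoke('Members')) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
        $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        [pscustomobject]@{ ADsPath = $path; Sid = $sid.Value }
    }
}

$candidates | ForEach-Object { Test-AccountName -Name $_ -ExpectedSid $expected } | Format-Table -AutoSize
Get-LocalGroupMemberSid -GroupName 'Administrators' | Format-Table -AutoSize   # example group name
```

Only name forms reported with `Matches = True` refer to the same account as the existing member, which makes them the ones worth trying in the configuration.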
