
December 13, 2016 at 3:10 pm

Hello,

I am looking for a simple DSC script (using the Group resource) which can be used to add multiple AD groups into local administrators on multiple servers. Could someone please help?

December 14, 2016 at 3:56 pm

Please see if the below works for you in a test environment. You'll need to work with certificates to properly secure the credential password.

Configuration AddGroupMembers {

    param (
        [Parameter(Mandatory)]
        [System.String]
        $GroupName,

        [Parameter(Mandatory)]
        [System.String[]]
        $MembersToInclude,

        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration -Name Group

    Node $AllNodes.NodeName { 
        Group AddGroupMembers {
            Ensure = 'Present'
            GroupName = $GroupName
            MembersToInclude = $MembersToInclude
            Credential = $Credential
        }
    }
}

$ConfigData = @{
    AllNodes = @(
        @{
            # the name of the target node
            NodeName = 'localhost'

            # This is not recommended, only for testing purposes. Replace with Thumbprint and CertificateFile after testing.
            PsDscAllowPlainTextPassword = $true

            # Suppress warning: It is not recommended to use domain credential ...
            PSDscAllowDomainUser = $true
        }
    )
}

$AddParams = @{
    GroupName = 'Event Log Readers'
    MembersToInclude = 'DOMAIN\my-group'
    Credential = (Get-Credential -Credential 'DOMAIN\admin user')
    ConfigurationData = $ConfigData
}
AddGroupMembers @AddParams

I hope that helps to get started. Additional details regarding the encryption can be found here: https://msdn.microsoft.com/en-us/powershell/dsc/secureMOF

The online documentation for the Group resource is here: https://msdn.microsoft.com/en-us/powershell/dsc/groupresource
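
The certificate-based variant the reply points to, as an added example that is not part of the original post: it drops PsDscAllowPlainTextPassword, encrypts the credential per node with CertificateFile and Thumbprint, and extends the test configuration to several servers and several AD groups. The server names, .cer paths, thumbprint placeholders and group names are assumptions; each node must already hold the matching private key, and its public certificate must have been exported to the authoring machine.

```powershell
# Added example. Node names, .cer paths and thumbprints are placeholders.
Configuration AddLocalAdminsEncrypted {
    param (
        [Parameter(Mandatory)]
        [System.String[]]
        $MembersToInclude,

        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration -Name Group

    Node $AllNodes.NodeName {
        # Emits <node>.meta.mof: tells the node's LCM which certificate
        # (private key held on that node) decrypts the credential.
        LocalConfigurationManager {
            CertificateId = $Node.Thumbprint
        }

        Group LocalAdministrators {
            Ensure           = 'Present'
            GroupName        = 'Administrators'
            MembersToInclude = $MembersToInclude
            Credential       = $Credential
        }
    }
}

# One entry per server, each with its own public certificate and thumbprint.
# CertificateFile makes the compiler encrypt the password in that node's MOF;
# PsDscAllowPlainTextPassword is deliberately absent.
$ConfigData = @{
    AllNodes = @(
        @{ NodeName = 'SERVER01'; CertificateFile = 'C:\publicKeys\SERVER01.cer'
           Thumbprint = '<SERVER01-CERT-THUMBPRINT>'; PSDscAllowDomainUser = $true },
        @{ NodeName = 'SERVER02'; CertificateFile = 'C:\publicKeys\SERVER02.cer'
           Thumbprint = '<SERVER02-CERT-THUMBPRINT>'; PSDscAllowDomainUser = $true }
    )
}

$Params = @{
    MembersToInclude  = 'DOMAIN\group-a', 'DOMAIN\group-b'
    Credential        = (Get-Credential -Credential 'DOMAIN\admin user')
    ConfigurationData = $ConfigData
    OutputPath        = '.\AddLocalAdminsEncrypted'
}
AddLocalAdminsEncrypted @Params

Set-DscLocalConfigurationManager -Path $Params.OutputPath   # apply *.meta.mof first
Start-DscConfiguration -Path $Params.OutputPath -Wait -Verbose
```

MembersToInclude only adds the listed groups and leaves existing members of the local Administrators group in place.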