
This topic contains 5 replies, has 2 voices, and was last updated by  Raymond Piller 1 month ago.

  • #99265

    Raymond Piller
    Participant

    During the execution of a Custom Resource, I'd like the Custom Resource to be able to look at the DependsOn property. Unfortunately, this doesn't seem possible as the DependsOn property is not made available to the Set-TargetResource or Test-TargetResource functions.

    I'm working on an adjustment to the Registry resource. If it's not accepted, I'll just make an alternative Custom Resource and make it available.

    Is there a way to get access to the DependsOn property without digging through Get-DscConfiguration?

  • #99267

    Don Jones
    Keymaster

    Nope. DependsOn is intended for the LCM, and it isn't passed through to resources.

    May I ask what the use case is?

  • #99270

    Raymond Piller
    Participant

    I linked the GitHub issue that I'm working on that has a lot of detail about it. I'll try to summarize it here ...

    The Registry resource is missing a fundamental action that would allow it to mimic some functionality of many GPO settings. One particular GPO setting is the OneDrive AllowTenantList. This is a registry key with one value under it for each item in the list. Of course, we can create a Registry resource config for each item in the list, but what about any registry values that aren't managed? How do I clear out the extra values under that key? Of course, this could be done with a Script resource, but that's just lame that the Registry resource can't handle it natively. So I proposed the following configuration:

    Registry OneDrive_AllowTenantList_1
    {
        Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive\AllowTenantList'
        ValueName = '1'
        ValueData = 'My Tenant'
        ValueType = 'String'
    }
    
    Registry OneDrive_AllowTenantList_2
    {
        Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive\AllowTenantList'
        ValueName = '2'
        ValueData = 'Trusted Tenant'
        ValueType = 'String'
    }
    
    Registry OneDrive_AllowTenantList_CleanUpExcess
    {
        Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive\AllowTenantList'
        ValueName = '' # Ideally without this property
        RemoveExcessValueNames = $true
        DependsOn = @(
            '[Registry]OneDrive_AllowTenantList_1',
            '[Registry]OneDrive_AllowTenantList_2'
        )
    }

    The final Registry resource configuration would remove the values under the Key that aren't being managed by the Registry resource configurations in the DependsOn Property; suggested implementation is in the GitHub issue.

    Since I'm nearing defeat, I thought about implementing RemoveExcessValueNames with this code; but it's not as DRY:

    Registry OneDrive_AllowTenantList_CleanUpExcess
    {
        Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive\AllowTenantList'
        ValueName = '' # Ideally without this property
        RemoveExcessValueNames = @('1', '2')
        DependsOn = @(
            '[Registry]OneDrive_AllowTenantList_1',
            '[Registry]OneDrive_AllowTenantList_2'
        )
    }

    Arguably, with this syntax you could add Values that you don't want to manage, and also don't want to delete. Otherwise, you would have to add another Registry resource to ensure that at least the Value exists; even if I don't want to manage the Data. I believe that Registry resource configuration would look something like this:

    Registry OneDrive_AllowTenantList_DoNotDelete
    {
        Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive\AllowTenantList'
        ValueName = 'DoNotDelete'
    }

    Currently, I am trying to figure out how I can at least get my Instance Name (such as: [Registry]OneDrive_AllowTenantList_CleanUpExcess) from within the Set-TargetResource function. If I could get that, I could use Get-DscConfiguration to get my DependsOn information, and use that to get the Keys/Value information for the relevant Registry blocks ... I think. 😀

  • #99277

    Raymond Piller
    Participant

    By the way, this is what the Script resource to do the cleanup looks like:

    $RegKey = 'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive\AllowTenantList'
    $AllowedValueNames = @('1', '2')
    
    Script OneDrive_AllowTenantList_CleanUpExcess {
        GetScript = {
            $Key = Get-Item -LiteralPath $using:RegKey
            $ValueHashtable = @{}
    
            foreach ($Value in $Key.Property)
            {
                $ValueHashtable.Add($Value, $Key.GetValue($Value))
            }
    
            return @{ Result = ($ValueHashtable | Out-String).Trim() }
        }
        SetScript = {
            $Key = Get-Item -LiteralPath $using:RegKey
            $NotAllowedValues = $Key.Property | Where-Object{ $using:AllowedValueNames -notcontains $_ }
    
            foreach ($Value in $NotAllowedValues)
            {
                Remove-ItemProperty -LiteralPath $using:RegKey -Name $Value -Force
            }
        }
        TestScript = {
            $Key = Get-Item -LiteralPath $using:RegKey
            $NotAllowedValues = $Key.Property | Where-Object{ $using:AllowedValueNames -notcontains $_ }
    
            if ($NotAllowedValues.Count -gt 0)
            {
                return $false
            }
            else
            {
                return $true
            }
        }
        DependsOn = @(
            '[Registry]OneDrive_AllowTenantList_1',
            '[Registry]OneDrive_AllowTenantList_2'
        )
    }
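
One way to address the DRY concern raised in this post, shown as an added example that is not part of the original thread: the tenant list is declared once, and both the Registry resources and the cleanup Script resource (including its DependsOn list) are generated from it. The configuration name, node name and the `$Tenants`, `$KeyPath` and `$CleanUpDependsOn` variables are assumptions made for illustration.

```powershell
# Added example, not code from the thread; names and tenant values are constructed.
Configuration OneDriveAllowTenantList
{
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    # Single source of truth: registry value name -> value data.
    $Tenants = @{ '1' = 'My Tenant'; '2' = 'Trusted Tenant' }
    $KeyPath = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive\AllowTenantList'
    $RegKey  = "Registry::$KeyPath"

    # Both lists are derived from $Tenants, so they cannot drift apart.
    $AllowedValueNames = @($Tenants.Keys)
    $CleanUpDependsOn  = @($Tenants.Keys | ForEach-Object { "[Registry]OneDrive_AllowTenantList_$_" })

    Node 'localhost'
    {
        foreach ($Entry in $Tenants.GetEnumerator())
        {
            Registry "OneDrive_AllowTenantList_$($Entry.Key)"
            {
                Key       = $KeyPath
                ValueName = $Entry.Key
                ValueData = $Entry.Value
                ValueType = 'String'
            }
        }

        Script OneDrive_AllowTenantList_CleanUpExcess
        {
            GetScript  = {
                $Key = Get-Item -LiteralPath $using:RegKey
                return @{ Result = ($Key.Property -join ', ') }
            }
            TestScript = {
                # In desired state only when no unmanaged value names remain.
                $Key = Get-Item -LiteralPath $using:RegKey
                $Excess = @($Key.Property | Where-Object { $using:AllowedValueNames -notcontains $_ })
                return ($Excess.Count -eq 0)
            }
            SetScript  = {
                $Key = Get-Item -LiteralPath $using:RegKey
                $Key.Property | Where-Object { $using:AllowedValueNames -notcontains $_ } |
                    ForEach-Object { Remove-ItemProperty -LiteralPath $using:RegKey -Name $_ -Force }
            }
            DependsOn  = $CleanUpDependsOn
        }
    }
}
```

Adding or removing a tenant then means editing only `$Tenants`; the allow-list used by the cleanup and the dependency list follow automatically.
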
  • #99288

    Don Jones
    Keymaster

    Yeah, so, short answer is, "no, you can't" (grin) which you probably knew. "Expanding the functionality of the product" is definitely better handled in GitHub as you've done.

  • #99291

    Raymond Piller
    Participant

    Do you know if there's a way that I can at least get my Instance Name (such as: [Registry]OneDrive_AllowTenantList_CleanUpExcess) from within the Set-TargetResource (or any other TargetResource) function?
