Using DSC with domain credentials

Welcome Forums General PowerShell Q&A Using DSC with domain credentials

This topic contains 2 replies, has 3 voices, and was last updated by

5 years, 11 months ago.

  • Author
  • #9554

    Topics: 3
    Replies: 1
    Points: 1
    Rank: Member

    I am trying to get DSC to work with operations that require a domain account for access. For instance, I would like to add a domain group to the local administrators group.

    First, you have to use a credential.

    But when I specify one, I get the following exception "error processing property 'Credential' OF TYPE 'LocalConfigurationManager': Converting and storing an encrypted password as plaintext is
    allowed only if PSDscAllowPlainTextPassword is set to true."

    I am unable to find where to set that variable, but I feel like I should be doing something to keep the password from being in plain text.

    I looked in the source code for PSDesiredStatConfiguration and it looks like I should be able to set a CertificateID, but that did not work either.

    Here is the code that I am trying:

    $password = Get-Content .\securestring.txt | ConvertTo-SecureString
    $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\dscuser",$password
    $certificate = Get-ChildItem cert:\LocalMachine\My | where{ $_.Subject -eq "CN=$($env:COMPUTERNAME)" }

    Configuration ServerProvisioning
    Node "*"
    CertificateID = $certificate.Thumbprint
    Credential =$credential

    Group AdminGroup
    Ensure ="Present"
    GroupName = "Administrators"
    MembersToInclude = "domain\admingroup"


    Does anyone have an example of using a domain credentials that works?

  • #9557

    Topics: 13
    Replies: 4872
    Points: 1,842
    Helping HandTeam Member
    Rank: Community Hero

    Keep in mind that DSC is still very much in beta – you probably need to be a bit careful about chasing an error too far, as it might just be unfinished code at this point. I'm gonna ping Steve Murawski, though, because he's been working with this a lot.

  • #9565

    Topics: 0
    Replies: 26
    Points: 21
    Rank: Member

    Encrypting secrets (like passwords) will require a certificate. There aren't any samples out there about how to configure that, and I haven't went far down that hole, since as Don mentioned, these are early bits and not production ready (and there could be changes down the line).

    I think that PSDscAllowPlainTextPassword might be in the LocalConfigurationManager meta configuration. I'll spin up a box with WMF3 and take a peek.

The topic ‘Using DSC with domain credentials’ is closed to new replies.