ActiveDirectoryDsc
ADGroup: Cannot add group from trusting domain using distinguished name
Problem description
Trying to add a group from a trusting domain to a domain local group using distinguished name.
Working with ActiveDirectory 6.1.0-preview0005. NOT working with ActiveDirectory 6.2.0.
Verbose logs
VERBOSE: [server]: LCM: [ Start Resource ] [[ADGroup]Group]
VERBOSE: [server]: LCM: [ Start Test ] [[ADGroup]Group]
VERBOSE: [server]: [[ADGroup]Group] Retrieving AD Group 'Group'. (ADG0021)
VERBOSE: [server]: [[ADGroup]Group] The AD Group 'Group' is present. (ADG0023)
VERBOSE: [server]: [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [server]: [[ADGroup]Group] Checking for 'Included' members. (ADCOMMON0019)
VERBOSE: [server]: [[ADGroup]Group] Member 'CN=Group,DC=domain,DC=tld' is not in the desired state. (ADCOMMON0021)
VERBOSE: [server]: [[ADGroup]Group] Membership is NOT in the desired state. (ADCOMMON0024)
VERBOSE: [server]: [[ADGroup]Group] Group membership is NOT in the desired state. (ADG0002)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Ensure' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Category' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'GroupScope' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Description' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Notes' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Path' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'GroupName' is in desired state. (DRC0039)
VERBOSE: [server]: LCM: [ End Test ] [[ADGroup]Group] in 0.0320 seconds.
VERBOSE: [server]: LCM: [ Start Set ] [[ADGroup]Group]
VERBOSE: [server]: [[ADGroup]Group] Retrieving AD Group 'Group'. (ADG0021)
VERBOSE: [server]: [[ADGroup]Group] The AD Group 'Group' is present. (ADG0023)
VERBOSE: [server]: [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Ensure' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Category' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'GroupScope' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Description' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Notes' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'Path' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] The parameter 'GroupName' is in desired state. (DRC0039)
VERBOSE: [server]: [[ADGroup]Group] Adding 'CN=Group,DC=domain,DC=tld' member(s) to AD group 'Group'. (ADG0003)
VERBOSE: [server]: LCM: [ End Set ] [[ADGroup]Group] in 0.0620 seconds.
PowerShell DSC resource MSFT_ADGroup failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Unable to resolve ObjectSID value from DistinguishedName
'CN=Group,DC=domain,DC=tld'. (ADCOMMON0062)
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : server.domain.dom
DSC configuration
$DN = (Get-ADGroup -Server 'trusting domain' -Identity 'Groupname').DistinguishedName
...
ADGroup 'Group' {
    GroupName           = 'Group'
    GroupScope          = 'DomainLocal'
    Category            = 'Security'
    MembershipAttribute = 'DistinguishedName'
    MembersToInclude    = @($DN)
    Description         = 'Text'
    Notes               = 'Text'
    Path                = $Path
    Ensure              = 'Present'
}
Suggested solution
No
Operating system the target node is running
OsName : Microsoft Windows Server 2016 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 14393.5582.amd64fre.rs1_release.221130-1719
OsLanguage : en-US
OsMuiLanguages : {en-US}
PSComputerName : server.domain.dom
RunspaceId : a773a2d0-30f5-4d06-bcd9-2b0264011b7c
PowerShell version and build the target node is running
Name                           Value
----                           -----
PSVersion                      5.1.14393.5127
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.5127
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
ActiveDirectoryDsc version
Name               Version Path
----               ------- ----
ActiveDirectoryDsc 6.2.0   C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.2.0\ActiveDirectoryDsc.psd1