ADGroup: Cannot add group from trusting domain using distinguished name #696

@TorstenSchnitter

Problem description

Trying to add a group from a trusting domain to a domain local group using distinguished name.

working with ActiveDirectory 6.1.0-preview0005
NOT working with ActiveDirectory 6.2.0

Verbose logs

VERBOSE: [server]: LCM:  [ Start  Resource ]  [[ADGroup]Group]
VERBOSE: [server]: LCM:  [ Start  Test     ]  [[ADGroup]Group]
VERBOSE: [server]:                            [[ADGroup]Group] Retrieving AD Group 'Group'. (ADG0021)
VERBOSE: [server]:                            [[ADGroup]Group] The AD Group 'Group' is present. (ADG0023)
VERBOSE: [server]:                            [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [server]:                            [[ADGroup]Group] Checking for 'Included' members. (ADCOMMON0019)
VERBOSE: [server]:                            [[ADGroup]Group] Member 'CN=Group,DC=domain,DC=tld' is not in the desired state. (ADCOMMON0021)
VERBOSE: [server]:                            [[ADGroup]Group] Membership is NOT in the desired state. (ADCOMMON0024)
VERBOSE: [server]:                            [[ADGroup]Group] Group membership is NOT in the desired state. (ADG0002)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Ensure' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Category' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'GroupScope' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Description' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Notes' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Path' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'GroupName' is in desired state. (DRC0039)
VERBOSE: [server]: LCM:  [ End    Test     ]  [[ADGroup]Group]  in 0.0320 seconds.
VERBOSE: [server]: LCM:  [ Start  Set      ]  [[ADGroup]Group]
VERBOSE: [server]:                            [[ADGroup]Group] Retrieving AD Group 'Group'. (ADG0021)
VERBOSE: [server]:                            [[ADGroup]Group] The AD Group 'Group' is present. (ADG0023)
VERBOSE: [server]:                            [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Ensure' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Category' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'GroupScope' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Description' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Notes' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'Path' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] The parameter 'GroupName' is in desired state. (DRC0039)
VERBOSE: [server]:                            [[ADGroup]Group] Adding 'CN=Group,DC=domain,DC=tld' member(s) to AD group 'Group'. (ADG0003)
VERBOSE: [server]: LCM:  [ End    Set      ]  [[ADGroup]Group]  in 0.0620 seconds.
PowerShell DSC resource MSFT_ADGroup  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Unable to resolve ObjectSID value from DistinguishedName 
'CN=Group,DC=domain,DC=tld'. (ADCOMMON0062) 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : server.domain.dom

DSC configuration

$DN = (Get-ADGroup -Server 'trusting domain' -Identity 'Groupname').DistinguishedName
...
ADGroup 'Group' {
    GroupName           = 'Group'
    GroupScope          = 'DomainLocal'
    Category            = 'Security'
    MembershipAttribute = 'DistinguishedName'
    MembersToInclude    = @($DN)
    Description         = 'Text'
    Notes               = 'Text'
    Path                = $Path
    Ensure              = 'Present'
}

Suggested solution

No

Operating system the target node is running

OsName               : Microsoft Windows Server 2016 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 14393.5582.amd64fre.rs1_release.221130-1719
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
PSComputerName       : server.domain.dom
RunspaceId           : a773a2d0-30f5-4d06-bcd9-2b0264011b7c

PowerShell version and build the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.14393.5127
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.5127
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

ActiveDirectoryDsc version

Name               Version Path
----               ------- ----
ActiveDirectoryDsc 6.2.0   C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.2.0\ActiveDirectoryDsc.psd1

Labels

enhancement: The issue is an enhancement request.
help wanted: The issue is up for grabs for anyone in the community.