Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADGroup: Cannot Manage Child Domain User Membership Using DistinguishedName in v6.1.0-preview0006 #633

Open
X-Guardian opened this issue Nov 15, 2020 · 2 comments · May be fixed by #651
Open

ADGroup: Cannot Manage Child Domain User Membership Using DistinguishedName in v6.1.0-preview0006 #633

X-Guardian opened this issue Nov 15, 2020 · 2 comments · May be fixed by #651
Labels
blocking release The issue or pull request is blocking the next release. Higher priority than label 'High priority'. bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.

Comments

@X-Guardian
Copy link
Contributor

Details of the scenario you tried and the problem that is occurring

With the preview module v6.1.0-preview0006, containing the modified ADGroup resource code from PR #620, managing child domain user membership of an AD Group using the DistinguishedName MembershipAttribute now fails.

This is a blocker for the release of v6.1.0 of the module.

Verbose logs showing the problem

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DSC01 with user sid S-1-5-21-3553084080-2500667019-4197401787-500.
VERBOSE: [DSC01]: LCM:  [ Start  Set      ]
DEBUG: [DSC01]:                            [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.psd1 not found
DEBUG: [DSC01]:                            [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.strings.psd1
DEBUG: [DSC01]:                            [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.psd1 not found
DEBUG: [DSC01]:                            [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.strings.psd1
DEBUG: [DSC01]:                            [DSCEngine] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.psd1 not
 found
DEBUG: [DSC01]:                            [DSCEngine] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.strings.psd1
VERBOSE: [DSC01]: LCM:  [ Start  Resource ]  [[ADGroup]Group]
VERBOSE: [DSC01]: LCM:  [ Start  Test     ]  [[ADGroup]Group]
DEBUG: [DSC01]:                            [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.psd1 not found
DEBUG: [DSC01]:                            [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\DscResource.Common\0.9.0\en-US\DscResource.Common.strings.psd1
DEBUG: [DSC01]:                            [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.psd1 not found
DEBUG: [DSC01]:                            [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\Modules\ActiveDirectoryDsc.Common\en-US\ActiveDirectoryDsc.Common.strings.psd1
DEBUG: [DSC01]:                            [[ADGroup]Group] File C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.psd1 not found
DEBUG: [DSC01]:                            [[ADGroup]Group] Found C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.1.0\DscResources\MSFT_ADGroup\en-US\MSFT_ADGroup.strings.psd1
VERBOSE: [DSC01]:                            [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [DSC01]:                            [[ADGroup]Group] Group membership is NOT in the desired state. (ADG0002)
VERBOSE: [DSC01]: LCM:  [ End    Test     ]  [[ADGroup]Group]  in 3.1880 seconds.
VERBOSE: [DSC01]: LCM:  [ Start  Set      ]  [[ADGroup]Group]
VERBOSE: [DSC01]:                            [[ADGroup]Group] Group membership objects are in '1' different AD Domains. (ADG0013)
VERBOSE: [DSC01]:                            [[ADGroup]Group] Updating AD Group 'Dsc-Test-Group-1'. (ADG0006)
VERBOSE: [DSC01]:                            [[ADGroup]Group] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
VERBOSE: [DSC01]:                            [[ADGroup]Group] Adding '1' member(s) to AD group 'Dsc-Test-Group-1'. (ADG0003)
DEBUG: [DSC01]:                            [[ADGroup]Group] Resolving ObjectSID values based on supplied DistinguishedName values. (ADCOMMON0063)
DEBUG: [DSC01]:                            [[ADGroup]Group] Looking up AD Object based on ObjectSID 'DistinguishedName' to retrieve CN=childuser,CN=Users,DC=child1,DC=gteck,DC=com value. (ADCOMMON0066)
VERBOSE: [DSC01]: LCM:  [ End    Set      ]  [[ADGroup]Group]  in 1.5440 seconds.
PowerShell DSC resource MSFT_ADGroup  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Unable to resolve ObjectSID value 
from DistinguishedName 'CN=childuser,CN=Users,DC=child1,DC=gteck,DC=com'. (ADCOMMON0062) 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
 
VERBOSE: [DSC01]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 9.583 seconds

Suggested solution to the issue

The Get-ADObject call in the Resolve-MembersSecurityIdentifier common function is failing to get details of the user from the child domain. This can be resolved by targeting a global catalog server on this call -Server :3268, which then allows child domain users specified as Distinguished Names to be successfully added to groups. This does not allow the removal of child domain users however, which fail with the following error:

PowerShell DSC resource MSFT_ADGroup  failed to execute Set-TargetResource functionality with error message: 
System.InvalidOperationException: Unable to set the group membership for AD Group 'Dsc-Test-Group-1'. (ADCOMMON0030)
---> Microsoft.ActiveDirectory.Management.ADException: The specified account name is not a member of the group
---> System.ServiceModel.FaultException: Active Directory returned an error processing the operation.

Investigating this, it looks as if removing child domain members of a group by specifying the user SID in the Remove parameter of SetADGroup does not work. i.e.

Set-ADGroup -Identity 'CN=Dsc-Test-Group-1,OU=Groups,DC=gteck,DC=com' -Remove @{member='<SID=S-1-5-21-2513631178-1071234245-3612136875-1104>'}

Unfortunately, the group membership processing change that was introduced in PR #620 to resolve managing user membership across one way forest trusts currently relies on this functionality.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration ADGroup
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $adminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName ActiveDirectoryDsc -ModuleVersion 6.1.0

    $domainName = 'gteck.com'
    $childDomainName = "child1.$domainName"

    $domainFQDN = 'DC=' + $domainName.replace('.', ',DC=')
    $childDomainFQDN = 'DC=' + $childDomainName.replace('.', ',DC=')

    Node localhost
    {

        ADGroup Group {
            GroupName            = "Dsc-Test-Group-1"
            GroupScope           = "DomainLocal"
            Path                 = "OU=Groups,$domainFQDN"
            MembershipAttribute  = 'DistinguishedName'
            Members              = @(
                "CN=childuser,CN=Users,$childDomainFQDN"
            )
            PsDscRunAsCredential = $adminCredential
        }
    }
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

PSVersion                      5.1.17763.1490
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.1490
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

v6.1.0-preview0006
@johlju johlju added blocking release The issue or pull request is blocking the next release. Higher priority than label 'High priority'. bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Nov 16, 2020
@johlju
Copy link
Member

johlju commented Nov 16, 2020

Great that you found this, and awesome diagnosis of the problem! Should we revert the change that was introduced in PR #620, or do you see a way forward?

@X-Guardian
Copy link
Contributor Author

We can support all scenarios (same domain member, child domain member and one-way forest trust member) but it will need a rethink and refactor of the member addition/deletion code.

I've raised PR #631 to refactor the ADGroup resource, but this doesn't include any fix for this issue. I intend to finish that PR first, get it reviewed and merged then work on another PR to fix the child domain member support.

@X-Guardian X-Guardian mentioned this issue Dec 5, 2020
Open
8 tasks
@X-Guardian X-Guardian linked a pull request Apr 10, 2021 that will close this issue
Draft
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocking release The issue or pull request is blocking the next release. Higher priority than label 'High priority'. bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ADGroup: Fix Child Domain User Membership X-Guardian/ActiveDirectoryDsc
2 participants
@johlju @X-Guardian