DSC group resource can't remove domain user from local administrators group

  • Question

  • I want to use a DSC resource to keep a few users [local users and domain users] in the local administrators group.

    But I found that when I added another domain user which is not in the script below, DSC can't delete this domain user from the local administrators group.

    configuration dsc-node-config {

        param
        (
            [PSCredential] $DomainCredential
        )

        Node test-server
        {
            Group Administrators
            {
                GroupName  = 'Administrators'
                Ensure     = 'Present'
                Members    = @(
                    'testdomain\uf012066',
                    'testdomain\uf033913',
                    'testdomain\Domain Admins',
                    'testdomain\ServerAdministrator',
                    'TESTUser',
                    'testdomain\vs000974')
                Credential = $DomainCredential
            }
        }
    }

    $cd = @{
        AllNodes = @(
            @{
                NodeName                    = 'test-server'
                PSDscAllowDomainUser        = $true
                # With this setting the credential's password is written to the MOF unencrypted
                PSDscAllowPlainTextPassword = $true
            }
        )
    }

    $cred = Get-Credential -UserName testdomain\vif12066 -Message "Password please"

    dsc-node-config -DomainCredential $cred -ConfigurationData $cd -OutputPath 'C:\Program Files\WindowsPowerShell\DscService\Configuration'

    • Moved by Bill_Stewart Friday, January 26, 2018 6:35 PM Abandoned
    Friday, July 14, 2017 8:17 AM

All replies

  • This would be done using Group Policy "Restricted Groups".


    \_(ツ)_/

    Friday, July 14, 2017 8:35 AM
  • Thanks for your reply.

    We have lots of Windows Servers, and each Windows Server has different domain users in the local administrators group. We want to use PowerShell DSC to control the users in the local administrators group in each different .MOF file; that's why I want to use PowerShell DSC to replace the GPO setting.

    Friday, July 14, 2017 12:36 PM
  • You are not adding the local admin account which is required.

    See example 2 here: https://msdn.microsoft.com/en-us/powershell/dsc/groupresource


    \_(ツ)_/

    Friday, July 14, 2017 12:56 PM
  • Hi jrv, Thanks for your reply.

    I added "PsDscRunAsCredential" as in the code below, but it still can't remove the domain users which are not in the desired member list below.

    configuration dsc-node-config {

        param
        (
            [PSCredential] $DomainCredential
        )

        Import-DscResource -ModuleName PSDesiredStateConfiguration

        Node test-server
        {
            Group Administrators
            {
                GroupName            = 'Administrators'
                Ensure               = 'Present'
                Members              = @(
                    'testdomain\uf012066',
                    'testdomain\uf033913',
                    'testdomain\Domain Admins',
                    'testdomain\ServerAdministrator',
                    'BBAUser',
                    'testdomain\vs000974')
                Credential           = $DomainCredential
                PsDscRunAsCredential = $DomainCredential
            }
        }
    }

    $cd = @{
        AllNodes = @(
            @{
                NodeName                    = 'test-server'
                PSDscAllowDomainUser        = $true
                PSDscAllowPlainTextPassword = $true
                # CertificateFile = "C:\PublicKeys\server1.cer"
            }
        )
    }

    $cred = Get-Credential -UserName testdomain\vif12066 -Message "Password please"

    dsc-node-config -DomainCredential $cred -ConfigurationData $cd -OutputPath 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
    New-DscChecksum 'C:\Program Files\WindowsPowerShell\DscService\Configuration\test-server.mof' -Force
    Update-DscConfiguration -ComputerName test-server


    Tuesday, July 18, 2017 7:41 AM
  • If all of the members are present then nothing will be changed.  You are also missing the local administrator, which must be included.


    \_(ツ)_/

    Tuesday, July 18, 2017 2:09 PM
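
Added example (not part of the thread and not code from any poster): a PowerShell check that compares a desired member list, like the one in the question, against what a node reports for its local Administrators group, so drift can be seen independently of DSC. The node name `TEST-SERVER`, the `$actual` sample and `testdomain\extrauser` are constructed, and the helper function names are hypothetical.

```powershell
# Added example: report drift between a desired member list and the actual
# membership of the local Administrators group.

function ConvertTo-QualifiedName {
    param([string]$Name, [string]$ComputerName)
    # Unqualified names such as 'TESTUser' are treated as local accounts.
    if ($Name -notmatch '\\') { $Name = "$ComputerName\$Name" }
    # Account names are case-insensitive on Windows, so compare in lower case.
    $Name.ToLowerInvariant()
}

function Compare-GroupMembership {
    param(
        [string[]]$Desired,
        [string[]]$Actual,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $want = @($Desired | Where-Object { $_ } |
        ForEach-Object { ConvertTo-QualifiedName $_ $ComputerName })
    $have = @($Actual | Where-Object { $_ } |
        ForEach-Object { ConvertTo-QualifiedName $_ $ComputerName })
    [pscustomobject]@{
        Unexpected = @($have | Where-Object { $_ -notin $want })  # present, not desired
        Missing    = @($want | Where-Object { $_ -notin $have })  # desired, not present
    }
}

# Desired list taken from the configuration in the question.
$desired = @(
    'testdomain\uf012066', 'testdomain\uf033913', 'testdomain\Domain Admins',
    'testdomain\ServerAdministrator', 'TESTUser', 'testdomain\vs000974'
)

# Constructed sample of what the node reports (not real output).
$actual = @(
    'TEST-SERVER\Administrator', 'TEST-SERVER\TESTUser',
    'TESTDOMAIN\Domain Admins', 'TESTDOMAIN\ServerAdministrator',
    'TESTDOMAIN\uf012066', 'TESTDOMAIN\uf033913', 'TESTDOMAIN\vs000974',
    'TESTDOMAIN\extrauser'   # constructed extra domain user
)

$drift = Compare-GroupMembership -Desired $desired -Actual $actual -ComputerName 'TEST-SERVER'
"Unexpected: $($drift.Unexpected -join ', ')"
"Missing:    $($drift.Missing -join ', ')"

# On a live node, replace the sample with the real membership:
#   $actual = (Get-LocalGroupMember -Group 'Administrators').Name
```

With the sample data, the built-in local Administrator is reported as unexpected alongside the extra domain user, because it is not in the desired list.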