dsccommunity / ActiveDirectoryDsc

This module contains DSC resources for deployment and configuration of Active Directory Domain Services.
MIT License

ActiveDirectoryDsc: ADGroup still fails with members with foreign security principals in v6.2.0-preview0001 #654

Open dslcleve opened 3 years ago

dslcleve commented 3 years ago

Details of the scenario you tried and the problem that is occurring

We have ADGroup DSC resources that create several groups in different OUs. After some of these groups are created by DSC, we manually add cross-domain members (foreign security principals). With ActiveDirectoryDsc version 6.0.1, we get errors as described here: https://github.com/dsccommunity/ActiveDirectoryDsc/issues/619. We upgraded to ActiveDirectoryDsc version 6.2.0-preview0001. The number of these errors went from the 20s to under 10.

The fix in 6.2.0 for this problem checks specifically for the following in Get-TargetResource in MSFT_ADGroup.psm1:

    $oneWayTrustFullyQualifiedErrorId = 'ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'

But for some reason that I haven't determined, some of the groups return the following error instead (8224 instead of 0):

    ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Verbose logs showing the problem

Following is a snippet of the logs for one of the groups. I replaced the group name to XXXXX:

VERBOSE: Invoking AWS Systems Manager operation --output truncated--, CommandId:9d14e6b5-c93e-45ff-b27b-cbb2ae325979, DocumentVersion:$DEFAULT, ExecutionElapsedTime:PT30M2.993S, StandardErrorContent:PowerShell DSC resource MSFT_ADGroup  failed to execute Test-TargetResource 
functionality with error message: System.InvalidOperationException: Error 
retrieving membership for AD Group 'XXXXX'. (ADG0014) ---> 
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred 
---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.Active
Directory.CustomActions.GetADGroupMemberFault]: Active Directory returned an 
error processing the operation.
Server stack trace: 
   at 
System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime 
operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean 
oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan 
timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCal
lMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage 
reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& 
msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManag
ement.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetA
DGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErro
rCode(String message, String errorCode, String extendedErrorMessage, Exception 
innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(Custom
ActionFault caFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetA
DGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.Ac
tiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle 
handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(
String partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroup
MemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace --- 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

Suggested solution to the issue

I did the following in Get-TargetResource in MSFT_ADGroup.psm1 and it remedied my problem:

        # This FullyQualifiedErrorId is indicative of a failure to retrieve members with Get-ADGroupMember
        # for a one-way trust
        $oneWayTrustFullyQualifiedErrorId = `
            'ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'
        # Same failure, but reported with server error code 8224 (ERROR_DS_OPERATIONS_ERROR,
        # "An operations error occurred") for some groups
        $oneWayTrustFullyQualifiedErrorId8224 = `
            'ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'

        if (($_.FullyQualifiedErrorId -eq $oneWayTrustFullyQualifiedErrorId) -or
            ($_.FullyQualifiedErrorId -eq $oneWayTrustFullyQualifiedErrorId8224))

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

OsName               : Microsoft Windows Server 2012 R2 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 9600.19994.amd64fre.winblue_ltsb_escrow.210331-1613
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value                                                                                                                                  
----                           -----                                                                                                                                  
PSVersion                      5.1.14409.1018
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1018
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

ActiveDirectoryDsc 6.2.0-preview0001

johlju commented 3 years ago

@X-Guardian do you have time to look at this issue, if this solves the pending PR (in draft) from you?

Labeling this as a bug and help wanted so someone in the community can work on this.

X-Guardian commented 3 years ago

No, this is not related to the pending ADGroup PR I have open. @dslcleve, can you post the output from Get-ADGroup -Properties * for a group that returns 8224 in the Get-ADGroupMember error, so that we can try to identify the difference in those groups?

dslcleve commented 3 years ago

I ran Get-ADGroup and Get-ADGroupMember on the command line in a PowerShell window. Oddly, Get-ADGroupMember returns 0 instead of 8224 there. I added the log from DSC, which has some debug messages that confirm it returns 8224 (see the DEBUG messages).

Get-ADGroup -Properties * -Identity Role_Admins
CanonicalName                   : ext.us.csod.corp/Servers/ulp/Role_Admins
CN                              : Role_Admins
Created                         : 3/30/2021 9:33:47 PM
createTimeStamp                 : 3/30/2021 9:33:47 PM
Deleted                         : 
Description                     : 
DisplayName                     : 
DistinguishedName               : CN=Role_Admins,OU=ulp,OU=Servers,DC=ext,DC=us,DC=csod,DC=corp
dSCorePropagationData           : {4/15/2021 4:54:09 AM, 4/15/2021 4:52:54 AM, 4/15/2021 4:50:51 AM, 3/30/2021 9:33:50 PM...}
GroupCategory                   : Security
GroupScope                      : DomainLocal
groupType                       : -2147483644
HomePage                        : 
instanceType                    : 4
isDeleted                       : 
LastKnownParent                 : 
ManagedBy                       : 
member                          : {CN=S-1-5-21-192396600-3081844788-152134828-1135,CN=ForeignSecurityPrincipals,DC=ext,DC=us,DC=csod,DC=corp}
MemberOf                        : {}
Members                         : {CN=S-1-5-21-192396600-3081844788-152134828-1135,CN=ForeignSecurityPrincipals,DC=ext,DC=us,DC=csod,DC=corp}
Modified                        : 5/6/2021 5:29:12 PM
modifyTimeStamp                 : 5/6/2021 5:29:12 PM
Name                            : Role_Admins
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : CN=Group,CN=Schema,CN=Configuration,DC=ext,DC=us,DC=csod,DC=corp
ObjectClass                     : group
ObjectGUID                      : 67cafe86-799c-452d-939b-ed46136cfb8d
objectSid                       : S-1-5-21-2438549848-2977374219-2524264263-1308
ProtectedFromAccidentalDeletion : False
SamAccountName                  : Role_Admins
sAMAccountType                  : 536870912
sDRightsEffective               : 15
SID                             : S-1-5-21-2438549848-2977374219-2524264263-1308
SIDHistory                      : {}
uSNChanged                      : 1902372
uSNCreated                      : 15908
whenChanged                     : 5/6/2021 5:29:12 PM
whenCreated                     : 3/30/2021 9:33:47 PM
get-adgroupmember -Identity Role_Admins
get-adgroupmember : The server was unable to process the request due to an internal error.  For more information about the error, either turn on 
IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to 
send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server 
trace logs.
At line:1 char:1
+ get-adgroupmember -Identity Role_Admins
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Role_Admins:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [UEMMGTADML-OIFW]: LCM:  [ Start  Resource ]  [[ADGroup]Role_Admins]
VERBOSE: [UEMMGTADML-OIFW]: LCM:  [ Start  Test     ]  [[ADGroup]Role_Admins]
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] Retrieving AD Group 'Role_Admins'. (ADG0021)
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] The AD Group 'Role_Admins' is present. (ADG0023)
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] Retrieving group membership based on 'SamAccountName' property. (ADG0001)
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] DEBUG1: ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [UEMMGTADML-OIFW]:                            [[ADGroup]Role_Admins] DEBUG2: ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [UEMMGTADML-OIFW]: LCM:  [ End    Test     ]  [[ADGroup]Role_Admins]  in 0.7710 seconds.
PowerShell DSC resource MSFT_ADGroup  failed to execute Test-TargetResource functionality with error message: 
System.InvalidOperationException: Error retrieving membership for AD Group 'Role_Admins'. (ADG0014) ---> 
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException`1
[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Active Directory returned an 
error processing the operation.

Server stack trace: 
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, 
Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, 
ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at 
schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest 
request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, 
String extendedErrorMessage, Exception innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException 
faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManage
ment.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, 
Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace --- 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
X-Guardian commented 3 years ago

Thanks @dslcleve. Can you output the full error object you are receiving in the DscResource? You can do this by adding Write-Debug ($_ | ConvertTo-Json) to the resource. I'm hoping we can find a better property to check for somewhere in the error object. Exception.ServerErrorMessage looks interesting.

dslcleve commented 3 years ago

Here you go, thanks.

VERBOSE: [TESTADML]: LCM:  [ Start  Resource ]  [[ADGroup]Role_Admins]
VERBOSE: [TESTADML]: LCM:  [ Start  Test     ]  [[ADGroup]Role_Admins]
VERBOSE: [TESTADML]:                            [[ADGroup]Role_Admins] Retrieving AD Group 'Role_Admins'. (ADG0021)
VERBOSE: [TESTADML]:                            [[ADGroup]Role_Admins] The AD Group 'Role_Admins' is present. (ADG0023)
VERBOSE: [TESTADML]:                            [[ADGroup]Role_Admins] Retrieving group membership based on 'SamAccountName' property. (ADG0001)
VERBOSE: [TESTADML]:                            [[ADGroup]Role_Admins] DEBUG1: ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [TESTADML]: LCM:  [ End    Test     ]  [[ADGroup]Role_Admins]  in 0.6940 seconds.
PowerShell DSC resource MSFT_ADGroup  failed to execute Test-TargetResource functionality with error message:
System.InvalidOperationException: Error retrieving membership for AD Group 'Role_Admins'. (ADG0014) --->
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Active Directory returned an error processing the operation.

Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace ---

X-Guardian commented 3 years ago

This hasn't got the JSON output of the error object in it. You need to run Start-DscConfiguration with -Debug.

dslcleve commented 3 years ago

Sorry, here it is:

VERBOSE: [TESTADML]:                            [[ADGroup]Role_Admins] DEBUG1 FullyQualifiedErrorId: ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
VERBOSE: [TESTADML]:                            [[ADGroup]Role_Admins] {
    "Exception":  {
                      "ErrorCode":  8224,
                      "ServerErrorMessage":  "An operations error occurred.\r\n",
                      "Message":  "An operations error occurred",
                      "Data":  {

                               },
                      "InnerException":  {
                                             "Detail":  "schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault",
                                             "Action":  "http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault",
                                             "Code":  "System.ServiceModel.FaultCode",
                                             "Message":  "Active Directory returned an error processing the operation.",
                                             "Reason":  "Active Directory returned an error processing the operation.",
                                             "Data":  "System.Collections.ListDictionaryInternal",
                                             "InnerException":  null,
                                             "TargetSite":  "Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Messaging.IMessage)",
                                             "StackTrace":  "\r\nServer stack trace: \r\n   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc\u0026 rpc)\r\n   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)\r\n   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)\r\n   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)\r\n\r\nException rethrown at [0]: \r\n   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)\r\n   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData\u0026 msgData, Int32 type)\r\n   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)",
                                             "HelpLink":  null,
                                             "Source":  "mscorlib",
                                             "HResult":  -2146233087
                                         },
                      "TargetSite":  {
                                         "Name":  "ThrowExceptionForErrorCode",
                                         "DeclaringType":  "Microsoft.ActiveDirectory.Management.AdwsConnection, Microsoft.ActiveDirectory.Management, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
                                         "ReflectedType":  "Microsoft.ActiveDirectory.Management.AdwsConnection, Microsoft.ActiveDirectory.Management, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
                                         "MemberType":  8,
                                         "MetadataToken":  100664494,
                                         "Module":  "Microsoft.ActiveDirectory.Management.dll",
                                         "IsSecurityCritical":  true,
                                         "IsSecuritySafeCritical":  false,
                                         "IsSecurityTransparent":  false,
                                         "MethodHandle":  "System.RuntimeMethodHandle",
                                         "Attributes":  145,
                                         "CallingConvention":  1,
                                         "ReturnType":  "void",
                                         "ReturnTypeCustomAttributes":  "Void ",
                                         "ReturnParameter":  "Void ",
                                         "IsGenericMethod":  false,
                                         "IsGenericMethodDefinition":  false,
                                         "ContainsGenericParameters":  false,
                                         "MethodImplementationFlags":  0,
                                         "IsPublic":  false,
                                         "IsPrivate":  true,
                                         "IsFamily":  false,
                                         "IsAssembly":  false,
                                         "IsFamilyAndAssembly":  false,
                                         "IsFamilyOrAssembly":  false,
                                         "IsStatic":  true,
                                         "IsFinal":  false,
                                         "IsVirtual":  false,
                                         "IsHideBySig":  true,
                                         "IsAbstract":  false,
                                         "IsSpecialName":  false,
                                         "IsConstructor":  false,
                                         "CustomAttributes":  ""
                                     },
                      "StackTrace":  "   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)\r\n   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()",
                      "HelpLink":  null,
                      "Source":  "Microsoft.ActiveDirectory.Management",
                      "HResult":  -2146233088
                  },
    "TargetObject":  {
                         "GroupScope":  null,
                         "GroupCategory":  null,
                         "SamAccountName":  null,
                         "SID":  null,
                         "DistinguishedName":  null,
                         "Name":  null,
                         "ObjectClass":  null,
                         "ObjectGuid":  null,
                         "PropertyNames":  [

                                           ],
                         "AddedProperties":  [

                                             ],
                         "RemovedProperties":  [

                                               ],
                         "ModifiedProperties":  [

                                                ],
                         "PropertyCount":  0
                     },
    "CategoryInfo":  {
                         "Category":  0,
                         "Activity":  "Get-ADGroupMember",
                         "Reason":  "ADException",
                         "TargetName":  "Role_Admins",
                         "TargetType":  "ADGroup"
                     },
    "FullyQualifiedErrorId":  "ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember",
    "ErrorDetails":  null,
    "InvocationInfo":  {
                           "MyCommand":  {
                                             "Verb":  "Get",
                                             "Noun":  "ADGroupMember",
                                             "HelpFile":  "Microsoft.ActiveDirectory.Management.dll-Help.xml",
                                             "PSSnapIn":  null,
                                             "Version":  "1.0.0.0",
                                             "ImplementingType":  "Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember",
                                             "Definition":  "\r\nGet-ADGroupMember [\u003cCommonParameters\u003e]\r\n",
                                             "DefaultParameterSet":  null,
                                             "OutputType":  "",
                                             "Options":  1,
                                             "Name":  "Get-ADGroupMember",
                                             "CommandType":  8,
                                             "Source":  "ActiveDirectory",
                                             "Visibility":  0,
                                             "ModuleName":  "ActiveDirectory",
                                             "Module":  "ActiveDirectory",
                                             "RemotingCapability":  1,
                                             "Parameters":  "System.Collections.Generic.Dictionary`2[System.String,System.Management.Automation.ParameterMetadata]",
                                             "ParameterSets":  "[\u003cCommonParameters\u003e]"
                                         },
                           "BoundParameters":  {

                                               },
                           "UnboundArguments":  [

                                                ],
                           "ScriptLineNumber":  98,
                           "OffsetInLine":  47,
                           "HistoryId":  1,
                           "ScriptName":  "C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1",
                           "Line":  "            [System.Array] $adGroupMembers = (Get-ADGroupMember @commonParameters).$MembershipAttribute\r\n",
                           "PositionMessage":  "At C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1:98 char:47\r\n+ ... Array] $adGroupMembers = (Get-ADGroupMember @commonParameters).$Membe ...\r\n+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
                           "PSScriptRoot":  "C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup",
                           "PSCommandPath":  "C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1",
                           "InvocationName":  "Get-ADGroupMember",
                           "PipelineLength":  0,
                           "PipelinePosition":  0,
                           "ExpectingInput":  false,
                           "CommandOrigin":  1,
                           "DisplayScriptPosition":  null
                       },
    "ScriptStackTrace":  "at Get-TargetResource, C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1: line 98\r\nat Test-TargetResource, C:\\Program Files\\WindowsPowerShell\\Modules\\ActiveDirectoryDsc\\DscResources\\MSFT_ADGroup\\MSFT_ADGroup.psm1: line 388",
    "PipelineIterationInfo":  [

                              ],
    "PSMessageDetails":  null
}
dslcleve commented 3 years ago

Hi @X-Guardian, have the outputs helped?

I found this: https://stackoverflow.com/questions/29808611/get-adgroupmember-stopped-working-for-some-users and it seems like 8224 is an error for the same problem, i.e. foreign security principals as members of the group. I have multiple groups and some succeed because it returns with 0 instead of 8224. The groups are all created via DSC in one automation run and some even in the same loop, therefore same code and same user. The foreign security principals are manually added after creation to the groups. They can be different users, but they are all from the same domain.

Can 6.2.0 be updated to also check for 8224?
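One way to make the membership check tolerant of both variants reported in this thread, as an added example that is not ActiveDirectoryDsc code and not any commenter's patch. It matches the two FullyQualifiedErrorId values seen above ('ActiveDirectoryServer:0,...' and 'ActiveDirectoryServer:8224,...') with a single pattern, also accepts the typed Exception.ErrorCode that the JSON dump exposes ("ErrorCode": 8224), and, when Get-ADGroupMember fails that way, falls back to the group's raw member attribute, which Get-ADGroup returned without error for Role_Admins above. The function names, the fallback strategy and the constructed sample error records are assumptions made for illustration; the fallback yields distinguished names only, so a resource keyed on another MembershipAttribute would still have to resolve them.

```powershell
# Added example, not ActiveDirectoryDsc code. The function names, the fallback to the
# 'member' attribute and the constructed sample records below are assumptions.

function Test-ADGroupMemberTrustError
{
    <#
        Returns $true when the error record is one of the Get-ADGroupMember failures
        seen in this thread: FullyQualifiedErrorId 'ActiveDirectoryServer:0,...' or
        'ActiveDirectoryServer:8224,...' (8224 = ERROR_DS_OPERATIONS_ERROR,
        "An operations error occurred"). Anything else is left for the caller to rethrow.
    #>
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.ErrorRecord]
        $ErrorRecord
    )

    $idPattern = '^ActiveDirectoryServer:(0|8224),Microsoft\.ActiveDirectory\.Management\.Commands\.GetADGroupMember$'
    if ($ErrorRecord.FullyQualifiedErrorId -match $idPattern)
    {
        return $true
    }

    # Second chance: the typed code on ADException (the JSON dump shows "ErrorCode": 8224).
    # Restricted to Get-ADGroupMember so unrelated AD failures are not swallowed.
    $codeProperty = $ErrorRecord.Exception.PSObject.Properties['ErrorCode']
    return ($null -ne $codeProperty -and
        $codeProperty.Value -in @(0, 8224) -and
        $ErrorRecord.CategoryInfo.Activity -eq 'Get-ADGroupMember')
}

function Get-ADGroupMemberWithFallback
{
    <#
        Returns member distinguished names for a group. If Get-ADGroupMember fails with
        one of the trust-related errors above, reads the raw 'member' attribute instead;
        foreign security principals then come back as their ForeignSecurityPrincipals DNs.
    #>
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Identity,

        # Splatted onto the AD cmdlets (e.g. Server / Credential), as the resource does.
        [System.Collections.Hashtable]
        $CommonParameters = @{}
    )

    try
    {
        return @((Get-ADGroupMember -Identity $Identity @CommonParameters).DistinguishedName)
    }
    catch
    {
        # Visible with Start-DscConfiguration -Debug, as suggested in the thread.
        Write-Debug -Message ($_ | ConvertTo-Json -Depth 3)

        if (-not (Test-ADGroupMemberTrustError -ErrorRecord $_))
        {
            throw
        }

        Write-Verbose -Message "Get-ADGroupMember failed with '$($_.FullyQualifiedErrorId)'; reading the 'member' attribute instead."
        return @((Get-ADGroup -Identity $Identity -Properties member @CommonParameters).member)
    }
}

# Offline check of the classifier with constructed error records (no domain needed).
# The third ID is a constructed negative control and should not match.
$sampleIds = @(
    'ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'
    'ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'
    'ActiveDirectoryServer:8240,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'
)
foreach ($id in $sampleIds)
{
    $record = [System.Management.Automation.ErrorRecord]::new(
        [System.InvalidOperationException]::new('An operations error occurred'),
        $id,
        [System.Management.Automation.ErrorCategory]::NotSpecified,
        'Role_Admins')
    '{0,-5} {1}' -f (Test-ADGroupMemberTrustError -ErrorRecord $record), $id
}
```

The pattern is anchored to the GetADGroupMember command so that a server error code on some other cmdlet is still surfaced, and the fallback is only taken after the classifier agrees; a group that fails for any other reason continues to raise the original ADG0014 error rather than silently reporting an empty membership.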