Open gaelicWizard opened 3 years ago
Merging #659 (10e97ed) into main (9346a1d) will increase coverage by 0%. The diff coverage is 100%.
@@ Coverage Diff @@
## main #659 +/- ##
===================================
Coverage 98% 98%
===================================
Files 25 25
Lines 3408 3411 +3
===================================
+ Hits 3340 3343 +3
Misses 68 68
I have tested this change and it doesn't solve issue #644. The ServiceName is still mapping to the samAccountName according to the error message I got.
This is my test scenario:
Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc -ModuleVersion 6.2.0

    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure             = 'Present'
            ServiceAccountName = 'MyMoreFancyServiceLongName01'
            SamAccountName     = 'Service01'
            AccountType        = 'Standalone'
        }
    }
}
And this is the error message I got:
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer dc01 with user sid .
VERBOSE: [dc01]: LCM: [ Start Set ]
VERBOSE: [dc01]: LCM: [ Start Resource ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM: [ Start Test ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'MyMoreFancyServiceLongName01'. (MSA0006)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' was not found. (MSA0005)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' does not exist but should. (MSA0011)
VERBOSE: [dc01]: LCM: [ End Test ] [[ADManagedServiceAccount]ExampleStandaloneMSA] in 0.3950 seconds.
VERBOSE: [dc01]: LCM: [ Start Set ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'MyMoreFancyServiceLongName01'. (MSA0006)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' was not found. (MSA0005)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Adding Standalone Account
'MyMoreFancyServiceLongName01' to 'CN=Managed Service Accounts,DC=....l'. (MSA0001)
VERBOSE: [dc01]: LCM: [ End Set ] [[ADManagedServiceAccount]ExampleStandaloneMSA] in 0.3600 seconds.
PowerShell DSC resource MSFT_ADManagedServiceAccount failed to execute Set-TargetResource functionality with error
message: System.InvalidOperationException: Error adding Standalone Account 'MyMoreFancyServiceLongName01' to
'CN=Managed Service Accounts,...'. (MSA0012) ---> System.ArgumentException: The service
account has a samAccountName attribute of 'MyMoreFancyServiceLongName01' which is too long; the samAccountName
attribute must not be longer than 15 characters.
at Microsoft.ActiveDirectory.Management.Commands.ADComputerUtil.ToDirectoryServiceAccountSamAccountName(String
extendedAttribute, String[] directoryAttributes, ADPropertyValueCollection extendedData, ADEntity directoryObj,
CmdletSessionInfo cmdletSessionInfo)
at Microsoft.ActiveDirectory.Management.Commands.AttributeConverterEntry.InvokeToDirectoryConverter(ADPropertyValueC
ollection extendedData, ADEntity directoryObj, CmdletSessionInfo cmdletSessionInfo)
at Microsoft.ActiveDirectory.Management.Commands.ADFactory`1.UpdateFromParameters(ADParameterSet parameters,
Hashtable custPropsToAdd, Hashtable custPropsToReplace, Hashtable custPropsToRemove, String[] custPropsToClear,
ADObject directoryObj)
at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase`3.ADNewCmdletBaseProcessCSRoutine()
at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
--- End of inner exception stack trace ---
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
VERBOSE: [dc01]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.324 seconds
When I test the change with this DSC:
Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc -ModuleVersion 6.2.0

    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure             = 'Present'
            ServiceAccountName = 'Service01'
            SamAccountName     = 'SamService01'
            AccountType        = 'Standalone'
        }
    }
}
The result is:
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer dc01 with user sid .
VERBOSE: [dc01]: LCM: [ Start Set ]
VERBOSE: [dc01]: LCM: [ Start Resource ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM: [ Start Test ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'Service01'. (MSA0006)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' was not found. (MSA0005)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' does not exist but should. (MSA0011)
VERBOSE: [dc01]: LCM: [ End Test ] [[ADManagedServiceAccount]ExampleStandaloneMSA] in 0.3950 seconds.
VERBOSE: [dc01]: LCM: [ Start Set ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'Service01'. (MSA0006)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' was not found. (MSA0005)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Adding Standalone Account
'Service01' to 'CN=Managed Service Accounts,...'. (MSA0001)
VERBOSE: [dc01]: LCM: [ End Set ] [[ADManagedServiceAccount]ExampleStandaloneMSA] in 0.4900 seconds.
VERBOSE: [dc01]: LCM: [ End Resource ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM: [ End Set ]
VERBOSE: [dc01]: LCM: [ End Set ] in 1.3590 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.215 seconds
When looking at the attributes of the created Managed Service account, the values are as follows:
cn: Service01
distinguishedName: CN=Service01,CN=Managed Service Accounts,...
name: Service01
sAMAccountName: Service01$
In summary, the definition of the SamAccountName property has no effect.
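The check described in the test report above, written as an added example (not code from this PR or from ActiveDirectoryDsc): it compares the SamAccountName declared in the configuration with the sAMAccountName actually stored on the account, and applies the 15-character limit quoted in the error message. The function name `Test-MsaSamAccountName` and the sample object are assumptions constructed from the attribute values shown above.

```powershell
# Added example: the helper name is hypothetical, not part of ActiveDirectoryDsc.
function Test-MsaSamAccountName
{
    [CmdletBinding()]
    param
    (
        # Value declared in the DSC configuration (without the trailing '$').
        [Parameter(Mandatory = $true)]
        [System.String]
        $ExpectedSamAccountName,

        # Object exposing sAMAccountName, e.g. the output of Get-ADServiceAccount.
        [Parameter(Mandatory = $true)]
        [System.Object]
        $Account
    )

    # The directory value carries a trailing '$' (see the attribute list above);
    # strip it before comparing with the declared name.
    $actual = ([System.String] $Account.sAMAccountName).TrimEnd('$')

    [PSCustomObject] @{
        Expected   = $ExpectedSamAccountName
        Actual     = $actual
        # Limit quoted in the ArgumentException above: at most 15 characters.
        LengthOk   = $ExpectedSamAccountName.Length -le 15
        MatchesDsc = $actual -ieq $ExpectedSamAccountName
    }
}

# Constructed sample mirroring the attribute values reported above (no domain needed).
$sample = [PSCustomObject] @{
    cn             = 'Service01'
    name           = 'Service01'
    sAMAccountName = 'Service01$'
}

# Second scenario: the declared SamAccountName is not what ended up on the account.
Test-MsaSamAccountName -ExpectedSamAccountName 'SamService01' -Account $sample

# First scenario's long name: fails the length check before any directory call.
Test-MsaSamAccountName -ExpectedSamAccountName 'MyMoreFancyServiceLongName01' -Account $sample

# Against a live domain (requires the ActiveDirectory module):
# $msa = Get-ADServiceAccount -Filter "Name -eq 'Service01'" -Properties sAMAccountName
# Test-MsaSamAccountName -ExpectedSamAccountName 'SamService01' -Account $msa
```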
@Antiohne, thank you for testing this! I haven't been testing with an account created by DSC (my use case is an account created by an external installer invoked by xPackage). It's a bit of a giant gaping hole that I need to work out.
Thanks, JP2
Labeling this pull request (PR) as abandoned since it has gone 14 days or more since the last update. An abandoned PR can be continued by another contributor. The abandoned label will be removed if work on this PR is taken up again.
Pull Request (PR) description
Adds optional parameter SamAccountName to ADManagedServiceAccount resource to allow setting this property separately. This requires that ServiceAccountName be specified using something other than the SamAccountName, e.g. SID, DN, UPN, &c.
This Pull Request (PR) fixes the following issues
Task list
This change is