dsccommunity / ActiveDirectoryDsc

This module contains DSC resources for deployment and configuration of Active Directory Domain Services.
MIT License

Condition for DSC resource deployment #671

Closed Jetelaczek closed 2 years ago

Jetelaczek commented 2 years ago

Good afternoon,

Could anyone help me with the issue below? I would like to:

  1. Reset the local admin password on all servers as a first step of my DSC config - some are Domain Controllers and others are just member servers (works pretty well using the 'xUser' below, and all seems to be 'Compliant' at the beginning)
  2. Then some servers become DCs later on and there's nothing to reset (no local admin account anymore), and during the 2nd round of 'DSC check' all those servers become 'Non Compliant' because DSC is trying to 'change' a non-existent local admin password

What I'd like to achieve is some kind of condition for the xUser resource below which does something like - FOR all nodes; IF node is not DC - try to reset local admin pwd; ELSE do nothing...

I haven't been able to find a solution for this so far and I would appreciate any help/idea...

DSC CODE (part):

Import-DscResource -ModuleName ActiveDirectoryDsc          
Import-DscResource -ModuleName xActiveDirectory            
Import-DscResource -ModuleName ...
...
...

node $AllNodes.NodeName
{
    $DomainName           = $ConfigurationData.NonNodeData.DomainName
    $DomainCredential     = Get-AutomationPSCredential -Name "DomainAdmin"
    $DomainJoinCredential = Get-AutomationPSCredential -Name "DomainJoin"
    $LocalAdminUser       = Get-AutomationPSCredential -Name "LocalAdmin"

    xUser 'ChangeLocalAdminPassword' {
        UserName             = 'Superman'
        Description          = "Local administrator account"
        Disabled             = $false
        #Ensure              = "Present"
        Password             = $LocalAdminUser
        PasswordNeverExpires = $true
    }

    If ($node.Role -eq "ADDS") {

        WindowsFeature 'DNS' {
            Ensure               = "Present"
            Name                 = "DNS"
            IncludeAllSubFeature = $true
        }
        ...
        ...
        ...

Thanks much,

Tomas

johlju commented 2 years ago

It is not possible to have conditions in a compiled DSC configuration. You have to add such logic to a resource, or maybe a composite resource might do the trick.
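
An added example, not part of the original comment or of ActiveDirectoryDsc: one way to move the "skip on domain controllers" decision into a resource, as suggested above. The resource name `LocalAdminPassword` and its properties are hypothetical; it assumes the class lives in a module that lists it under `DscResourcesToExport`, and it only resets the password of an existing account (it does not create the user as xUser would).

```powershell
# Hypothetical class-based DSC resource (added example, not ActiveDirectoryDsc code).
[DscResource()]
class LocalAdminPassword
{
    [DscProperty(Key)]
    [string] $UserName

    [DscProperty(Mandatory)]
    [PSCredential] $Password

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    hidden [bool] IsDomainController()
    {
        $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
        return $role -ge 4
    }

    [LocalAdminPassword] Get()
    {
        return $this
    }

    [bool] Test()
    {
        # Evaluated on the node at every consistency check, so a server that was
        # promoted after the first run reports compliant instead of failing.
        if ($this.IsDomainController()) { return $true }

        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        # New-Object with a type name string avoids parse-time type resolution in classes.
        $context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            'Machine', $env:COMPUTERNAME)
        try
        {
            # Compliant only if the desired password already validates against the local SAM.
            return $context.ValidateCredentials(
                $this.UserName, $this.Password.GetNetworkCredential().Password)
        }
        finally { $context.Dispose() }
    }

    [void] Set()
    {
        # Re-check: the node may have been promoted between Test() and Set().
        if ($this.IsDomainController()) { return }
        Set-LocalUser -Name $this.UserName -Password $this.Password.Password
    }
}
# In the configuration, in place of the xUser block:
#   LocalAdminPassword 'ChangeLocalAdminPassword' { UserName = 'Superman'; Password = $LocalAdminUser }
```

Because `Test()` validates the password on each consistency run, expect a local logon attempt for the account in the node's security log at that interval.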

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g. bug, enhancement, documentation, or tests) then the issue will not auto-close.

stale[bot] commented 2 years ago

This issue has been automatically closed because it has not had activity from the community in the last 40 days.