dsccommunity / ActiveDirectoryDsc

This module contains DSC resources for deployment and configuration of Active Directory Domain Services.
MIT License

ADDomainDefaultPasswordPolicy does not work on Windows Server 2022 in the ActiveDirectoryDsc resource #678

Closed SimonRousingBerg closed 2 years ago

SimonRousingBerg commented 2 years ago

#### Details of the scenario you tried and the problem that is occurring

This is the end result in the Active Directory Default Domain Policy. [image: screenshot of the Default Domain Policy]

Info retrieved with PowerShell:

PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True
DistinguishedName           : DC=mydomain,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 944be70d-ad0e-46eb-827b-0f32d10a001e
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

#### Verbose logs showing the problem

VERBOSE: [DOAC-149-TEST07]: LCM:  [ Start  Resource ]  [[ADDomainDefaultPasswordPolicy]DomainDefaultPasswordPolicy]
VERBOSE: [DOAC-149-TEST07]: LCM:  [ Start  Test     ]  [[ADDomainDefaultPasswordPolicy]DomainDefaultPasswordPolicy]
VERBOSE: [DOAC-149-TEST07]:                            [[ADDomainDefaultPasswordPolicy]DomainDefaultPasswordPolicy] Querying Active Directory domain 'mydomain.com' default password policy. (ADDDPP0001)
VERBOSE: [DOAC-149-TEST07]:                            [[ADDomainDefaultPasswordPolicy]DomainDefaultPasswordPolicy] Resource 'mydomain.com' is in the desired state. (ADDDPP0005)
VERBOSE: [DOAC-149-TEST07]: LCM:  [ End    Test     ]  [[ADDomainDefaultPasswordPolicy]DomainDefaultPasswordPolicy]  in 0.1250 seconds.
VERBOSE: [DOAC-149-TEST07]: LCM:  [ Skip   Set      ]  [[ADDomainDefaultPasswordPolicy]DomainDefaultPasswordPolicy]
VERBOSE: [DOAC-149-TEST07]: LCM:  [ End    Resource ]  [[ADDomainDefaultPasswordPolicy]DomainDefaultPasswordPolicy]

#### Suggested solution to the issue

#### The DSC configuration that is used to reproduce the issue (as detailed as possible)


Configuration DomainPasswordPolicy
{
    Import-DscResource -ModuleName ActiveDirectoryDsc

    Node localhost
    {
        ADDomainDefaultPasswordPolicy DomainDefaultPasswordPolicy
        {
            DomainName                  = 'mydomain.com'
            PasswordHistoryCount        = 5
            MaxPasswordAge              = 129600   # seconds (1.5 days)
            MinPasswordAge              = 14400    # seconds (4 hours)
            MinPasswordLength           = 10
            ComplexityEnabled           = $true
            ReversibleEncryptionEnabled = $false
            LockoutDuration             = 30       # minutes
            LockoutThreshold            = 5
            LockoutObservationWindow    = 30       # minutes
        }
    }
}

#### The operating system the target node is running
OsName               : Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

#### Version and build of PowerShell the target node is running
Name                           Value
----                           -----
PSVersion                      5.1.20348.558
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.558
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

#### Version of the DSC module that was used
PS C:\Windows\system32> Get-Module -Name ActiveDirectoryDsc -ListAvailable

    Directory: C:\Program Files\WindowsPowerShell\Modules

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   6.0.1      ActiveDirectoryDsc                  Find-DomainController
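
The core of the report above is that the LCM's Test phase answers "in the desired state" while Get-ADDefaultDomainPasswordPolicy still shows the domain defaults (42-day maximum age, length 7, history 24, lockout threshold 0). The script below is an added example, not code from the issue or from the ActiveDirectoryDsc module: it checks the applied policy independently of DSC by converting the resource's parameters into the units the AD cmdlet returns (MaxPasswordAge and MinPasswordAge in seconds, LockoutDuration and LockoutObservationWindow in minutes, as the resource documents them) and comparing each setting. The function name `Test-DomainPasswordPolicyDrift` is invented for this example, and the `$actual` object is a constructed stand-in built from the cmdlet output quoted in the issue so the script runs without a domain controller.

```powershell
# Added example (not part of the issue or the ActiveDirectoryDsc module):
# compare the values handed to ADDomainDefaultPasswordPolicy against what the
# domain actually enforces, without trusting the resource's own Test phase.

# Desired values, copied from the DSC configuration in the issue.
$desired = @{
    PasswordHistoryCount        = 5
    MaxPasswordAge              = 129600   # seconds
    MinPasswordAge              = 14400    # seconds
    MinPasswordLength           = 10
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = 30       # minutes
    LockoutThreshold            = 5
    LockoutObservationWindow    = 30       # minutes
}

function Test-DomainPasswordPolicyDrift {
    # Hypothetical helper name; emits one row per setting with a drift flag.
    param(
        [Parameter(Mandatory)] [hashtable] $Desired,
        # Output of Get-ADDefaultDomainPasswordPolicy, or a constructed stand-in.
        [Parameter(Mandatory)] $Actual
    )

    # Translate each DSC parameter into the type the AD object exposes so that
    # -eq compares like with like (TimeSpan vs TimeSpan, int vs int).
    $expected = @{
        PasswordHistoryCount        = [int]$Desired.PasswordHistoryCount
        MaxPasswordAge              = [timespan]::FromSeconds($Desired.MaxPasswordAge)
        MinPasswordAge              = [timespan]::FromSeconds($Desired.MinPasswordAge)
        MinPasswordLength           = [int]$Desired.MinPasswordLength
        ComplexityEnabled           = [bool]$Desired.ComplexityEnabled
        ReversibleEncryptionEnabled = [bool]$Desired.ReversibleEncryptionEnabled
        LockoutDuration             = [timespan]::FromMinutes($Desired.LockoutDuration)
        LockoutThreshold            = [int]$Desired.LockoutThreshold
        LockoutObservationWindow    = [timespan]::FromMinutes($Desired.LockoutObservationWindow)
    }

    foreach ($name in ($expected.Keys | Sort-Object)) {
        $want = $expected[$name]
        $have = $Actual.$name
        [pscustomobject]@{
            Setting        = $name
            Expected       = $want
            Actual         = $have
            InDesiredState = ($want -eq $have)
        }
    }
}

# Constructed stand-in for the Get-ADDefaultDomainPasswordPolicy output quoted
# in the issue (the domain defaults). On a real DC replace it with:
#   $actual = Get-ADDefaultDomainPasswordPolicy -Identity 'mydomain.com'
$actual = [pscustomobject]@{
    ComplexityEnabled           = $true
    LockoutDuration             = [timespan]'00:30:00'
    LockoutObservationWindow    = [timespan]'00:30:00'
    LockoutThreshold            = 0
    MaxPasswordAge              = [timespan]'42.00:00:00'
    MinPasswordAge              = [timespan]'1.00:00:00'
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    ReversibleEncryptionEnabled = $false
}

$report = Test-DomainPasswordPolicyDrift -Desired $desired -Actual $actual
$report | Format-Table -AutoSize

# Fail loudly when anything differs; with the issue's numbers, seven of the
# nine settings are still at the domain defaults.
$drift = @($report | Where-Object { -not $_.InDesiredState })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting(s) differ from the desired policy."
    # exit 1   # uncomment to fail a pipeline or post-deployment check on drift
}
```

Run it on the DC after the configuration has been applied (or from a management host with the ActiveDirectory module and rights to read the domain object). With the constructed input only LockoutDuration and LockoutObservationWindow match, which is exactly the discrepancy the verbose log hides when it reports the resource as compliant.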
SimonRousingBerg commented 2 years ago

Could the reason be that I'm not using the "Credential" in the ADDomainDefaultPasswordPolicy?

But this is for sure a bug because it's reporting it is compliant while it is not.

SimonRousingBerg commented 2 years ago

Even if I specify the correct credential for the domain it still just tells me it is compliant...

SimonRousingBerg commented 2 years ago

If I write my own script resource and trigger a reboot after the DC installation / promoting and before the ADDomainDefaultPasswordPolicy resource, then it fixes the issue.

johlju commented 2 years ago

ADDomain and ADDomainController seem to restart the node after promoting, but you mean you need yet another reboot for it to work?

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g bug, enhancement, documentation, or tests) then the issue will not auto-close.

stale[bot] commented 2 years ago

This issue has been automatically closed because it has not had activity from the community in the last 40 days.