search

dsccommunity / ComputerManagementDsc

DSC resources for for configuration of a Windows computer. These DSC resources allow you to perform computer management tasks, such as renaming the computer, joining a domain and scheduling tasks as well as configuring items such as virtual memory, event logs, time zones and power settings.
https://dsccommunity.org
MIT License
306 stars 83 forks source link

Group: Cannot perform this operation on built-in accounts #314

Closed fullenw1 closed 4 years ago

fullenw1 commented 4 years ago

Details of the scenario you tried and the problem that is occurring

I am setting members of 3 local groups. It works fine for 2 local groups (Remote Management Users and Remote Desktop Users), but not for the Local Administrators group.

Verbose logs showing the problem

ProviderName : Microsoft-Windows-DSC
Id           : 4103
Message      : Job {24745004-620A-11EA-897D-005056A0F218} :
               This event indicates that a non-terminating error was thrown when DSCEngine was executing Set-TargetResource on
               MSFT_GroupResource DSC resource. FullyQualifiedErrorId is PrincipalOperationException. Error Message is Exception calling
               "Save" with "0" argument(s): "Cannot perform this operation on built-in accounts.".

Current result:

PS> Get-LocalGroupMember administrators

ObjectClass Name                  PrincipalSource
----------- ----                  ---------------
Group       DomainName\Domain Admins     ActiveDirectory
User        ComputerName\Administrator Local

PS> Get-LocalGroupMember 'remote management users'

ObjectClass Name                  PrincipalSource
----------- ----                  ---------------
Group       DomainName\Computer_Admins   ActiveDirectory
Group       DomainName\Domain Admins     ActiveDirectory
User        ComputerName\Administrator Local

PS> Get-LocalGroupMember 'remote desktop users'

ObjectClass Name                  PrincipalSource
----------- ----                  ---------------
Group       DomainName\Computer_Admins   ActiveDirectory
Group       DomainName\Domain Admins     ActiveDirectory
User        ComputerName\Administrator Local

PS>

Expected result:

PS> Get-LocalGroupMember administrators

ObjectClass Name                  PrincipalSource
----------- ----                  ---------------
Group       DomainName\Domain Admins     ActiveDirectory
User        ComputerName\Administrator Local
Group       DomainName\Computer_Admins   ActiveDirectory

PS> Get-LocalGroupMember 'remote management users'

ObjectClass Name                  PrincipalSource
----------- ----                  ---------------
Group       DomainName\Computer_Admins   ActiveDirectory
Group       DomainName\Domain Admins     ActiveDirectory
User        ComputerName\Administrator Local

PS> Get-LocalGroupMember 'remote desktop users'

ObjectClass Name                  PrincipalSource
----------- ----                  ---------------
Group       DomainName\Computer_Admins   ActiveDirectory
Group       DomainName\Domain Admins     ActiveDirectory
User        ComputerName\Administrator Local

PS>

Suggested solution to the issue

No idea...

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Datum configuration:

PSDesiredStateConfiguration:
  Group:
    - GroupName: Administrators
      Members:
        - ComputerName\Administrator
        - DomainName\Computer_Admins
        - DomainName\Domain Admins
    - GroupName: "Remote Management Users"
      Members:
        - ComputerName\Administrator
        - DomainName\Computer_Admins
        - DomainName\Domain Admins
    - GroupName: "Remote Desktop Users"
      Members:
        - ComputerName\Administrator
        - DomainName\Computer_Admins
        - DomainName\Domain Admins

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.316
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.316
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   8.0.0      ComputerManagementDsc
PlagueHO commented 4 years ago

Hi @fullenw1 - sorry, I just got to looking at this one. I think you're using the PSDesiredStateConfiguration resource module to set group membership - suggest using xPSDesiredStateConfiguration and if it doesn't work, raising the issue over there as ComputerManagementDsc doesn't contain the Group resource.

fullenw1 commented 4 years ago

Hi @fullenw1 - sorry, I just got to looking at this one. I think you're using the PSDesiredStateConfiguration resource module to set group membership - suggest using xPSDesiredStateConfiguration and if it doesn't work, raising the issue over there as ComputerManagementDsc doesn't contain the Group resource.

@PlagueHO

Thanks and sorry for my mistake :/ I will open it there as you said. Have an nice day!