DSC resources for for configuration of a Windows computer. These DSC resources allow you to perform computer management tasks, such as renaming the computer, joining a domain and scheduling tasks as well as configuring items such as virtual memory, event logs, time zones and power settings.
I recently created some SmbShare resources with multiple entries in the access permissions entries in the ChangeAccess parameter
These changes applied successfully, but subsequent tests of the resource returned as 'noncompliant' even though the permissions were applied correctly
It looks like SmbShare is really picky about what order Get-SmbShareAccess returns permissions in, and running Set-TargetResource doesn't result in them being applied in the provided order either. I am not aware that permission order on file shares matters - Test-TargetResource can return 'true' for a resource even if the permission entries are returned in a different order to how they were defined in the FullAccess/ChangeAccess/ReadAccess/NoAccess parameters in DSC.
Verbose logs
VERBOSE: [HOSTNAME]: LCM: [ Start Resource ] [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]
VERBOSE: [HOSTNAME]: LCM: [ Start Test ] [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Determining if the SMB share 'ShareName' is in the desired state.
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Getting the current state of the SMB share 'ShareName'.
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] The SMB share with the name 'ShareName' exist. Evaluating the properties of the SMB share.
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'ChangeAccess'. (DRC0028)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value [0] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Domain Controllers' and desired state is 'DOMAINNAME\Domain Controllers'. (DRC0025)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] NOTMATCH: Value [1] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Domain Computers' and desired state is 'DOMAINNAME\Read-only Domain Controllers'. (DRC0024)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] NOTMATCH: Value [2] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Read-only Domain Controllers' and desired state is 'DOMAINNAME\Domain Computers'. (DRC0024)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'ReadAccess'. (DRC0028)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String[]') for property 'ReadAccess' does match. Current state is 'empty array' and desired state is 'empty array'. (DRC0020)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'NoAccess'. (DRC0028)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String[]') for property 'NoAccess' does match. Current state is 'empty array' and desired state is 'empty array'. (DRC0020)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String') for property 'Name' does match. Current state is 'ShareName' and desired state is 'ShareName'. (DRC0020)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'FullAccess'. (DRC0028)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value [0] (type 'System.String') for property 'FullAccess' does match. Current state is 'DOMAINNAME\Domain Admins' and desired state is 'DOMAINNAME\Domain Admins'. (DRC0025)
VERBOSE: [HOSTNAME]: [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String') for property 'Path' does match. Current state is 'C:\DFSTargets\ShareName' and desired state is 'C:\DFSTargets\ShareName'. (DRC0020)
VERBOSE: [HOSTNAME]: LCM: [ End Test ] [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] False in 0.2500 seconds.
VERBOSE: [HOSTNAME]: LCM: [ End Resource ] [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]
Fix Test-TargetResource to make the checks for FullAccess, ChangeAccess, ReadAccess and NoAccess ignore the order of the information returned by Get-TargetResource
Operating system the target node is running
OsName : Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage : en-US
OsMuiLanguages : {en-US}
PowerShell version and build the target node is running
Name Version Path
---- ------- ----
ComputerManagementDsc 9.0.0 C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\9.0.0\ComputerManagementDsc.psd1
Problem description
I recently created some SmbShare resources with multiple entries in the access permissions entries in the ChangeAccess parameter
These changes applied successfully, but subsequent tests of the resource returned as 'noncompliant' even though the permissions were applied correctly
It looks like SmbShare is really picky about what order Get-SmbShareAccess returns permissions in, and running Set-TargetResource doesn't result in them being applied in the provided order either. I am not aware that permission order on file shares matters - Test-TargetResource can return 'true' for a resource even if the permission entries are returned in a different order to how they were defined in the FullAccess/ChangeAccess/ReadAccess/NoAccess parameters in DSC.
Verbose logs
DSC configuration
Suggested solution
Fix Test-TargetResource to make the checks for FullAccess, ChangeAccess, ReadAccess and NoAccess ignore the order of the information returned by Get-TargetResource
Operating system the target node is running
PowerShell version and build the target node is running
ComputerManagementDsc version