hashicorp / terraform-provider-ad

Active Directory provider for HashiCorp Terraform (experimental)
https://registry.terraform.io/providers/hashicorp/ad/latest
Mozilla Public License 2.0

Unable to work with Group Policy related resources #150

Open ShobuPrime opened 2 years ago

ShobuPrime commented 2 years ago

Terraform Version and Provider Version

Windows Version

Windows Server 2022 Datacenter

Affected Resource(s)

No resource/data source related to Group Policy seems to work, while all other resources for this provider (example: ad_user and ad_group_membership) successfully execute.

Terraform Configuration Files

resource "ad_gpo" "test" {
    name = "test3"
    domain = aws_directory_service_directory.MicrosoftAD.name
}

resource "ad_gplink" "test_link" {
    gpo_guid = ad_gpo.test.id
    target_dn = ad_ou.workspaces.dn
    enforced = true
    enabled = true
}

Expected Behavior

What should have happened?

Actual Behavior

What actually happened?

Error: command exited with a non-zero exit code 1, stderr: An operations error occurred. (Exception from HRESULT: 0x80072020)
│ CategoryInfo          : NotSpecified: (:) [New-GPO], COMException
│ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.NewGpoCommand
│ PSComputerName        : <Redacted>
│
│   with ad_gpo.test,
│   on group_policy.tf line 4, in resource "ad_gpo" "test":
│    4: resource "ad_gpo" "test" {
Error: command exited with a non-zero exit code 1, stderr: An operations error occurred. (Exception from HRESULT: 0x80072020)
│ CategoryInfo          : NotSpecified: (:) [Get-GPO], COMException
│ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.GetGpoCommand

Steps to Reproduce

ShobuPrime commented 2 years ago

I did some digging, and apparently the error looks like it's related to some permissions error along the way.

However, using the same credentials I have in my provider, I'm able to RDP directly to my Domain Host/Manager and run the New-GPO and Get-GPO commands with no issues.

ryanschaaf-dmc commented 1 year ago

@ShobuPrime we are experiencing the same issue on our AD environment - were you able to figure out any more specifics on what permissions issues may be happening?

lineardraft commented 1 year ago

Is anybody else getting the same error message? I've configured Terraform according to this https://registry.terraform.io/providers/hashicorp/ad/latest/docs#double-hop-authentication configuration and it's failing with the same error code 0x80072020 for GPO creation.

I've enabled debug to extract the constructed PowerShell commands so I can mimic them in a regular PowerShell window, and it's failing with the same message. If I change the command to something like Get-Date it's working. So it's something related to double-hop authentication.
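The two comments above describe the same symptom (Get-Date works over WinRM, Get-GPO fails with 0x80072020, both work in an RDP session); the following added diagnostic, which is not part of the issue or of the provider, reproduces that comparison from a workstation so the failure can be tied to the missing second hop. The DC host name and GPO name are assumed placeholders, and the second probe assumes CredSSP has already been enabled on both client and server.

```powershell
# Added diagnostic (not the provider's code): run a cmdlet that needs no second hop and
# the GPO cmdlet that does, over a plain WinRM session and over a CredSSP session.
param(
    [string]$DcHost  = 'dc01.example.test',   # assumed: the host the provider connects to
    [string]$GpoName = 'test3'                # the name used in the issue's ad_gpo resource
)
$Cred = Get-Credential -Message 'Account configured in the ad provider block'

# Probe 1: works in the issue even when GPO cmdlets fail (no domain access needed).
$getDate = Invoke-Command -ComputerName $DcHost -Credential $Cred -ScriptBlock { Get-Date }

# Probe 2: Get-GPO must contact the domain from the remote host, which needs delegable
# credentials. Also record whether the remote logon holds a Kerberos TGT (krbtgt ticket).
$probe = {
    param($Name)
    $r = [ordered]@{ User = $env:USERNAME; HasTgt = [bool]((klist 2>&1) -match 'krbtgt') }
    try {
        Get-GPO -Name $Name -ErrorAction Stop | Out-Null
        $r.GpoOk = $true; $r.Hresult = $null
    } catch {
        $r.GpoOk = $false
        # Format as unsigned hex so it matches the "0x80072020" shown in the issue.
        $r.Hresult = '0x{0:X8}' -f $_.Exception.HResult
    }
    [pscustomobject]$r
}

$plain = Invoke-Command -ComputerName $DcHost -Credential $Cred `
    -ScriptBlock $probe -ArgumentList $GpoName

# CredSSP forwards the password to the remote host, so the second hop succeeds there.
# Assumes Enable-WSManCredSSP -Role Client (here) and -Role Server (on $DcHost) were run;
# prefer constrained delegation over CredSSP where the environment allows it.
$credssp = Invoke-Command -ComputerName $DcHost -Credential $Cred -Authentication Credssp `
    -ScriptBlock $probe -ArgumentList $GpoName

[pscustomobject]@{
    GetDateWorks       = ($null -ne $getDate)
    TgtWithoutCredSsp  = $plain.HasTgt
    GpoOkWithoutCredSsp= $plain.GpoOk
    HresultWithoutSsp  = $plain.Hresult
    TgtWithCredSsp     = $credssp.HasTgt
    GpoOkWithCredSsp   = $credssp.GpoOk
} | Format-List
```

If GetDateWorks is true, GpoOkWithoutCredSsp is false with HRESULT 0x80072020, and GpoOkWithCredSsp is true, the provider's session lacks a delegable credential rather than a permission on the GPO itself.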