microsoft / BaselineManagement

Conversion tool used to Convert Group Policy baselines into DSC
MIT License

test-dscconfiguration is not working for registry entries. #57

Closed Resident-Alien closed 3 years ago

Resident-Alien commented 3 years ago

Background: We use ConvertFrom-GPO to convert GPOs to MOF files for the validation of settings only. We never use the MOF to apply settings; we allow the GPO system to do that.

We have a GPO in the domain. GPO is applied to a computer. I take a backup of the GPO and convert it to a DSC using ConvertFrom-GPO. I then take the MOF created and use that to test to ensure all settings were applied properly.

Every time I run Test-DSCConfiguration for any registry entry that has a value, I get this: "Expected to find an array value for property ValueData in the current values, but it was either not present or was null. This has caused the test method to return false."

If I look in the registry the value is present as set by the GPO.

So I decided to let the MOF set the value in the registry. That works fine and then the test will pass. But the value in the registry did not change. Then to test I edited the value in the registry and re-ran the Test-DSCConfiguration. It passed (this is a big problem as the DSC is returning true even though the value in the registry is wrong).

Thus this tells me you are no longer looking in the registry as a result of your change from PSDscResources module to RegistryPolicyFile. You are only looking at the GPO config on the server. The whole point of this DSC module for me was to be able to test each setting of a GPO against a running system to ensure that all values are indeed set and honored. Right now if someone were to change a value and I tested the system it would pass as it would only be asking the GPO database what it thought the system was set to.

I guess I will need to roll back to the version that used PSDscResources, as that actually looked at the registry. This is unfortunate, as that had issues too, especially with key names that used /'s. However, I still think you have a problem here in that the Test-DSCConfiguration is failing to return proper results due to the way it is parsing the registrypolicyfile. I should be able to test the application of a GPO without having the DSC also set all the settings. GPO should apply and DSC should validate in this situation.

We check to ensure that all GPO settings are consistent with the GPO every 30 minutes.
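The gap described in this report is a test that passes while the live registry value differs. A read-only check of the live registry against an expected list could look like the following; it is an added example, not part of the original thread or of the BaselineManagement project, and the function name `Test-RegistryBaseline` and the Contoso keys and values are constructed for illustration.

```powershell
# Added example: audit live HKLM values against an expected list (read-only).
# The entries below are constructed samples, not taken from any real baseline.
$Expected = @(
    @{ Key = 'SOFTWARE\Policies\Contoso\Example';    ValueName = 'Enabled'; ValueData = 1 }
    @{ Key = 'SOFTWARE\Policies\Contoso\Example';    ValueName = 'Servers'; ValueData = @('a.contoso.test', 'b.contoso.test') }
    @{ Key = 'SOFTWARE\Policies\Contoso\text/plain'; ValueName = 'Handler'; ValueData = 'viewer' }
)

function Test-RegistryBaseline {
    # Hypothetical helper: returns one result object per expected value.
    param([Parameter(Mandatory)][hashtable[]]$Setting)

    # The .NET API is used instead of the Registry provider, which treats "/"
    # as a path separator and so cannot address key names that contain it.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        foreach ($s in $Setting) {
            $status = 'MissingKey'; $actual = $null
            $key = $hklm.OpenSubKey($s.Key)   # read-only open; $null if the key is absent
            if ($key) {
                try {
                    $actual = $key.GetValue($s.ValueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                } finally { $key.Close() }
                if ($null -eq $actual) { $status = 'MissingValue' }
                else {
                    # Flatten scalars and arrays (REG_MULTI_SZ, REG_BINARY) to one string each
                    $a = @($actual) -join "`n"
                    $e = @($s.ValueData) -join "`n"
                    $status = if ($a -ceq $e) { 'Match' } else { 'Mismatch' }
                }
            }
            [pscustomobject]@{
                Key = $s.Key; ValueName = $s.ValueName; Status = $status
                Expected = $s.ValueData; Actual = $actual
            }
        }
    } finally { $hklm.Close() }
}

$results = @(Test-RegistryBaseline -Setting $Expected)
$results | Format-Table Key, ValueName, Status -AutoSize
$drift = @($results | Where-Object Status -ne 'Match')
'{0} of {1} values differ from the expected list' -f $drift.Count, $results.Count
```

Because the function only opens keys for reading, it can run on a schedule alongside GPO application without changing any setting.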

mgreenegit commented 3 years ago

I think I found the issue. The Registry (INF) section had an error that would have led to a MOF file that could check local values but would not have evaluated the backed-up GPO. Releasing 4.1.1 with the fix. If you still see the behavior, please re-open the issue so it is tracked again.