Comments (13)
The Group schema has the GroupName as the unique Key. Only one instance of the same resource and "set of unique keys" is allowed; that is why you get the error when trying to add the resource twice using the same local "Administrators" group.
I think newer DSC modules have a 'Name' attribute, so it allows multiple Group declarations on the same Group.
Not sure what you mean by this. Do you mean a resource that uses Name as the key, for example specifying the username as the unique key?
You built a Script resource to solve this, but another option would be to add a resource with all three accounts when the target node name is one of these specific computers. But maybe that is not possible in your scenario?
from psdscresources.
Johlju - I'm referring to DSC modules such as SecurityPolicyDSC https://github.com/PowerShell/SecurityPolicyDsc/blob/dev/Examples/SecurityOption_Example.ps1
You can compound the SecurityOption by specifying a different Name parameter.
The issue with the current Group resource and targeting by node name is that you also have to define an accompanying 'node -ne x' resource for the other servers.
This is fine for one unique server, but the logic starts getting a little out of control when you have for example, 5 servers that need unique accounts of different types.
To simplify the logic I found that I eventually had to start defining the local Administrators group for each server, which adds a lot of extra lines to the DSC configuration, even though 75% of the servers had the same accounts.
So if there is a Name parameter, you could have a setting for All computers that defines 'Domain Admins' in MembersToInclude, and on specific computers, you could define additional accounts in MembersToInclude without conflict.
Is there a way that Non-Node Data could be used combined with a different way of grouping the server exceptions? If so, something like this might work:
$ConfigData = @{
    NonNodeData = @{
        AllAccessUsers = 'CONTOSO\Domain Admins', 'Administrator'
    }
    AllNodes = @(
        @{
            NodeName = 'ServerC'
            Role = 'Web'
        }
        @{
            NodeName = 'ServerB'
            Role = 'FileServer'
        }
        @{
            NodeName = 'ServerA'
            Role = 'FileServer'
        }
    )
}

Configuration GroupMembershipExample {
    Import-DscResource -ModuleName PSDscResources

    # Where() returns the node hashtables; the Node keyword needs the node names.
    Node $AllNodes.Where( {$PSItem.Role -contains 'Web'} ).NodeName
    {
        Group 'AdministratorsGroupMembers'
        {
            GroupName = 'Administrators'
            Ensure = 'Present'
            # NonNodeData is reached through the automatic $ConfigurationData variable.
            MembersToInclude = ($ConfigurationData.NonNodeData.AllAccessUsers + 'CONTOSO\AddlMbr01')
        }
    }
    Node $AllNodes.Where( {$PSItem.Role -contains 'FileServer'} ).NodeName
    {
        Group 'AdministratorsGroupMembers'
        {
            GroupName = 'Administrators'
            Ensure = 'Present'
            MembersToInclude = $ConfigurationData.NonNodeData.AllAccessUsers
        }
    }
}

# Compile the MOF files using the configuration data above.
GroupMembershipExample -ConfigurationData $ConfigData
That could work, but in my environment I have to add various developer users to different servers. There are only about 20 servers, so it seems a little excessive to create a lot of 1:1 server:group relationships.
So by making a Script resource for this issue, my config code looks a lot more simple/streamlined.
I think DSC is a wonderful tool, but if you're not careful it can start looking excessively long and complicated. I spend a lot of time trying to make my code easy to read in case someone besides me has to look at it later.
So if there is a Name parameter, you could have a setting for All computers that defines 'Domain Admins' in MembersToInclude, and on specific computers, you could define additional accounts in MembersToInclude without conflict.
The equivalent to Name is GroupName. You specify 'Domain Admins' in GroupName so that you can make sure that the group Domain Admins is always in desired state, that it will only contain account X and Y.
If we would add Name in addition to GroupName, then you will get a ping-pong behavior in certain scenarios. This configuration would never reach desired state.
Group 'All computers'
{
    Name = 'All computers'
    GroupName = 'Administrators'
    Ensure = 'Present'
    Members = @('Administrator', 'User1')
}
Group 'Only computer Y'
{
    Name = 'Only computer Y'
    GroupName = 'Administrators'
    Ensure = 'Present'
    Members = @('Administrator', 'User2')
}
@johlju: I hope I'm assuming @ewhitesides' scenario correctly, but is there a way to do something like this:
Group 'All computers'
{
    Name = 'All computers'
    GroupName = 'Administrators'
    Ensure = 'Present'
    Members = @('Administrator', 'User1')
}
Group 'Only computer Y'
{
    Name = 'Only computer Y'
    GroupName = 'Administrators'
    Ensure = 'Present'
    MembersToInclude = @('User2')
    # Run after the common resource; a resource cannot depend on itself.
    DependsOn = '[Group]All computers'
}
The biggest problem I can see is that every time Group 'All computers' runs, it would erase the members defined in Group 'Only computer Y' until it reruns it again. The only other thing I can think of would be a way for DSC to process all Group resources for the same Group Name before creating the MOF file, but I feel that would just go back to separating configuration and environment data in DSC:
$ConfigData = @{
    NonNodeData = @{
        AllAccessUsers = 'CONTOSO\Domain Admins', 'Administrator'
    }
    AllNodes = @(
        @{
            # Properties of the '*' entry apply to every node that does not set them itself.
            NodeName = '*'
            Admins = @('CONTOSO\Domain Admins')
        }
        @{
            NodeName = 'ServerC'
            Role = 'Web'
            Admins = @('CONTOSO\Domain Admins', 'CONTOSO\AddlMbr01')
        }
        @{
            NodeName = 'ServerB'
            Role = 'FileServer'
        }
        @{
            NodeName = 'ServerA'
            Role = 'FileServer'
        }
    )
}

Configuration GroupMembershipExample {
    Import-DscResource -ModuleName PSDscResources

    Node $AllNodes.NodeName
    {
        Group 'AdministratorsGroupMembers'
        {
            GroupName = 'Administrators'
            Ensure = 'Present'
            # One Group resource per node; the complete list comes from the node data.
            MembersToInclude = $Node.Admins
        }
    }
}

GroupMembershipExample -ConfigurationData $ConfigData
If there's another way of doing it, I'm not sure what it would be.
I think what's great about PowerShell (most of the time) is that the syntax resembles how a human thinks.
Without getting super-technical, when I think of 'MembersToInclude' I think the following, regardless of whether you have one or multiple script blocks applied to the same computer:
'check if user A is in this group X. if not there, add them'
So ideally, it would be nice to have it work like this:
Node $AllNodes.Nodename {
    Group 'LocalAdmins' {
        GroupName = 'Administrators'
        Ensure = 'Present'
        MembersToInclude = @('Administrator', 'User1')
    }
}
Node $AllNodes.Where{$_.NodeName -eq 'WebSrv1'}.NodeName {
    Group 'AdditionalAdmins' {
        GroupName = 'Administrators'
        Ensure = 'Present'
        MembersToInclude = @('User2')
    }
}
I realize that there may be a bunch of 'under the hood' changes to make this happen. I think MembersToInclude should probably function differently than the 'Members' property, perhaps in a more simplistic way.
@ewhitesides I believe Members and MembersToInclude are supposed to be similar in name and function to their Restricted Groups counterparts in Group Policy, where 'Members' ensures that only the listed members are part of the group, and 'Member Of' (MembersToInclude) ensures that the listed members are included, but does not remove other accounts listed as members.
It would very likely be possible to do this with Group Policy's Restricted Groups feature, using 'Members Of' in a parent and child OU. The only way I can think of doing something similar using DSC is by using Partial Configurations with a parameterized nested configuration or composite resource.
I defer to @johlju as to whether it would be possible to change the Group Resource without changing the core functionality of DSC. There may be other options that I'm not considering.
The limitation is that there can only be one Group resource with the same Keys in the final compiled configuration. If there are two resources with the same Key the compilation fails.
Another limitation is that an array can't be used as Key.
Snippet of the schema. GroupName is the only type qualifier Key.
[ClassVersion("1.0.0"),FriendlyName("Group")]
class MSFT_GroupResource : OMI_BaseResource
{
    [Key, Description("The name of the group to create, modify, or remove.")] String GroupName;
    ...
    [Write, Description("The members the group should have.")] String Members[];
    [Write, Description("The members the group should include.")] String MembersToInclude[];
    [Write, Description("The members the group should exclude.")] String MembersToExclude[];
    ...
};
@ewhitesides Your suggestion will not work unless LCM is fundamentally changed.
@aydeisen your first scenario would technically work if adding another Key (property Name). But that would result in a user being able to make a mistake and get a ping-pong behavior (see my example), especially if using partial configurations. The second scenario will work, as long as $Node.Admins contains an array with all the names; those names will be compiled into the final configuration using only one Group resource.
Most of the time we would like LCM (DSC) to behave like a program flow, but for it to make sure a specific configuration is in desired state (and not getting a ping-pong behavior) there are some rules (limitations) to follow. 🙂
That said, there is nothing that says that this can't change in the future. Please submit any proposal as a uservoice and the community can vote on them.
I don't think adding a property Name as Key is the right way to go.
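The "second scenario" johlju confirms above, carried one step further as an added example (not code from this thread or from the PSDscResources project): the complete member list for each node is computed at compile time from a common list, a per-role list and per-node extras, so each node's MOF still contains a single Group resource keyed on GroupName. It assumes the PSDscResources module is installed; the helper Get-LocalAdminList, the node names, roles and accounts are constructed for the example.

```powershell
# Added example (not from the thread or PSDscResources); assumes the PSDscResources module.
# Node names, roles and accounts are constructed sample data.
$ConfigData = @{
    NonNodeData = @{
        CommonAdmins = @('CONTOSO\Domain Admins', 'Administrator')
        RoleAdmins   = @{
            Web        = @('CONTOSO\WebOps')
            FileServer = @('CONTOSO\StorageOps')
        }
    }
    AllNodes = @(
        @{ NodeName = 'ServerA'; Role = 'FileServer' }
        @{ NodeName = 'ServerB'; Role = 'FileServer'; ExtraAdmins = @('CONTOSO\dev01') }
        @{ NodeName = 'ServerC'; Role = 'Web'; ExtraAdmins = @('CONTOSO\dev01', 'CONTOSO\dev02') }
    )
}

# Hypothetical helper: union of common, role and per-node accounts, duplicates removed.
function Get-LocalAdminList
{
    param ([hashtable] $NonNodeData, [hashtable] $Node)
    $list = @($NonNodeData.CommonAdmins)
    if ($Node.Role -and $NonNodeData.RoleAdmins.ContainsKey($Node.Role)) {
        $list += $NonNodeData.RoleAdmins[$Node.Role]
    }
    if ($Node.ExtraAdmins) { $list += $Node.ExtraAdmins }
    return @($list | Select-Object -Unique)
}

Configuration LocalAdminsExample
{
    Import-DscResource -ModuleName PSDscResources

    Node $AllNodes.NodeName
    {
        # The list is resolved while compiling, so each node's MOF carries exactly
        # one Group resource keyed on GroupName = 'Administrators'.
        # MembersToInclude only adds accounts; it never removes ones already present.
        Group 'LocalAdministrators'
        {
            GroupName        = 'Administrators'
            Ensure           = 'Present'
            MembersToInclude = (Get-LocalAdminList -NonNodeData $ConfigurationData.NonNodeData -Node $Node)
        }
    }
}

LocalAdminsExample -ConfigurationData $ConfigData -OutputPath "$env:TEMP\LocalAdmins"
Select-String -Path "$env:TEMP\LocalAdmins\*.mof" -Pattern 'MembersToInclude'
```

The final Select-String shows the per-node member arrays the compiler wrote, which is the quickest way to confirm that ServerC's MOF lists dev01 and dev02 once each alongside the common and role accounts.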
@johlju: thanks for the clarification. The latter makes sense to me since, based on the document discussing separating configuration data from environment data, having the full list inside a Node hashtable allows it to be used as documentation for the group.
I know that Microsoft has mentioned overhauling the LCM so it can be used with PowerShell 6 and .NET Core, with the advantage of the LCM being platform agnostic. Is the new LCM also a GitHub project that can be commented on, or is uservoice the only way to do it?
For better or worse, my observation is that uservoice is completely dependent on the community seeing and upvoting suggestions, and stuff tends to get lost in uservoice. (Unrelated but, as an example: I have a request in uservoice for WSUS to allow Azure AD Authentication to SUSDB so the damn thing can be offloaded to an Azure Cloud Database offering. No comments, no responses, no upvotes. Even more disappointing, it's the top result in Bing and Google if you look for 'WSUS' and 'Azure Active Directory Authentication'.)
@aydeisen I know the PowerShell Team is using their user voice. For the other, when last Wednesday's community call recording is online, listen to it as there is some news there; https://www.youtube.com/channel/UCMhQH-yJlr4_XHkwNunfMog. It can take a while until the recording is up there.
I'm closing this issue at this time as 'not fixed'. Please comment and reopen if there are still unanswered questions.