Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADGroup: unable to remove trusted domain members from group #583

Open
andreacuozzo opened this issue Mar 26, 2020 · 1 comment
Open

ADGroup: unable to remove trusted domain members from group #583

andreacuozzo opened this issue Mar 26, 2020 · 1 comment
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.

Comments

@andreacuozzo
Copy link

andreacuozzo commented Mar 26, 2020
edited
Loading

Details of the scenario you tried and the problem that is occurring

DomainA and DomainB are trusting each other with external trusts. Using the ADGroup resource, I can add DomainA\TestUser to DomainB\group, but removing the same DomainA\TestUser from DomainB\group generates the error:

Cannot find an object with identity: 'CN=TestUser,DC=DomainA,DC=local' under: 'DC=DomainB,DC=local'.

I've tested both using the Members and MembersToExclude properties, with the same result.

Verbose logs showing the problem

DETTAGLIATO: [DC2]: LCM:  [ Start  Resource ]  [[ADGroup]testgrp]
DETTAGLIATO: [DC2]: LCM:  [ Start  Test     ]  [[ADGroup]testgrp]
DETTAGLIATO: [DC2]:                            [[ADGroup]testgrp] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
DETTAGLIATO: [DC2]:                            [[ADGroup]testgrp] Group membership is NOT in the desired state. (ADG0002)
DETTAGLIATO: [DC2]: LCM:  [ End    Test     ]  [[ADGroup]testgrp]  in 0.2350 seconds.
DETTAGLIATO: [DC2]: LCM:  [ Start  Set      ]  [[ADGroup]testgrp]
DETTAGLIATO: [DC2]:                            [[ADGroup]testgrp] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
DETTAGLIATO: [DC2]:                            [[ADGroup]testgrp] Updating AD Group 'testgrp'. (ADG0006)
DETTAGLIATO: [DC2]:                            [[ADGroup]testgrp] Retrieving group membership based on 'DistinguishedName' property. (ADG0001)
DETTAGLIATO: [DC2]:                            [[ADGroup]testgrp] Removing '3' member(s) from AD group 'testgrp'. (ADG0004)
Cannot find an object with identity: 'CN=TestUser,DC=DomainA,DC=local' under: 'DC=DomainB,DC=local'.
    + CategoryInfo          : ObjectNotFound: (CN=TestUser,DC=DomainA,DC=local:) [], CimException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember

Suggested solution to the issue

Looking at the resource code with my limited skills it seems to me that we're adding users with the Add-ADCommonGroupMember function and we're removing users with the Windows built-in AD Remove-ADGroupMember cmdlet.

Outside ADGroup, I can reproduce the same error using the Windows AD powershell cmdlet, both trying to Add and Remove DomainA\TestUser to/from DomainB\TestGrp. The following commands ran on DomainB domain controller both generate the same error:

Add-ADGroupMember -Identity TestGrp -Members 'CN=TestUser,DC=DomainA,DC=local'

Add-ADGroupMember : Cannot find an object with identity: Cannot find an object with identity: 'CN=TestUser,DC=DomainA,DC=local' under: 'DC=DomainB,DC=local'.

Remove-ADGroupMember -Identity TestGrp -Members 'CN=TestUser,DC=DomainA,DC=local'

Remove-ADGroupMember : Cannot find an object with identity: Cannot find an object with identity: 'CN=TestUser,DC=DomainA,DC=local' under: 'DC=DomainB,DC=local'.

Could the same code used in the Add-ADCommonGroupMember fuction be used with minor changes to have a working Remove-ADCommonGroupMember function ? I've tried, but failed with my basic powershell skills.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# This code succesfully adds both DomainA\TestUsers and Domain\B TestUser to 
# DomainB\TestGrp ADGroup "testgrp". Removing the 'CN=TestUser,DC=DomainA,DC=local' 
# user from the Members list afterwards generates the error:

ADGroup "testgrp"
            {
            GroupName           = "testgrp"
            GroupScope          = 'DomainLocal'
            Category            = 'Security'
            Ensure              = 'Present'
            Path                = "OU=Groups,DC=DomainB,DC=local"
            MembershipAttribute = 'DistinguishedName'
            Members             = @(
                                   'CN=TestUser,DC=DomainA,DC=local'
                                   'CN=TestUser,DC=DomainB,DC=local'
                                   )
            }

The operating system the target node is running

OsName : Microsoft Windows Server 2016 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 14393.3297.amd64fre.rs1_release_1.191001-1045
OsLanguage : en-US
OsMuiLanguages : {en-US}

Name Value

PSVersion 5.1.14393.3053
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.3053
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used

ActiveDirectoryDsc version 6.0.0
@johlju
Copy link
Member

johlju commented Mar 29, 2020

It is the function Add-ADCommonGroupMember that calls Add-ADGroupMember but have logic to handle multiple domains.

ActiveDirectoryDsc/source/Modules/ActiveDirectoryDsc.Common/ActiveDirectoryDsc.Common.psm1

Lines 1261 to 1336 in 4cbeae1

function Add-ADCommonGroupMember
{
[CmdletBinding()]
param
(
[Parameter()]
[System.String[]]
$Members,
[Parameter()]
[hashtable]
$Parameters,
[Parameter()]
[System.Management.Automation.SwitchParameter]
$MembersInMultipleDomains
)
Assert-Module -ModuleName ActiveDirectory
if ($Members)
{
if ($MembersInMultipleDomains.IsPresent)
{
foreach ($member in $Members)
{
$memberDomain = Get-ADDomainNameFromDistinguishedName -DistinguishedName $member
if (-not $memberDomain)
{
$errorMessage = $script:localizedData.EmptyDomainError -f $member, $Parameters.Identity
New-InvalidOperationException -Message $errorMessage
}
Write-Verbose -Message ($script:localizedData.AddingGroupMember -f $member, $memberDomain, $Parameters.Identity)
$commonParameters = @{
Identity = $member
Server = $memberDomain
ErrorAction = 'Stop'
}
$activeDirectoryObject = Get-ADObject @commonParameters -Properties @('ObjectClass')
$memberObjectClass = $activeDirectoryObject.ObjectClass
if ($memberObjectClass -eq 'computer')
{
$memberObject = Get-ADComputer @commonParameters
}
elseif ($memberObjectClass -eq 'group')
{
$memberObject = Get-ADGroup @commonParameters
}
elseif ($memberObjectClass -eq 'user')
{
$memberObject = Get-ADUser @commonParameters
}
elseif ($memberObjectClass -eq 'msDS-ManagedServiceAccount')
{
$memberObject = Get-ADServiceAccount @commonParameters
}
elseif ($memberObjectClass -eq 'msDS-GroupManagedServiceAccount')
{
$memberObject = Get-ADServiceAccount @commonParameters
}
Add-ADGroupMember @Parameters -Members $memberObject -ErrorAction 'Stop'
}
}
else
{
Add-ADGroupMember @Parameters -Members $Members -ErrorAction 'Stop'
}
}
}

Would it be so easy to create Remove-ADCommonGroupMember with the same logic expect replace Add-ADGroupMember to Remove-ADGroupMember? 🤔

@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Mar 29, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@johlju @andreacuozzo