ADGroup: Not removing members if MemberParameter is null #189

Closed
voigtsv opened this issue Apr 30, 2018 · 3 comments · Fixed by #497
Labels
bug The issue is a bug.

Comments


voigtsv commented Apr 30, 2018

Hi,

in xActiveDirectory 2.18.0.0 when setting the member parameter of a xADGroup resource to null, existing group members will not be removed. Instead the membership will be reported as "in the desired state".

```powershell
xADGroup "Schema Admins"
{
    GroupName           = "Schema Admins"
    GroupScope          = "Universal"
    Category            = "Security"
    MembershipAttribute = "SamAccountName"
    Members             = @()
    Description         = "Designated administrators of the schema"
    Ensure              = 'Present'
}
```

This looks like the place where null values are skipped in the code:

```powershell
if ($PSBoundParameters.ContainsKey('Members') -and -not [system.string]::IsNullOrEmpty($Members))
```

Is there another way to do this?

Regards


johlju commented Apr 30, 2018

Your scenario hasn't been thought of. Normally having a group with empty members has no point, then the group could be removed instead. But that is not the case for the 'Schema Admins', since that group should not be removed.

Not sure of your scenario, I'm sure you have valid reasons for doing this (seeing your configuration). Although if you run this from a pull server then 'Schema Admins' will be empty every ~15 minutes (the default). It could potentially have consequences on any upgrade of the schema that is done in the future if it is removed in the middle of such an upgrade.

If the resource should be able to empty a group from all members, then this is a bug. If instead the group should be removed if it should not contain any members, then this is by design.

@voigtsv What are your thoughts about this?

@johlju johlju added the needs more information The issue needs more information from the author or the community. label Apr 30, 2018
@johlju johlju changed the title xADGroup not removing members if MemberParameter is null xADGroup: Not removing members if MemberParameter is null Apr 30, 2018

voigtsv commented Apr 30, 2018

Having the group emptied every 15 minutes is exactly what I want. For Schema Admins and a couple of other groups that need to be there but empty in our default configuration.
In case of a schema update my plan is to pull a new configuration before and after.

@johlju I can see my case being a bit extraordinary though.


johlju commented Apr 30, 2018

@voigtsv I label this as a bug and 'help wanted' so that someone in the community can run with this.

@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. and removed needs more information The issue needs more information from the author or the community. labels Apr 30, 2018
@SteveL-MSFT SteveL-MSFT added this to Help Wanted in powershell/dscresources May 14, 2019
@johlju johlju added this to To do in All issues and PR's May 23, 2019
@johlju johlju changed the title xADGroup: Not removing members if MemberParameter is null ADGroup: Not removing members if MemberParameter is null Jul 28, 2019
@johlju johlju added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels Sep 1, 2019
johlju added a commit to johlju/ActiveDirectoryDsc that referenced this issue Sep 1, 2019
All issues and PR's automation moved this from To do to Done Sep 2, 2019
johlju added a commit that referenced this issue Sep 2, 2019
- Changes to ActiveDirectoryDsc.Common
  - Update helper function `Add-ADCommonGroupMember` to reduce duplicated
    code, and add an evaluation if `Members` is empty.
  - Updated helper function `Restore-ADCommonObject` to write out a verbose
    message when no object was found in the recycle bin.
  - Updated helper function `Assert-MemberParameters` to not throw an error
    if the parameter `Members` is an empty array.
- Changes to ADGroup
  - Added a read-only property `DistinguishedName`.
  - Refactor the function `Set-TargetResource` to use the function
    `Get-TargetResource` so that `Set-TargetResource` can correctly throw
    an error when something goes wrong (issue #151, issue #166, issue #493).
  - It is now possible to enforce a group with no members by using
    `Members = @()` in a configuration (issue #189).
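
The check quoted in the issue, next to one way of telling an unspecified `Members` from an explicitly empty one, as an added example. It is not the ActiveDirectoryDsc code: the function names and the sample account are hypothetical, and no Active Directory cmdlets are called.

```powershell
# Added illustration, not project code. All names and sample data are constructed.

function Test-MemberListMatch
{
    # Returns $true when both lists contain the same accounts.
    param ([string[]] $Desired = @(), [string[]] $Current = @())

    $extra   = @($Current | Where-Object { $_ -notin $Desired })
    $missing = @($Desired | Where-Object { $_ -notin $Current })
    return ($extra.Count -eq 0 -and $missing.Count -eq 0)
}

function Test-GroupMembersOriginal
{
    param ([string[]] $Members, [string[]] $CurrentMembers = @())

    # Check from the issue: an empty array converts to an empty string, so
    # IsNullOrEmpty is true and the membership comparison never runs.
    if ($PSBoundParameters.ContainsKey('Members') -and
        -not [System.String]::IsNullOrEmpty($Members))
    {
        return Test-MemberListMatch -Desired $Members -Current $CurrentMembers
    }
    return $true   # falls through as "in the desired state"
}

function Test-GroupMembersEmptyAware
{
    param ([string[]] $Members, [string[]] $CurrentMembers = @())

    # Not bound at all: membership is not managed by this configuration.
    if (-not $PSBoundParameters.ContainsKey('Members')) { return $true }

    # Bound but empty: the desired state is a group with no members.
    if ($null -eq $Members -or $Members.Count -eq 0)
    {
        return ($CurrentMembers.Count -eq 0)
    }
    return Test-MemberListMatch -Desired $Members -Current $CurrentMembers
}

$current = @('alice.admin')   # constructed: one account still in the group

Test-GroupMembersOriginal   -Members @() -CurrentMembers $current
Test-GroupMembersEmptyAware -Members @() -CurrentMembers $current
Test-GroupMembersEmptyAware -CurrentMembers $current   # Members omitted
```

For a privileged group that is meant to stay empty, the difference matters: the first call treats the leftover account as compliant, while the second flags drift and still leaves groups alone when `Members` is omitted.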
@johlju johlju removed the in progress The issue is being actively worked on by someone. label Sep 2, 2019
@SteveL-MSFT SteveL-MSFT removed this from Help Wanted in powershell/dscresources Nov 27, 2019