ADGroup: Not restoring deleted object #496

Closed
johlju opened this issue Sep 1, 2019 · 1 comment · Fixed by #499
Labels
documentation The issue is related to documentation only.

Comments

johlju commented Sep 1, 2019

Details of the scenario you tried and the problem that is occurring

When removing a group and then trying to restore the deleted group it fails and instead a new group is created.

Verbose logs showing the problem

    Context When using configuration MSFT_ADGroup_RemoveGroup1_Config
WARNING: It is not recommended to use domain credential for node 'localhost'. In order to suppress the warning, you can add a property named 'PSDscAllowDomainUser' with a value of $true to your DSC configuration data
for node 'localhost'.
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADGroup\MSFT_ADGroup.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Resource ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]: LCM:  [ Start  Test     ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Importing the module MSFT_ADGroup in force mode.
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Retrieving group membership based on 'SamAccountName' property. (ADG0001)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'Ensure' is not correct. Expected 'Absent', actual 'Present'. (ADG0011)
VERBOSE: [DC01]: LCM:  [ End    Test     ]  [[ADGroup]Integration_Test]  in 0.4530 seconds.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Importing the module MSFT_ADGroup in force mode.
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Retrieving group membership based on 'SamAccountName' property. (ADG0001)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Removing AD Group 'DscGroup1'. (ADG0007)
VERBOSE: [DC01]: LCM:  [ End    Set      ]  [[ADGroup]Integration_Test]  in 0.8750 seconds.
VERBOSE: [DC01]: LCM:  [ End    Resource ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]: LCM:  [ End    Set      ]
VERBOSE: [DC01]: LCM:  [ End    Set      ]    in  1.8590 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.234 seconds

    Context When using configuration MSFT_ADGroup_RestoreGroup1_Config
WARNING: It is not recommended to use domain credential for node 'localhost'. In order to suppress the warning, you can add a property named 'PSDscAllowDomainUser' with a value of $true to your DSC configuration data
for node 'localhost'.
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADGroup\MSFT_ADGroup.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Resource ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]: LCM:  [ Start  Test     ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Importing the module MSFT_ADGroup in force mode.
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'DscGroup1' was not found. (ADG00010)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'Ensure' is not correct. Expected 'Present', actual 'Absent'. (ADG0011)
VERBOSE: [DC01]: LCM:  [ End    Test     ]  [[ADGroup]Integration_Test]  in 0.3290 seconds.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Importing the module MSFT_ADGroup in force mode.
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] AD Group 'DscGroup1' was not found. (ADG00010)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Attempting to restore the group DscGroup1 from recycle bin. (ADG0009)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Finding objects in the recycle bin matching the filter msDS-LastKnownRDN -eq "DscGroup1" -and objectClass -eq "Group" -and isDeleted -eq $true.
(ADCOMMON0027)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Did not find a restorable object in the recycle bin. (ADCOMMON0055)
VERBOSE: [DC01]:                            [[ADGroup]Integration_Test] Adding AD Group 'DscGroup1'. (ADG0005)
VERBOSE: [DC01]: LCM:  [ End    Set      ]  [[ADGroup]Integration_Test]  in 0.9370 seconds.
VERBOSE: [DC01]: LCM:  [ End    Resource ]  [[ADGroup]Integration_Test]
VERBOSE: [DC01]: LCM:  [ End    Set      ]
VERBOSE: [DC01]: LCM:  [ End    Set      ]    in  1.7350 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.239 seconds

Suggested solution to the issue

None.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

<#
    .SYNOPSIS
        Remove a group.
#>
Configuration MSFT_ADGroup_RemoveGroup1_Config
{
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'

    node $AllNodes.NodeName
    {
        ADGroup 'Integration_Test'
        {
            Ensure     = 'Absent'
            GroupName  = $Node.Group1_Name

            Credential = New-Object `
                -TypeName System.Management.Automation.PSCredential `
                -ArgumentList @(
                $Node.AdministratorUserName,
                (ConvertTo-SecureString -String $Node.AdministratorPassword -AsPlainText -Force)
            )
        }
    }
}

<#
    .SYNOPSIS
        Restore a group from recycle bin.
#>
Configuration MSFT_ADGroup_RestoreGroup1_Config
{
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'

    node $AllNodes.NodeName
    {
        ADGroup 'Integration_Test'
        {
            Ensure                = 'Present'
            GroupName             = $Node.Group1_Name
            RestoreFromRecycleBin = $true

            Credential            = New-Object `
                -TypeName System.Management.Automation.PSCredential `
                -ArgumentList @(
                $Node.AdministratorUserName,
                (ConvertTo-SecureString -String $Node.AdministratorPassword -AsPlainText -Force)
            )
        }
    }
}

The operating system the target node is running

n/a

Version and build of PowerShell the target node is running

n/a

Version of the DSC module that was used ('dev' if using current dev branch)

dev

johlju added the bug, help wanted, documentation and in progress labels and removed the bug and help wanted labels on Sep 1, 2019

johlju commented Sep 3, 2019

So this did not work because I did not enable the Recycle Bin in the lab environment, which resulted in msDS-LastKnownRDN not existing on the objects. I honestly thought the Recycle Bin was enabled by default when running a Windows Server 2019 domain. 🙂

But I will send in a PR that adds a bit of documentation around this.

johlju added a commit that referenced this issue Sep 3, 2019
- Changes to ADUser
  - Added a note to the resource README.md that `RestoreFromRecycleBin`
    needs the feature Recycle Bin enabled.
- Changes to ADGroup
  - Added a note to the resource README.md that `RestoreFromRecycleBin`
    needs the feature Recycle Bin enabled (issue #496).
- Changes to ADOrganizationalUnit
  - Added a note to the resource README.md that `RestoreFromRecycleBin`
    needs the feature Recycle Bin enabled.
- Changes to ADComputer
  - Added a note to the resource README.md that `RestoreFromRecycleBin`
    needs the feature Recycle Bin enabled (issue #498).
  - Updated integration test to be able to catch when a computer account
    cannot be restored.
johlju removed the in progress label on Sep 3, 2019
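
A pre-flight check for the condition diagnosed in this issue, as an added example (not part of the issue and not ActiveDirectoryDsc code): it reports whether the Recycle Bin optional feature is enabled and whether a deleted group matches the filter shown in the ADCOMMON0027 log line. The distinction matters because a group that is recreated instead of restored gets a new SID, so permissions granted to the old group do not carry over. `Test-RecycleBinRestorable` is a hypothetical helper name, and the code assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example, not ActiveDirectoryDsc code. Test-RecycleBinRestorable is a
# hypothetical helper name; requires the ActiveDirectory (RSAT) module.
function Test-RecycleBinRestorable
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Name
    )

    Import-Module -Name ActiveDirectory -ErrorAction Stop

    # EnabledScopes is empty until the optional feature has been enabled for the forest.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $enabled = $null -ne $feature -and @($feature.EnabledScopes).Count -gt 0

    $candidates = @()
    if ($enabled)
    {
        # Same filter the resource logs in ADCOMMON0027.
        $filter = 'msDS-LastKnownRDN -eq "{0}" -and objectClass -eq "group" -and isDeleted -eq $true' -f $Name
        $candidates = @(Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties objectSid, whenChanged |
                Sort-Object -Property whenChanged -Descending)
    }

    $verdict = if (-not $enabled)
    {
        'Recycle Bin not enabled: Ensure = Present will create a new object with a new SID.'
    }
    elseif ($candidates.Count -eq 0)
    {
        'Recycle Bin enabled, but no deleted object matches: a new object will be created.'
    }
    else
    {
        'Restorable object found: {0}' -f $candidates[0].DistinguishedName
    }

    [PSCustomObject]@{
        RecycleBinEnabled = $enabled
        Candidates        = $candidates
        Verdict           = $verdict
    }
}

Test-RecycleBinRestorable -Name 'DscGroup1'   # group name taken from the log above
```

If the check reports the feature as disabled, it can be turned on with `Enable-ADOptionalFeature`; that change cannot be reversed once made.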