ADUser: Using distinguished name and DomainAdministratorCredential fails when testing password #451

Closed
johlju opened this issue Jul 28, 2019 · 0 comments · Fixed by #452
Labels
bug The issue is a bug.

johlju commented Jul 28, 2019

Details of the scenario you tried and the problem that is occurring

Using distinguished name and DomainAdministratorCredential fails when testing password.

Verbose logs showing the problem

Executing all tests in '.\Tests\Integration\MSFT_ADUser.Integration.Tests.ps1'

Executing script .\Tests\Integration\MSFT_ADUser.Integration.Tests.ps1

  Describing MSFT_ADUser_Integration

    Context When using configuration MSFT_ADUser_CreateUser1_Config
WARNING: It is not recommended to use domain credential for node 'localhost'. In order to suppress the warning, you can add a property named 'PSDscAllowDomainUser' with a value of $true to your DSC configuration data for node 'localhost'.
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer CLDC03 with user sid S-1-5-21-1619467470-1459113476-3809063323-1103.
VERBOSE: [CLDC03]: LCM:  [ Start  Set      ]
VERBOSE: [CLDC03]:                            [DSCEngine] Importing the module C:\Source\ActiveDirectoryDsc\DscResources\MSFT_ADUser\MSFT_ADUser.psm1 in force mode.
VERBOSE: [CLDC03]: LCM:  [ Start  Resource ]  [[ADUser]Integration_Test]
VERBOSE: [CLDC03]: LCM:  [ Start  Test     ]  [[ADUser]Integration_Test]
VERBOSE: [CLDC03]:                            [[ADUser]Integration_Test] Importing the module MSFT_ADUser in force mode.
VERBOSE: [CLDC03]:                            [[ADUser]Integration_Test] Retrieving Active Directory user 'DscTestUser1' (DscTestUser1@DC=companylab,DC=tk). (ADU0004)
VERBOSE: [CLDC03]:                            [[ADUser]Integration_Test] Active Directory user 'DscTestUser1' (DscTestUser1@DC=companylab,DC=tk) was NOT present. (ADU0008)
VERBOSE: [CLDC03]:                            [[ADUser]Integration_Test] Creating connection to Active Directory domain 'DC=companylab,DC=tk'. (ADU0005)
VERBOSE: [CLDC03]:                            [[ADUser]Integration_Test] Connecting to the ActiveDirectory using credential 'COMPANYLAB\Administrator' to test password for user 'DscTestUser1'.
      [-] Should compile and apply the MOF without throwing 1.17s
        Expected no exception to be thrown, but an exception "Exception calling ".ctor" with "4" argument(s): "The server could not be contacted."" was thrown from C:\Source\ActiveDirectoryDsc\Tests\Integration\MSFT_ADUser.Integration.Tests.ps1:59 char:21
            + ...               Start-DscConfiguration @startDscConfigurationParameters
            +                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
        60:                 } | Should -Not -Throw
        at <ScriptBlock>, C:\Source\ActiveDirectoryDsc\Tests\Integration\MSFT_ADUser.Integration.Tests.ps1: line 41
VERBOSE: An LCM method call arrived from computer CLDC03 with user sid S-1-5-21-1619467470-1459113476-3809063323-1103.
WARNING: [CLDC03]:                            [] The GET operation will be carried against a pending configuration since the latest configuration has not converged yet.
VERBOSE: [CLDC03]:                            [DSCEngine] Importing the module C:\Source\ActiveDirectoryDsc\DscResources\MSFT_ADUser\MSFT_ADUser.psm1 in force mode.
VERBOSE: [CLDC03]: LCM:  [ Start  Get      ]
VERBOSE: [CLDC03]:                            [[ADUser]Integration_Test] Importing the module MSFT_ADUser in force mode.
VERBOSE: [CLDC03]:                            [[ADUser]Integration_Test] Retrieving Active Directory user 'DscTestUser1' (DscTestUser1@DC=companylab,DC=tk). (ADU0004)
VERBOSE: [CLDC03]:                            [[ADUser]Integration_Test] Active Directory user 'DscTestUser1' (DscTestUser1@DC=companylab,DC=tk) was NOT present. (ADU0008)
VERBOSE: [CLDC03]: LCM:  [ End    Get      ]  [[ADUser]Integration_Test]  in 0.0940 seconds.
VERBOSE: [CLDC03]: LCM:  [ End    Get      ]    in  0.1720 seconds.

Suggested solution to the issue

The domain name here must be converted to FQDN before connecting to AD.

https://github.com/PowerShell/ActiveDirectoryDsc/blob/e2b3ce14952844910808780552b9a2658f136404/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1#L2534-L2538

The DSC configuration that is used to reproduce the issue (as detailed as possible)

#region HEADER
# Integration Test Config Template Version: 1.2.0
#endregion

$configFile = [System.IO.Path]::ChangeExtension($MyInvocation.MyCommand.Path, 'json')
if (Test-Path -Path $configFile)
{
    <#
        Allows reading the configuration data from a JSON file, for real testing
        scenarios outside of the CI.
    #>
    $ConfigurationData = Get-Content -Path $configFile | ConvertFrom-Json
}
else
{
    $currentDomain = Get-ADDomain
    $netBiosDomainName = $currentDomain.NetBIOSName
    if ($currentDomain.ComputersContainer -match 'DC=.+')
    {
        $domainDistinguishedName = $matches[0]
    }

    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName                = 'localhost'
                CertificateFile         = $env:DscPublicCertificatePath

                DomainDistinguishedName = $domainDistinguishedName
                NetBIOSName             = $netBiosDomainName

                UserName1               = 'DscTestUser1'
                DisplayName1            = 'Dsc Test User 1'

                Password                = New-Object `
                    -TypeName System.Management.Automation.PSCredential `
                    -ArgumentList @(
                    'AnyName',
                    (ConvertTo-SecureString -String 'P@ssW0rd1' -AsPlainText -Force)
                )

                AdministratorUserName   = ('{0}\Administrator' -f $netBiosDomainName)
                AdministratorPassword   = 'P@ssw0rd1'
            }
        )
    }
}

<#
    .SYNOPSIS
        Creates a user account.
#>
Configuration MSFT_ADUser_CreateUser1_Config
{
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'

    node $AllNodes.NodeName
    {
        ADUser 'Integration_Test'
        {
            DomainName           = $Node.DomainDistinguishedName
            UserName             = $Node.UserName1
            UserPrincipalName    = $Node.UserName1
            DisplayName          = $Node.DisplayName1
            PasswordNeverExpires = $true
            Password             = $Node.Password

            Credential           = New-Object `
                -TypeName System.Management.Automation.PSCredential `
                -ArgumentList @(
                $Node.AdministratorUserName,
                (ConvertTo-SecureString -String $Node.AdministratorPassword -AsPlainText -Force)
            )
        }
    }
}

The operating system the target node is running

Version and build of PowerShell the target node is running

Version of the DSC module that was used ('dev' if using current dev branch)

dev

@johlju johlju added in progress The issue is being actively worked on by someone. bug The issue is a bug. labels Jul 28, 2019
johlju added a commit that referenced this issue Jul 29, 2019
…dential (#452)

- Changes to ADUser
  - BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential`
    to `Credential` to better indicate that it is possible to impersonate
    any credential with enough permission to perform the task (issue #269).
  - Now it correctly tests passwords when parameter DomainName is set to
    distinguished name and parameter Credential is used (issue #451).
  - Added integration tests (issue #359).
@johlju johlju removed the in progress The issue is being actively worked on by someone. label Jul 29, 2019
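
The conversion suggested in the issue above, as an added example (not the module's own code; the function name `ConvertTo-DomainFqdn` is hypothetical): it derives the DNS domain name from the `DC=` components of a distinguished name, so that a `DomainName` such as `DC=companylab,DC=tk` becomes a name the connection can resolve. Sample inputs other than `DC=companylab,DC=tk` are constructed.

```powershell
# Added example. ConvertTo-DomainFqdn is a hypothetical helper name,
# not a function taken from ActiveDirectoryDsc.
function ConvertTo-DomainFqdn
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $DomainName
    )

    # A value without any DC= component is treated as already being a DNS name.
    if ($DomainName -notmatch '(^|,)\s*DC=')
    {
        return $DomainName
    }

    # Split on commas that are not escaped with a backslash, so that a value
    # such as 'OU=Sales\, EMEA' stays in one piece.
    $relativeNames = $DomainName -split '(?<!\\),'

    # Keep only the domain components, in the order they appear.
    $labels = foreach ($relativeName in $relativeNames)
    {
        if ($relativeName -match '^\s*DC=(?<label>.+?)\s*$')
        {
            $Matches['label']
        }
    }

    if (-not $labels)
    {
        throw "No domain component found in '$DomainName'."
    }

    return ($labels -join '.')
}

# Constructed sample inputs, apart from the first, which is the value in the log above.
$samples = @(
    'DC=companylab,DC=tk'
    'CN=Computers,DC=companylab,DC=tk'
    'OU=Sales\, EMEA,dc=companylab,dc=tk'
    'companylab.tk'
)

foreach ($sample in $samples)
{
    [PSCustomObject] @{ Input = $sample; Fqdn = ConvertTo-DomainFqdn -DomainName $sample }
}
```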