ActiveDirectoryDsc

ADManagedServiceAccount: add SamAccountName parameter

Open · gaelicWizard opened this pull request 4 years ago • 4 comments

Pull Request (PR) description

Adds optional parameter SamAccountName to ADManagedServiceAccount resource to allow setting this property separately. This requires that ServiceAccountName be specified using something other than the SamAccountName, e.g. SID, DN, UPN, &c.

This Pull Request (PR) fixes the following issues

  • See #655
  • Fixes #644

Task list

  • [x] Added an entry to the change log under the Unreleased section of the file CHANGELOG.md. Entry should say what was changed and how that affects users (if applicable), and reference the issue being resolved (if applicable).
  • [ ] Resource documentation added/updated in README.md.
  • [x] Resource parameter descriptions added/updated in README.md, schema.mof and comment-based help.
  • [x] Comment-based help added/updated.
  • [x] Localization strings added/updated in all localization files as appropriate.
  • [ ] Examples appropriately added/updated.
  • [x] Unit tests added/updated. See DSC Community Testing Guidelines.
  • [ ] Integration tests added/updated (where possible). See DSC Community Testing Guidelines.
  • [x] New/changed code adheres to DSC Community Style Guidelines.


gaelicWizard · May 22 '21 22:05

Codecov Report

Merging #659 (10e97ed) into main (9346a1d) will increase coverage by 0%. The diff coverage is 100%.


@@         Coverage Diff         @@
##           main   #659   +/-   ##
===================================
  Coverage    98%    98%           
===================================
  Files        25     25           
  Lines      3408   3411    +3     
===================================
+ Hits       3340   3343    +3     
  Misses       68     68           

codecov[bot] · May 22 '21 22:05

I have tested this change and it doesn't solve issue #644. The ServiceName is still mapping to the samAccountName, according to the error message I got.

This is my test scenario:

Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc -ModuleVersion 6.2.0

    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'MyMoreFancyServiceLongName01'
            SamAccountName = 'Service01'
            AccountType = 'Standalone'
        }
    }
}

And this is the error message I got:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer dc01 with user sid .
VERBOSE: [dc01]: LCM:  [ Start  Set      ]
VERBOSE: [dc01]: LCM:  [ Start  Resource ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM:  [ Start  Test     ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'MyMoreFancyServiceLongName01'. (MSA0006)
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' was not found. (MSA0005)
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' does not exist but should. (MSA0011)
VERBOSE: [dc01]: LCM:  [ End    Test     ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]  in 0.3950 seconds.
VERBOSE: [dc01]: LCM:  [ Start  Set      ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'MyMoreFancyServiceLongName01'. (MSA0006)
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' was not found. (MSA0005)
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Adding Standalone Account
'MyMoreFancyServiceLongName01' to 'CN=Managed Service Accounts,DC=....l'. (MSA0001)
VERBOSE: [dc01]: LCM:  [ End    Set      ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]  in 0.3600 seconds.
PowerShell DSC resource MSFT_ADManagedServiceAccount  failed to execute Set-TargetResource functionality with error
message: System.InvalidOperationException: Error adding Standalone Account 'MyMoreFancyServiceLongName01' to
'CN=Managed Service Accounts,...'. (MSA0012) ---> System.ArgumentException: The service
account has a samAccountName attribute of 'MyMoreFancyServiceLongName01' which is too long; the samAccountName
attribute must not be longer than 15 characters.
   at Microsoft.ActiveDirectory.Management.Commands.ADComputerUtil.ToDirectoryServiceAccountSamAccountName(String
extendedAttribute, String[] directoryAttributes, ADPropertyValueCollection extendedData, ADEntity directoryObj,
CmdletSessionInfo cmdletSessionInfo)
   at Microsoft.ActiveDirectory.Management.Commands.AttributeConverterEntry.InvokeToDirectoryConverter(ADPropertyValueC
ollection extendedData, ADEntity directoryObj, CmdletSessionInfo cmdletSessionInfo)
   at Microsoft.ActiveDirectory.Management.Commands.ADFactory`1.UpdateFromParameters(ADParameterSet parameters,
Hashtable custPropsToAdd, Hashtable custPropsToReplace, Hashtable custPropsToRemove, String[] custPropsToClear,
ADObject directoryObj)
   at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase`3.ADNewCmdletBaseProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace ---
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: [dc01]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.324 seconds

When I test the change with this DSC:

Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc -ModuleVersion 6.2.0

    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            SamAccountName = 'SamService01'
            AccountType = 'Standalone'
        }
    }
}

The result is:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer dc01 with user sid .
VERBOSE: [dc01]: LCM:  [ Start  Set      ]
VERBOSE: [dc01]: LCM:  [ Start  Resource ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM:  [ Start  Test     ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'Service01'. (MSA0006)
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' was not found. (MSA0005)
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' does not exist but should. (MSA0011)
VERBOSE: [dc01]: LCM:  [ End    Test     ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]  in 0.3950 seconds.
VERBOSE: [dc01]: LCM:  [ Start  Set      ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'Service01'. (MSA0006)
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' was not found. (MSA0005)
VERBOSE: [dc01]:                            [[ADManagedServiceAccount]ExampleStandaloneMSA] Adding Standalone Account
'Service01' to 'CN=Managed Service Accounts,...'. (MSA0001)
VERBOSE: [dc01]: LCM:  [ End    Set      ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]  in 0.4900 seconds.
VERBOSE: [dc01]: LCM:  [ End    Resource ]  [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM:  [ End    Set      ]
VERBOSE: [dc01]: LCM:  [ End    Set      ]    in  1.3590 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.215 seconds

When looking at the attributes of the created Managed Service Account, the values are as follows:

cn:                Service01
distinguishedName: CN=Service01,CN=Managed Service Accounts,...
name:              Service01
sAMAccountName:    Service01$

In summary, the definition of the SamAccountName property has no effect.

Antiohne · May 23 '21 08:05
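The attribute dump above shows the two things a reviewer would want to pin down before accepting a SamAccountName parameter: the standalone MSA's sAMAccountName is limited to 15 characters (the MSA0012 / System.ArgumentException in the first run) and AD stores it with a trailing `$` (Service01 became Service01$). The following is an added example, not code from ActiveDirectoryDsc or from this PR, of how a Set path could pass -Name and -SamAccountName to New-ADServiceAccount separately and then read the object back to confirm which value actually landed, the same check Antiohne did by hand. The function names, the Path handling and the decision to strip the `$` before comparing are assumptions made for this example; the 15-character limit is the one quoted in the error message on this page.

```powershell
# Added example (not part of ActiveDirectoryDsc or this PR).
# Requires the ActiveDirectory module and rights to create MSAs in the target container.

function Test-MsaSamAccountNameLength
{
    param
    (
        [Parameter(Mandatory)]
        [string] $SamAccountName
    )

    # The error in this thread reports that an MSA samAccountName must not be longer
    # than 15 characters. AD appends '$' on storage, so measure the base name only
    # (assumption: the '$' is not counted against the limit).
    $base = $SamAccountName.TrimEnd('$')
    return ($base.Length -le 15)
}

function New-StandaloneMsaWithSam
{
    param
    (
        [Parameter(Mandatory)]
        [string] $Name,            # becomes cn / name, like ServiceAccountName in the resource

        [Parameter(Mandatory)]
        [string] $SamAccountName,  # set independently of the name, the point of the PR

        [string] $Path             # optional target container DN
    )

    # Fail early with a readable message instead of letting New-ADServiceAccount
    # surface the ArgumentException seen in the first test run above.
    if (-not (Test-MsaSamAccountNameLength -SamAccountName $SamAccountName))
    {
        throw "SamAccountName '$SamAccountName' exceeds the 15-character limit for a managed service account."
    }

    $newParams = @{
        Name                     = $Name
        SamAccountName           = $SamAccountName
        RestrictToSingleComputer = $true   # standalone MSA, as in the test configuration
        Enabled                  = $true
        PassThru                 = $true
    }

    if ($Path)
    {
        $newParams['Path'] = $Path
    }

    $account = New-ADServiceAccount @newParams

    # Read the object back and compare: this is the check that would have exposed
    # the 'SamAccountName has no effect' result in the second test run.
    $created = Get-ADServiceAccount -Identity $account.DistinguishedName `
        -Properties cn, name, sAMAccountName, distinguishedName

    if ($created.sAMAccountName.TrimEnd('$') -ne $SamAccountName.TrimEnd('$'))
    {
        throw "sAMAccountName mismatch: requested '$SamAccountName', directory has '$($created.sAMAccountName)'."
    }

    return $created
}

# Usage (mirrors the second test configuration in this thread):
# New-StandaloneMsaWithSam -Name 'Service01' -SamAccountName 'SamService01' |
#     Select-Object cn, name, sAMAccountName, distinguishedName
```

Running the read-back comparison as part of Test-TargetResource, not only after Set, is what would let the resource report drift when an account's sAMAccountName was set by something else (the external-installer case mentioned in the next comment) rather than silently treating the name as in sync.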

@Antiohne, thank you for testing this! I haven't been testing with an account created by DSC (my use case is an account created by an external installer invoked by xPackage). It's a bit of a giant gaping hole that I need to work out.

Thanks, JP2

gaelicWizard · May 26 '21 22:05

Labeling this pull request (PR) as abandoned since it has gone 14 days or more since the last update. An abandoned PR can be continued by another contributor. The abandoned label will be removed if work on this PR is taken up again.

stale[bot] · Jul 19 '21 08:07