xPSDesiredStateConfiguration
xUser Cannot test password if account is disabled
`$principalContext.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password)` cannot run in the Test target resource if the account is disabled. It will always error, as you can't validate the credentials of a disabled account.
If I try and set the account to disabled WITHOUT a password, I get an error:
PowerShell DSC resource MSFT_UserResource failed to execute Set-TargetResource functionality with error message: There could be a possible multiple matches exception while trying to use the System.DirectoryServices API's.Exception calling "Save" with "0" argument(s): "The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
@DamianBis Have you tried using the more recent version of xUser from this module instead of the in-box resource?
Hi there, I face a similar issue from this portion of code: https://github.com/dsccommunity/xPSDesiredStateConfiguration/blob/main/source/DSCResources/DSC_xUserResource/DSC_xUserResource.psm1#L708
(It generates audit failure with logon failed = account is disabled)
I wonder if we should not skip this test if the account is disabled?
Here is a code sample that could fix the problem:
```powershell
if ($PSBoundParameters.ContainsKey('Password'))
{
    # Test password only if account is not disabled
    if (-not ($PSBoundParameters.ContainsKey('Disabled') -and $Disabled -and $Disabled -eq (-not $user.Enabled)))
    {
        if (-not $principalContext.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password))
        {
            # The Password property does not match
            Write-Verbose -Message ($script:localizedData.PasswordPropertyMismatch -f 'Password')
            return $false
        }
    }
}
```
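A standalone version of the guard discussed above, as an added example that is not part of the thread or the module's own code. `Test-LocalUserPassword` is a hypothetical helper name and its result strings are assumptions; it looks up the local account first and calls `ValidateCredentials` only when the account is enabled.

```powershell
# Added example, not code from xPSDesiredStateConfiguration.
# Test-LocalUserPassword and its result strings are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-LocalUserPassword
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $UserName,

        # PSCredential, matching how the resource passes the password
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Password
    )

    $user = $null
    $context = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    try
    {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($context, $UserName)
        if ($null -eq $user) { return 'NotFound' }

        # Enabled is Nullable[bool]; only an explicit $false means disabled.
        if ($user.Enabled -eq $false)
        {
            # ValidateCredentials is a logon attempt. As reported in this thread, on a
            # disabled account it fails and is audited as a failed logon, so skip it.
            return 'Skipped'
        }

        if ($context.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password))
        {
            return 'Match'
        }
        return 'Mismatch'
    }
    finally
    {
        if ($null -ne $user) { $user.Dispose() }
        $context.Dispose()
    }
}
```

A `Skipped` result means the password of a disabled account was not verified, so the caller has to decide whether that counts as being in the desired state.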