我正在尝试使用 PowerShell DSC 将域组添加到本地管理员组。以下是代码:
Configuration TestSetup {
Node localhost {
Group Administrators {
GroupName = "Administrators"
MembersToInclude = "MYDOMAIN\TheAdministratorsGroup"
}
}
}
当我运行它时,这导致以下错误:
PowerShell provider MSFT_GroupResource failed to execute Test-TargetResource functionality with error message: Could not find a principal with the provided name [mydomain\theadministratorsgroup]
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
主体确实存在,我可以通过 GUI 手动添加它并使用net localgroup。
我知道 DSC 配置是在帐户下执行的,SYSTEM所以我认为这可能是帐户SYSTEM想要查询 Active Directory 的权限问题。但是,我使用 PsExec 以帐户身份运行了 cmd SYSTEM,并且能够毫无困难地将域组添加到本地管理员组。
答案1
您必须指定凭证:
例子:
获取凭证的方式:
$securedstring = ConvertTo-SecureString -String $Password -AsPlainText -Force
[PSCredential]$cred = New-Object System.Management.Automation.PSCredential ($UserName, $securedstring)
这是配置 DSC 资源所需的代码
$ConfigurationData = @{
AllNodes = @(
@{
NodeName="*"
PSDscAllowPlainTextPassword=$true
}
@{
NodeName="SRV2-WS2012R2"
}
@{
NodeName="SRV3-WS2012R2"
}
)
}
Node $AllNodes.NodeName
{
LocalConfigurationManager
{
RebootNodeIfNeeded = $false
}
Group $group.Name
{
GroupName = $group.Name
Ensure = $group.Ensure
Members = $group.Members
Credential = $cred
}
}
然后只需执行
ProcessDscResources -ConfigurationData $ConfigurationData -OutputPath $folderPathTmp
Start-DscConfiguration -Wait -Force -Path $folderPathTmp