我正在尝试使用PowerShell DSC将域组添加到本地pipe理员组。 这里是代码:
Configuration TestSetup { Node localhost { Group Administrators { GroupName = "Administrators" MembersToInclude = "MYDOMAIN\TheAdministratorsGroup" } } } 当我运行它时,会导致以下错误:
PowerShell provider MSFT_GroupResource failed to execute Test-TargetResource functionality with error message: Could not find a principal with the provided name [mydomain\theadministratorsgroup] + CategoryInfo : InvalidOperation: (:) [], CimException + FullyQualifiedErrorId : ProviderOperationExecutionFailure + PSComputerName : localhost
主体确实存在,我可以通过GUI手动添加它并使用net localgroup 。
我知道DSCconfiguration在SYSTEM帐户下执行,所以我认为这可能是SYSTEM帐户希望查询Active Directory的权限问题。 然而,我已经运行了一个cmd作为使用PsExec的SYSTEM帐户,我可以毫不费力地将一个域组添加到本地pipe理员组中。
您必须指定凭证:
例:
获取凭证的方式:
$securedstring = ConvertTo-SecureString -String $Password -AsPlainText -Force [PSCredential]$cred = New-Object System.Management.Automation.PSCredential ($UserName, $securedstring)
这是您需要configurationDSC资源的代码
$ConfigurationData = @{ AllNodes = @( @{ NodeName="*" PSDscAllowPlainTextPassword=$true } @{ NodeName="SRV2-WS2012R2" } @{ NodeName="SRV3-WS2012R2" } ) } Node $AllNodes.NodeName { LocalConfigurationManager { RebootNodeIfNeeded = $false } Group $group.Name { GroupName = $group.Name Ensure = $group.Ensure Members = $group.Members Credential = $cred } }
然后简单地执行
ProcessDscResources -ConfigurationData $ConfigurationData -OutputPath $folderPathTmp Start-DscConfiguration -Wait -Force -Path $folderPathTmp