ADManagedServiceAccount: add SamAccountName parameter #659
Conversation
Codecov Report
```diff
@@ Coverage Diff @@
## main #659 +/- ##
===================================
Coverage 98% 98%
===================================
Files 25 25
Lines 3408 3411 +3
===================================
+ Hits 3340 3343 +3
Misses 68 68
```
I have tested this change and it doesn't solve issue #644. The ServiceName is still mapping to the samAccountName according to the error message I got. This is my test scenario:

```powershell
Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc -ModuleVersion 6.2.0

    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure             = 'Present'
            ServiceAccountName = 'MyMoreFancyServiceLongName01'
            SamAccountName     = 'Service01'
            AccountType        = 'Standalone'
        }
    }
}
```

And this is the error message I got:

```text
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer dc01 with user sid .
VERBOSE: [dc01]: LCM: [ Start Set ]
VERBOSE: [dc01]: LCM: [ Start Resource ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM: [ Start Test ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'MyMoreFancyServiceLongName01'. (MSA0006)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' was not found. (MSA0005)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' does not exist but should. (MSA0011)
VERBOSE: [dc01]: LCM: [ End Test ] [[ADManagedServiceAccount]ExampleStandaloneMSA] in 0.3950 seconds.
VERBOSE: [dc01]: LCM: [ Start Set ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'MyMoreFancyServiceLongName01'. (MSA0006)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'MyMoreFancyServiceLongName01' was not found. (MSA0005)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Adding Standalone Account
'MyMoreFancyServiceLongName01' to 'CN=Managed Service Accounts,DC=....l'. (MSA0001)
VERBOSE: [dc01]: LCM: [ End Set ] [[ADManagedServiceAccount]ExampleStandaloneMSA] in 0.3600 seconds.
PowerShell DSC resource MSFT_ADManagedServiceAccount failed to execute Set-TargetResource functionality with error
message: System.InvalidOperationException: Error adding Standalone Account 'MyMoreFancyServiceLongName01' to
'CN=Managed Service Accounts,...'. (MSA0012) ---> System.ArgumentException: The service
account has a samAccountName attribute of 'MyMoreFancyServiceLongName01' which is too long; the samAccountName
attribute must not be longer than 15 characters.
at Microsoft.ActiveDirectory.Management.Commands.ADComputerUtil.ToDirectoryServiceAccountSamAccountName(String
extendedAttribute, String[] directoryAttributes, ADPropertyValueCollection extendedData, ADEntity directoryObj,
CmdletSessionInfo cmdletSessionInfo)
at Microsoft.ActiveDirectory.Management.Commands.AttributeConverterEntry.InvokeToDirectoryConverter(ADPropertyValueC
ollection extendedData, ADEntity directoryObj, CmdletSessionInfo cmdletSessionInfo)
at Microsoft.ActiveDirectory.Management.Commands.ADFactory`1.UpdateFromParameters(ADParameterSet parameters,
Hashtable custPropsToAdd, Hashtable custPropsToReplace, Hashtable custPropsToRemove, String[] custPropsToClear,
ADObject directoryObj)
at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase`3.ADNewCmdletBaseProcessCSRoutine()
at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
--- End of inner exception stack trace ---
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
VERBOSE: [dc01]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.324 seconds
```

When I test the change with this DSC:

```powershell
Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc -ModuleVersion 6.2.0

    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure             = 'Present'
            ServiceAccountName = 'Service01'
            SamAccountName     = 'SamService01'
            AccountType        = 'Standalone'
        }
    }
}
```

The result is:

```text
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer dc01 with user sid .
VERBOSE: [dc01]: LCM: [ Start Set ]
VERBOSE: [dc01]: LCM: [ Start Resource ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM: [ Start Test ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'Service01'. (MSA0006)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' was not found. (MSA0005)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' does not exist but should. (MSA0011)
VERBOSE: [dc01]: LCM: [ End Test ] [[ADManagedServiceAccount]ExampleStandaloneMSA] in 0.3950 seconds.
VERBOSE: [dc01]: LCM: [ Start Set ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Retrieving Account
'Service01'. (MSA0006)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Standalone Account
'Service01' was not found. (MSA0005)
VERBOSE: [dc01]: [[ADManagedServiceAccount]ExampleStandaloneMSA] Adding Standalone Account
'Service01' to 'CN=Managed Service Accounts,...'. (MSA0001)
VERBOSE: [dc01]: LCM: [ End Set ] [[ADManagedServiceAccount]ExampleStandaloneMSA] in 0.4900 seconds.
VERBOSE: [dc01]: LCM: [ End Resource ] [[ADManagedServiceAccount]ExampleStandaloneMSA]
VERBOSE: [dc01]: LCM: [ End Set ]
VERBOSE: [dc01]: LCM: [ End Set ] in 1.3590 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.215 seconds
```

When looking at the attributes of the created Managed Service Account, the values are as follows:

In summary, the definition of the SamAccountName property has no effect.
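As an added example (not code from the ActiveDirectoryDsc module or from this PR), the following PowerShell shows the two names kept apart: the AD object Name, which may be long, and the sAMAccountName, which is checked against the 15-character limit the AD error above reports before New-ADServiceAccount is called. It then reads back the attributes the comment compares after creation. The New-ADServiceAccount parameters -Name, -SamAccountName and -RestrictToSingleComputer are the cmdlet's own; the container DN, the 15-character limit taken from the error message, and the function names are assumptions.

```powershell
# Added example: not code from the ActiveDirectoryDsc module or from PR #659.
# Separates the AD object 'name' from the sAMAccountName and validates the
# latter before New-ADServiceAccount runs, so a long ServiceAccountName cannot
# become an over-long sAMAccountName and fail at Set time as in the log above.
# Assumptions: the 15-character limit is the one reported by the AD error in
# this thread; the -Path DN is a placeholder for your own domain.

function Test-MsaSamAccountName {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $SamAccountName,

        # Limit for a managed service account as reported by the error in this thread
        [int] $MaxLength = 15
    )

    # AD appends the trailing '$' itself; count only the caller-supplied part.
    $bare = $SamAccountName.TrimEnd('$')

    if ($bare.Length -gt $MaxLength) {
        throw "sAMAccountName '$bare' is $($bare.Length) characters; a managed service account allows at most $MaxLength."
    }

    # Characters that are not permitted in sAMAccountName: " / \ [ ] : ; | = , + * ? < >
    if ($bare -match '["/\\\[\]:;|=,+*?<>]') {
        throw "sAMAccountName '$bare' contains a character that is not permitted."
    }

    return $true
}

function New-StandaloneMsa {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Becomes the object's 'name'/CN; may be longer than 15 characters
        [Parameter(Mandatory)]
        [string] $Name,

        # Becomes sAMAccountName; must pass Test-MsaSamAccountName
        [Parameter(Mandatory)]
        [string] $SamAccountName,

        # Placeholder container DN: replace with your own domain's
        [string] $Path = 'CN=Managed Service Accounts,DC=example,DC=com'
    )

    # Fail before touching the directory rather than inside New-ADServiceAccount
    $null = Test-MsaSamAccountName -SamAccountName $SamAccountName

    if ($PSCmdlet.ShouldProcess($Name, "Create standalone MSA with sAMAccountName '$SamAccountName'")) {
        New-ADServiceAccount -Name $Name `
                             -SamAccountName $SamAccountName `
                             -RestrictToSingleComputer `
                             -Path $Path `
                             -Enabled $true `
                             -PassThru
    }
}

function Get-MsaNameMapping {
    # Reads back the attributes the thread compares after creation.
    param (
        [Parameter(Mandatory)]
        [string] $Identity
    )

    Get-ADServiceAccount -Identity $Identity -Properties Name, SamAccountName, DistinguishedName |
        Select-Object Name, SamAccountName, DistinguishedName
}

# Mirrors the first configuration in the thread: the long value goes to Name and the
# short value to SamAccountName, so the 15-character check passes and creation succeeds.
# New-StandaloneMsa -Name 'MyMoreFancyServiceLongName01' -SamAccountName 'Service01'
# Get-MsaNameMapping -Identity 'Service01$'
```

The check runs before any directory write, so a mismatch such as the one in the first log surfaces as a clear validation error instead of an MSA0012 failure part-way through Set-TargetResource; Get-MsaNameMapping is the read-back that confirms which value actually landed in sAMAccountName.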
Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName
'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20 characters
or less. Once created, the user's SamAccountName and CN cannot be changed.
Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is 'name'. Once created, the account's Name cannot be changed. Once created, the user's SamAccountName and CN cannot be changed.
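Review bot: the description of the Name property (the line starting "Specifies the name of the object") ends with "Once created, the user's SamAccountName and CN cannot be changed.", which is copied from the SamAccountName description just above and makes the Name entry say the same thing twice; keep only "Once created, the account's Name cannot be changed." here, and wrap the line at about 120 characters like the other entries.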
Add line breaks around 120 characters
@Antiohne, thank you for testing this! I haven't been testing with an account created by DSC (my use case is an account created by an external installer invoked by xPackage). It's a bit of a giant gaping hole that I need to work out. Thanks,
Reviewable status: 0 of 4 files reviewed, 4 unresolved discussions (waiting on @gaelicWizard)
This PR needs integration tests.
Have you tested this change through the full lifecycle of an ADManagedServiceAccount object and this additional property? i.e. addition, modification and deletion of an ADManagedServiceAccount with and without this property, and addition, modification and deletion of this property. This must be a non-breaking change to current usage of this resource.
Labeling this pull request (PR) as abandoned since it has gone 14 days or more since the last update. An abandoned PR can be continued by another contributor. The abandoned label will be removed if work on this PR is taken up again.
Pull Request (PR) description
Adds optional parameter SamAccountName to ADManagedServiceAccount resource to allow setting this property separately. This requires that ServiceAccountName be specified using something other than the SamAccountName, e.g. SID, DN, UPN, &c.
This Pull Request (PR) fixes the following issues
Task list
file CHANGELOG.md. Entry should say what was changed and how that
affects users (if applicable), and reference the issue being resolved
(if applicable).
and comment-based help.
This change is