I'm trying to use this module as part of automating AD in AWS.

Script
... Install RSAT-AD-PowerShell & xActiveDirectory ... then
```powershell
Configuration DevAws
{
    # Fixed: the original used an en dash (–ModuleName), which PowerShell does not parse as a parameter
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory

    Node localhost
    {
        xADUser MattCanty
        {
            UserName   = "matt.canty"
            DomainName = "dev.aws"
        }
    }
}

# Compile the MOF into .\DevAws, then apply it through the LCM
DevAws
Start-DscConfiguration -Path ./DevAws -Wait -Verbose -Force
```
Log

```text
Directory: C:\Users\admin\Documents\DevAws
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/18/2018 5:06 PM 1896 localhost.mof
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer EC2AMAZ-75TV86U with user sid S-1-5-21-264491047-2034986546-3023887121-1105.
VERBOSE: [EC2AMAZ-75TV86U]: LCM: [ Start Set ]
VERBOSE: [EC2AMAZ-75TV86U]: LCM: [ Start Resource ] [[xADUser]MattCanty]
VERBOSE: [EC2AMAZ-75TV86U]: LCM: [ Start Test ] [[xADUser]MattCanty]
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Retrieving Active Directory user 'matt.canty' (matt.canty@dev.aws) ...
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Active Directory user 'matt.canty' (matt.canty@dev.aws) was NOT present.
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] User 'Ensure' property is NOT in the desired state. Expected 'Present', actual 'Absent'.
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] User 'Enabled' property is NOT in the desired state. Expected 'True', actual ''.
VERBOSE: [EC2AMAZ-75TV86U]: LCM: [ End Test ] [[xADUser]MattCanty] in 0.5470 seconds.
VERBOSE: [EC2AMAZ-75TV86U]: LCM: [ Start Set ] [[xADUser]MattCanty]
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Retrieving Active Directory user 'matt.canty' (matt.canty@dev.aws) ...
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Active Directory user 'matt.canty' (matt.canty@dev.aws) was NOT present.
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Adding Active Directory user 'matt.canty'.
Access is denied
+ CategoryInfo : PermissionDenied: (CN=matt.canty,O...s,DC=dev,DC=aws:) [], CimException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.NewADUser
+ PSComputerName : localhost
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Retrieving Active Directory user 'matt.canty' (matt.canty@dev.aws) ...
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Active Directory user 'matt.canty' (matt.canty@dev.aws) was NOT present.
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Updating user property 'Enabled' with/to 'True'.
VERBOSE: [EC2AMAZ-75TV86U]: [[xADUser]MattCanty] Updating Active Directory user 'matt.canty'.
Cannot find an object with identity: 'matt.canty' under: 'DC=dev,DC=aws'.
+ CategoryInfo : ObjectNotFound: (matt.canty:) [], CimException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.SetADUser
+ PSComputerName : localhost
VERBOSE: [EC2AMAZ-75TV86U]: LCM: [ End Set ] [[xADUser]MattCanty] in 0.3440 seconds.
The PowerShell DSC resource '[xADUser]MattCanty' with SourceInfo 'C:\Users\admin\Documents\Run-AdDsc.ps1::17::9::xADUser' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
VERBOSE: [EC2AMAZ-75TV86U]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.484 seconds
```
Notes

- I'm logged on to the server as a domain administrator, and the server is joined to AD.
- I can add the user manually.
- I can add the user via `New-ADUser`.

I actually want to run this remotely via CloudFormation or Run Command, which means I'll probably need to incorporate a `PSCredential` somehow. I can't see how `DomainAdministratorCredential` on `xADUser` helps, since that property isn't on `xADGroup` ...

Any help is appreciated before I start rolling my own solution!

Thanks
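An added example, not the issue author's script and not code from the xActiveDirectory project, of the route the post is circling around: handing an explicit domain account to the `DomainAdministratorCredential` parameter of `xADUser` (that parameter does exist on the resource) while keeping the password out of the compiled MOF by encrypting it with a DSC certificate rather than setting `PSDscAllowPlainTextPassword`. It assumes the "Access is denied" in the log is because the LCM applies the configuration as LocalSystem, i.e. the member server's machine account, which has no right to create users in `dev.aws`. The certificate path, thumbprint, and the account prompted for are placeholders.

```powershell
# Added example: pass a domain credential to xADUser and encrypt it in the MOF.
# Assumes a DSC encryption certificate is already installed on the target node;
# the .cer path and thumbprint below are placeholders.

$configData = @{
    AllNodes = @(
        @{
            NodeName             = 'localhost'
            # Public key used to encrypt credentials in localhost.mof (placeholder path)
            CertificateFile      = 'C:\DscPublicKey.cer'
            # Thumbprint the LCM uses to pick the matching private key (placeholder)
            Thumbprint           = 'REPLACE_WITH_CERT_THUMBPRINT'
            # Required because the credential is a domain account (DOMAIN\user)
            PSDscAllowDomainUser = $true
        }
    )
}

Configuration DevAws
{
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory

    Node $AllNodes.NodeName
    {
        xADUser MattCanty
        {
            UserName                      = 'matt.canty'
            DomainName                    = 'dev.aws'
            Ensure                        = 'Present'
            # The resource runs New-ADUser/Set-ADUser under this account
            # instead of the LCM's LocalSystem identity
            DomainAdministratorCredential = $DomainAdminCredential
        }
    }
}

# Interactive run: prompt for the account. In a Run Command / CloudFormation
# flow, retrieve the password from a secret store at run time instead and
# build the PSCredential from a SecureString.
$cred = Get-Credential -Message 'Domain account allowed to create users in dev.aws'

DevAws -ConfigurationData $configData -DomainAdminCredential $cred -OutputPath .\DevAws

# Check before applying: the MOF must not carry the password in clear text.
if (Select-String -Path .\DevAws\localhost.mof -Pattern $cred.GetNetworkCredential().Password -SimpleMatch -Quiet) {
    throw 'Plaintext password found in localhost.mof; credential encryption is not in effect.'
}

Start-DscConfiguration -Path .\DevAws -Wait -Verbose -Force
```

For the LCM to decrypt the credential, its `CertificateID` setting has to be the same thumbprint (set through `Set-DscLocalConfigurationManager` with a `[DscLocalConfigurationManager()]` meta-configuration), and the private key must be present in the node's machine certificate store. The `Password` parameter of `xADUser`, if you later set an initial password for the new user, is also a `PSCredential` and is handled by the same encryption, so a single certificate covers both.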