This repository was archived by the owner on Jun 14, 2024. It is now read-only.

MSFT_GroupResource: SAMR can be blocked by domain controller GPO in Get-TargetResource #206

@tylerdums

Description


Details of the scenario you tried and the problem that is occurring

When we use this module, we found it is blocked by the following group policy, which is somehow set on the domain controller.

Network access - Restrict clients allowed to make remote calls to SAM - Windows security | Microsoft Docs.

The error occurs in function Get-TargetResource in file MSFT_GroupResource.psm1.

Verbose logs showing the problem


The network trace shows the SAMR connection failed with status 0x5, which means "Access Denied". It also shows that the computer account is used. So when the GPO "Restrict clients allowed to make remote calls to SAM" is set on the domain controller and does not allow the computer account, this DSC command fails when it uses function Get-TargetResource.

Suggested solution to the issue

It's possible that some domain admins following the CIS recommendation set it that way – see the following picture, although CIS actually only recommends it for "member server", not domain controller.
Would you please consider changing the code from using SAMR to the LDAP protocol, which won't be impacted by the GPO?

The DSC configuration that is used to reproduce the issue (as detailed as possible)

We first configure a group in Administrators.
It runs successfully.
Secondly, we add another group, and it shows the error.

The operating system the target node is running


Version and build of PowerShell the target node is running


Version of the DSC module that was used ('dev' if using current dev branch)

Not exactly sure, but should be the official version, not dev.
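Two checks a defender can run to diagnose the failure described in this issue, added here as an example and not code from the DSC module or the reporter. It assumes a domain-joined node, that the policy stores its SDDL in the RestrictRemoteSAM value under the Lsa key, and that 'EXAMPLE-GROUP' is a placeholder group name.

```powershell
# Added example (not code from the GroupResource/DSC project or the issue author).
#  1. Read the "Restrict clients allowed to make remote calls to SAM" policy as stored
#     in the registry (run on the DC the client talks to) and list the principals its
#     SDDL allows, so a denied computer account can be explained.
#  2. Resolve a domain group's members over LDAP, which that policy does not govern.

function Get-RestrictRemoteSamPolicy {
    [CmdletBinding()]
    param()
    # The policy writes an SDDL string to this value; a missing value means OS default.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue
    if (-not $lsa -or -not $lsa.RestrictRemoteSAM) {
        return [pscustomobject]@{ Configured = $false; Sddl = $null; Allowed = @() }
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($lsa.RestrictRemoteSAM)
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed') {
            try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: keep raw form
        }
    }
    [pscustomobject]@{ Configured = $true; Sddl = $lsa.RestrictRemoteSAM; Allowed = @($allowed) }
}

function Get-DomainGroupMemberViaLdap {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Escape LDAP filter metacharacters (RFC 4515) so a group name cannot alter the query.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    # With no SearchRoot the searcher binds to the current domain's default naming context.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add('member')
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group '$SamAccountName' not found over LDAP." }
    # Returns member distinguished names; nested groups are not expanded here.
    @($group.Properties['member'])
}

# Usage (placeholder group name): run the first on the DC, the second on the DSC node.
Get-RestrictRemoteSamPolicy | Format-List
Get-DomainGroupMemberViaLdap -SamAccountName 'EXAMPLE-GROUP'
```

If Allowed does not include the node's computer account (or a group containing it), the Access Denied seen in the trace is the expected outcome of the policy rather than a module bug.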
