Tuesday, May 20, 2014

Using Windows PowerShell Desired State Configuration User Resource

 

1.  Introduction of Windows PowerShell “Desired State Configuration”.

2.  Installing Windows PowerShell 4.0 [Windows Management Framework 4.0].

3.  Getting Started With Desired State Configuration: DSC Syntax.

4.  Review of Desired State Configuration: The 3 easy steps.

5.  Write your First Desired State Configuration Script using ROLE Resource.

6.  Run your first "DSC" PowerShell Script.

7.  Configuring Dependencies in "Desired State Configuration" script in PowerShell.

8.  PowerShell and DSC : Using File Resource

9.  Using Registry Resource

10. Using Archive Resource.

11. Using Group Resource.

Hi, in my previous blog post, I showed how to use the "Group Resource" of "Desired State Configuration".

Today we are going to use the "User Resource" of "Desired State Configuration" to create a new local user.

Using DSC's "User Resource" is not as simple as our previous DSC resource examples.

It is a little bit tricky to configure, and the one and only tricky part is setting the new user's password.

The documentation on the "User Resource" on MSDN doesn't have any example of how to set a password for the new user, which leads to a lot of manual and brain work.


Before creating a DSC script for the User Resource, it's good to keep the points below in mind.

  1. Choose a password for the new user that meets the complexity and length requirements defined in the local group policy.
  2. Don't forget to set the DSC configuration data and run the configuration with it.
  3. Remember that the Password parameter of the User Resource is a PSCredential object, not plain text.
  4. Set PSDscAllowPlainTextPassword to $true in the ConfigurationData.

 

Let's get started.

Syntax:

The syntax of the User Resource is:

[Screenshot: User Resource syntax]

 

What we are trying to achieve.

We are creating a new local user on our all-time favourite server, Posh-Demo.

Before moving forward, let me show you a small demo of the various errors of the "User Resource".

Error : 1

This error occurs if you use a plain-text string in the Password parameter.

Password = "Passw0rd"

Configuration newLocalAdmin
{
    Node 'Posh-Demo'
    {
        User adminUser
        {
            UserName               = "Steve.J"
            Description            = "This account is created using DSC"
            # Wrong on purpose: Password expects a PSCredential object, not a string
            Password               = "Passw0rd"
            FullName               = "Steve Jobs"
            PasswordNeverExpires   = $true
            PasswordChangeRequired = $true
            Ensure                 = 'Present'
        }
    }
}

newLocalAdmin




 


Error : 2


This error occurs if PSDscAllowPlainTextPassword is not set to $true.

Configuration newLocalAdmin
{
    $secpasswd = ConvertTo-SecureString "Passw0rd##09" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("Steve.J", $secpasswd)

    Node 'R9000W1B-Z'
    {
        User adminUser
        {
            UserName               = "Steve.J"
            Description            = "This account is created using DSC"
            Password               = $mycreds
            FullName               = "Steve Jobs"
            PasswordNeverExpires   = $true
            PasswordChangeRequired = $true
            Ensure                 = 'Present'
        }
    }
}

# No configuration data is passed here, so PSDscAllowPlainTextPassword is never set
newLocalAdmin


 




Error : 3


This error occurs if the password you specified in the script doesn't match your local password complexity configuration.

This error is logged in the DSC event log too; the original post shows a screenshot of the event.


 


Now, let's really get started again.

At this point you already know about the gotchas and the errors which you may face when using the User Resource.

Solving the PSDscAllowPlainTextPassword issue.

The MOF file stores the password in plain text, so anyone who can read the file can read the password. DSC does not allow plain-text passwords by default, so we need to enable them using the configuration data.


 




 


We can enable it by writing Configuration Data that allows the use of plain text on our Posh-Demo node, like the code block below.

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = "Posh-Demo"
            PSDscAllowPlainTextPassword = $true
        }
    )
}


 

How to create PSCredentials.

It's simple to create a PSCredential object.

You just need two lines of code. I am sure that you have seen this before, and there is no need to explain this bit.

# The password used for $secpasswd is: Passw0rd##09
$secpasswd = ConvertTo-SecureString "Passw0rd##09" -AsPlainText -Force
# For the user name, use the name of the new user
$mycreds = New-Object System.Management.Automation.PSCredential ("UserName", $secpasswd)


 

The complete script may look like this.

 

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = "Posh-Demo"
            PSDscAllowPlainTextPassword = $true
        }
    )
}

Configuration newLocalAdmin
{
    $secpasswd = ConvertTo-SecureString "Passw0rd##09" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("Steve.J", $secpasswd)

    Node 'Posh-Demo'
    {
        User adminUser
        {
            UserName             = "Steve.J"
            Description          = "This account is created using DSC"
            Password             = $mycreds
            FullName             = "Steve Jobs"
            PasswordNeverExpires = $true
            Ensure               = 'Present'
        }
    }
}

# Run the Configuration with the -ConfigurationData parameter and use our $ConfigData as argument
newLocalAdmin -ConfigurationData $ConfigData
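
As an added example (not part of the original post), here is the same User resource compiled with the credential encrypted in the MOF instead of allowing plain text. The certificate path, the thumbprint placeholder and the configuration name newLocalAdminEncrypted are assumptions, and Posh-Demo must already hold the matching private key.

```powershell
# Added example. Assumptions: Posh-Demo has a document-encryption certificate
# with its private key in Cert:\LocalMachine\My, and its public key was
# exported to the authoring machine at the hypothetical path below.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'Posh-Demo'
            CertificateFile = 'C:\PublicKeys\Posh-Demo.cer'   # hypothetical path, public key only
            Thumbprint      = '<CERTIFICATE-THUMBPRINT>'      # placeholder, use your certificate's value
            # PSDscAllowPlainTextPassword is deliberately absent
        }
    )
}

Configuration newLocalAdminEncrypted
{
    param (
        # Supplied at compile time, so no password is stored in the script
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential
    )

    Node $AllNodes.NodeName
    {
        # Tells the node's Local Configuration Manager which certificate decrypts the MOF
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }

        User adminUser
        {
            UserName             = $Credential.UserName
            Description          = 'This account is created using DSC'
            Password             = $Credential
            FullName             = 'Steve Jobs'
            PasswordNeverExpires = $true
            Ensure               = 'Present'
        }
    }
}

# Prompt for the password, then compile; the MOF holds the encrypted value
$cred = Get-Credential -UserName 'Steve.J' -Message 'Password for the new local user'
newLocalAdminEncrypted -ConfigurationData $ConfigData -Credential $cred

# Apply the LCM settings (meta.mof) first, then the configuration itself
Set-DscLocalConfigurationManager -Path .\newLocalAdminEncrypted -Verbose
Start-DscConfiguration -Path .\newLocalAdminEncrypted -Wait -Verbose
```

With PSDscAllowPlainTextPassword left out, compilation fails instead of silently writing a clear-text password if the certificate entries are missing.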


 

 


 

Always remember these 4 points regarding the User Resource.

  1. Set PSDscAllowPlainTextPassword to $True.
  2. Create a PSCredential object to use in the Password parameter.
  3. In Password, provide the PSCredential variable which you created in step 2.
  4. Run the Configuration with the -ConfigurationData parameter and provide the name of the configuration data.

 


The name of our script is newLocaluser. The name of the configuration script block is "newLocalAdmin". We are using the "User Resource".

We are enabling the use of plain text on the Posh-Demo server, and saving the configuration in the $ConfigData variable.

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = "Posh-Demo"
            PSDscAllowPlainTextPassword = $true
        }
    )
}











In the code below we are creating a password credential for our new user Steve.J.


$secpasswd = ConvertTo-SecureString "Passw0rd##09" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("Steve.J", $secpasswd)


The rest is self-explanatory.

UserName is set to: Steve.J

Description is set to: "This account is created using DSC"

Password: set using the PSCredential variable.

PasswordNeverExpires is set to: true, so that the password never expires for this user.

Ensure: makes sure this account is present.


UserName = "Steve.J"
Description = "This account is created using DSC"
Password = $mycreds
FullName = "Steve Jobs"
PasswordNeverExpires = $true
Ensure = 'Present'


Please don't forget to use -ConfigurationData $ConfigData when you run the script.

Let's run the script.

I run the script and, as you can see, there are no errors and the MOF file is created.




Let's deploy it using:

Start-DscConfiguration -Path .\newLocalAdmin -Wait -Verbose

You can see that the cmdlet ran successfully and no error occurred.


 


 




 


Let's check our server and see if the user got created. Here you go, it got created!

My last worry is to check that the password was set as we provided. To check it, I run Internet Explorer as the Steve.J user by choosing the "Run as different user" option,

and provide the name and the password of the user account which we just created.

And IE opened successfully. Yayyyy!!!!


That's all for today, and I hope you have enjoyed today's post.


Thanks




Regards



Aman Dhally



If you like, you can follow me on Twitter and Facebook. You can also check my "YouTube" channel for PowerShell video tutorials. You can download all of my scripts from "Microsoft TechNet Gallery".
