1. Introduction of Windows PowerShell “Desired State Configuration”.
2. Installing Windows PowerShell 4.0 [Windows Management Framework 4.0].
3. Getting Started With Desired State Configuration: DSC Syntax.
4. Review of Desired State Configuration: The 3 easy steps.
5. Write your First Desired State Configuration Script using ROLE Resource.
6. Run your first "DSC" PowerShell Script.
7. Configuring Dependencies in "Desired State Configuration" script in PowerShell.
8. PowerShell and DSC: Using File Resource
Hi, in my previous blog post, I showed how to use the "Group Resource" of "Desired State Configuration".
Today we are going to use the "User Resource" of "Desired State Configuration" to create a new local user.
Using DSC's "User Resource" is not as simple as our previous DSC resource examples.
It is a little bit tricky to configure, and the only tricky part is setting the new user's password.
The documentation on the "User Resource" on MSDN doesn't have any example of how to set a password for the new user, which leads to a lot of manual work and brain work.
Before creating a DSC script for the User Resource, it's good to keep the points below in mind.
- Choose a password whose complexity and length satisfy the local group policy.
- Don't forget to set and run the DSC Configuration data.
- Remember that the Password parameter of the User Resource is a PSCredential object, not plain text.
- Set PSDscAllowPlainTextPassword to $true in the ConfigurationData.
Let's get started.
Syntax:
The Syntax of the User Resource is :
What we are trying to achieve.
We are creating a new local user on our all-time favourite server, Posh-Demo.
Before moving forward, let me show you a small demo of the various errors of the "User Resource".
Error : 1
If you use a plain-text string in the Password parameter.
Password = "Passw0rd"
Configuration newLocalAdmin
{
    Node 'Posh-Demo'
    {
        User adminUser
        {
            UserName = "Steve.J"
            Description = "This account is created using DSC"
            # A plain string here triggers the error: Password expects a PSCredential
            Password = "Passw0rd"
            FullName = "Steve Jobs"
            PasswordNeverExpires = $true
            PasswordChangeRequired = $true
            Ensure = 'Present'
        }
    }
}
newLocalAdmin
Error : 2
If the PSDscAllowPlainTextPassword is not set to true.
Configuration newLocalAdmin
{
    $secpasswd = ConvertTo-SecureString "Passw0rd##09" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("Steve.J", $secpasswd)
    Node 'R9000W1B-Z'
    {
        User adminUser
        {
            UserName = "Steve.J"
            Description = "This account is created using DSC"
            Password = $mycreds
            FullName = "Steve Jobs"
            PasswordNeverExpires = $true
            PasswordChangeRequired = $true
            Ensure = 'Present'
        }
    }
}
# No -ConfigurationData is passed, so PSDscAllowPlainTextPassword is not set
newLocalAdmin
Error : 3
If the password you specified in the script doesn't match your local password complexity configuration.
This error is logged in the DSC event log too. Below is the screenshot of the event.
Now, let's really get started again.
At this point you already know about the gotchas and the errors which you may face using the User Resource.
Solving the PSDscAllowPlainTextPassword issue.
The MOF file stores the password in plain text, and DSC does not allow plain-text passwords by default, so we need to enable it using the configuration data.
We can enable it by writing Configuration Data that allows the use of plain text on our Posh-Demo node, like the code block below.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName = "Posh-Demo";
            PSDscAllowPlainTextPassword = $true
        }
    )
}
# In $secpasswd we are using: Passw0rd##09
$secpasswd = ConvertTo-SecureString "Passw0rd##09" -AsPlainText -Force
# For the user name, use the name of the new user
$mycreds = New-Object System.Management.Automation.PSCredential ("UserName", $secpasswd)
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName = "Posh-Demo";
            # Allows the password to be written to the MOF file in plain text
            PSDscAllowPlainTextPassword = $true
        }
    )
}
Configuration newLocalAdmin
{
    # Build the PSCredential object that the Password parameter requires
    $secpasswd = ConvertTo-SecureString "Passw0rd##09" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("Steve.J", $secpasswd)
    Node 'Posh-Demo'
    {
        User adminUser
        {
            UserName = "Steve.J"
            Description = "This account is created using DSC"
            Password = $mycreds
            FullName = "Steve Jobs"
            PasswordNeverExpires = $true
            Ensure = 'Present'
        }
    }
}
# Run the configuration with the -ConfigurationData parameter and pass $ConfigData as the argument
newLocalAdmin -ConfigurationData $ConfigData
Always remember these 4 points regarding the User Resource.
The name of our script is newLocaluser. The name of the configuration script block is "newLocalAdmin". We are using the "User Resource".
We are enabling the use of plain text on the Posh-Demo server, and saving the configuration in the $ConfigData variable.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName = "Posh-Demo";
            PSDscAllowPlainTextPassword = $true
        }
    )
}
In the code below we are creating a password credential for our new user Steve.J.
$secpasswd = ConvertTo-SecureString "Passw0rd##09" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("Steve.J", $secpasswd)
The rest is self-explanatory.
UserName is set to: Steve.J
Description is set to: "This account is created using DSC"
Password: set using the PSCredential variable.
PasswordNeverExpires is set to: true, so that the password never expires for this user.
Ensure: makes sure this account is present.
UserName = "Steve.J"
Description = "This account is created using DSC"
Password = $mycreds
FullName = "Steve Jobs"
PasswordNeverExpires = $true
Ensure = 'Present'
Please don't forget to use -ConfigurationData $ConfigData when you run the script.
Let's run the script.
I ran the script and, as you can see, there are no errors and the MOF file is created.
Let's deploy it using
Start-DscConfiguration -Path .\newLocalAdmin -Wait -Verbose
You can see that the cmdlet ran successfully and no errors occurred.
Let's check our server and see if the user got created. Here you go!! It got created.
My last worry is to check that the password is set as we provided it. To check it, I ran Internet Explorer as the Steve.J user by choosing the "Run as different user" option,
and provided the name and the password of the user account which we just created,
and IE opened successfully. Yayyyy!!!!
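With PSDscAllowPlainTextPassword = $true, the password of Steve.J sits in readable form in the generated MOF file. The following is an added example, not part of the original post, showing the same User Resource with the credential encrypted in the MOF by a certificate and the password prompted for instead of hard-coded. The certificate path, the thumbprint placeholder and the names newLocalAdminEncrypted and $UserCredential are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumptions: the .cer file is the exported
# PUBLIC key of a certificate whose private key exists only on Posh-Demo; thumbprint is a placeholder.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'Posh-Demo'
            # Public key used on the authoring machine to encrypt credentials in the MOF
            CertificateFile = 'C:\DscCerts\Posh-Demo.cer'
            # Thumbprint of the certificate the target node uses to decrypt them
            Thumbprint      = '<THUMBPRINT-OF-POSH-DEMO-CERT>'
            # PSDscAllowPlainTextPassword is deliberately absent
        }
    )
}

Configuration newLocalAdminEncrypted
{
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $UserCredential
    )

    Node $AllNodes.NodeName
    {
        # Tell the node's Local Configuration Manager which certificate decrypts the MOF
        LocalConfigurationManager
        {
            CertificateID = $Node.Thumbprint
        }

        User adminUser
        {
            UserName             = $UserCredential.UserName
            Description          = 'This account is created using DSC'
            Password             = $UserCredential
            FullName             = 'Steve Jobs'
            PasswordNeverExpires = $true
            Ensure               = 'Present'
        }
    }
}

# Prompt for the password instead of embedding it in the script
$cred = Get-Credential -UserName 'Steve.J' -Message 'Password for the new local user'
newLocalAdminEncrypted -ConfigurationData $ConfigData -UserCredential $cred -OutputPath .\newLocalAdminEncrypted

# Apply the LCM settings (the .meta.mof) first, then the configuration itself
Set-DscLocalConfigurationManager -Path .\newLocalAdminEncrypted -Verbose
Start-DscConfiguration -Path .\newLocalAdminEncrypted -Wait -Verbose
```

After compiling, open the generated Posh-Demo.mof and confirm that the Password value no longer contains the clear-text password.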
That's all for today, and I hope you have enjoyed today's post.
Thanks
Regards
Aman Dhally