
ADManagedServiceAccount: Add support for setting the SAM account name and (common) name separately #644

Closed
Antiohne opened this issue Jan 20, 2021 · 5 comments · Fixed by #661 · May be fixed by #659
Labels
enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.

Comments

@Antiohne
Contributor

Antiohne commented Jan 20, 2021

Details of the scenario you tried and the problem that is occurring

The ADManagedServiceAccount DSC resource configures Managed Service Accounts via the ServiceAccountName parameter only with the Security Account Manager (SAM) account name, and the specified value is also applied to the (common) name of the object. When using the New-ADServiceAccount cmdlet you have to configure the SAM account name with its 15-character limit, but you can also configure the (common) name with a longer, more friendly name.

Example:

New-ADServiceAccount -Name "MyMoreFancyServiceLongName01" -SamAccountName "Service01" -DNSHostName "MyMoreFancyServiceLongName01.mydomain.com"

This results in a Managed Service Account with a distinguished name of CN=MyMoreFancyServiceLongName01,CN=Managed Service Accounts,DC=mydomain,DC=com instead of CN=Service01,CN=Managed Service Accounts,DC=mydomain,DC=com, which is generated by the current DSC resource. Trying to use the longer name with the DSC task will result in a fault that indicates the length restriction regarding SAM account names.

Verbose logs showing the problem

N/A

Suggested solution to the issue

Please add an option to specify the SAM account name and the name separately in the ADManagedServiceAccount DSC resource.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc

    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            AccountType = 'Standalone'
        }
    }
}

The operating system the target node is running

Windows Server 2019

Version and build of PowerShell the target node is running

PSVersion: 5.1.17763.1490
PSEdition: Desktop
PSCompatibleVersions: {1.0, 2.0, 3.0, 4.0...}
BuildVersion: 10.0.17763.1490
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1

Version of the DSC module that was used

6.0.1

@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels Jan 23, 2021
@Antiohne
Contributor Author

The requested behavior is similar to AD User. I did some research on how to implement this feature. Based on the implementation of the code in ActiveDirectoryDsc.Common.psm1 and MSFT_ADUser.ps1, a CommonName parameter implementation should be added to ADManagedServiceAccount for the long name. The ServiceAccountName will set the SamAccountName and the CommonName if no CommonName is specified. This behavior is already implemented in ActiveDirectoryDsc.Common.psm1, so only modifications in the MSFT_ADManagedServiceAccounts.psm1 file and its Pester tests are expected.

Configuration ADManagedServiceAccount_CreateManagedServiceAccount_Config
{
    Import-DscResource -Module ActiveDirectoryDsc

    Node localhost
    {
        ADManagedServiceAccount 'ExampleStandaloneMSA'
        {
            Ensure = 'Present'
            ServiceAccountName = 'Service01'
            CommonName = 'MyMoreFancyServiceLongName01'
            AccountType = 'Standalone'
        }
    }
}
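The fallback described in the comment above (ServiceAccountName supplies the SAM account name, and also the common name unless CommonName is given), written as an added helper that is not part of ActiveDirectoryDsc; the function name, the optional DnsHostName parameter and the 15-character check are assumptions for illustration, and the hashtable it returns is meant to be splatted to New-ADServiceAccount.

```powershell
function Get-ManagedServiceAccountParameter
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $ServiceAccountName,

        [Parameter()]
        [System.String]
        $CommonName,

        [Parameter()]
        [System.String]
        $DnsHostName
    )

    # Assumed from the issue text: the SAM account name of a managed service account
    # may not exceed 15 characters. Fail early with a clear message instead of letting
    # New-ADServiceAccount reject the value later.
    $maxSamLength = 15

    if ($ServiceAccountName.Length -gt $maxSamLength)
    {
        throw ("ServiceAccountName '{0}' is {1} characters long; the SAM account name may not exceed {2} characters. Put the longer friendly name in CommonName instead." -f $ServiceAccountName, $ServiceAccountName.Length, $maxSamLength)
    }

    # Fallback proposed in the issue: without CommonName the SAM account name
    # is also used as the object (common) name, which is the current behavior.
    if ([System.String]::IsNullOrEmpty($CommonName))
    {
        $CommonName = $ServiceAccountName
    }

    $newParameters = @{
        Name           = $CommonName
        SamAccountName = $ServiceAccountName
    }

    # DNSHostName is only relevant for group managed service accounts, so add it only when supplied.
    if (-not [System.String]::IsNullOrEmpty($DnsHostName))
    {
        $newParameters['DNSHostName'] = $DnsHostName
    }

    return $newParameters
}

# Mirrors the New-ADServiceAccount example from the issue; splat the result with New-ADServiceAccount @newParameters.
$newParameters = Get-ManagedServiceAccountParameter -ServiceAccountName 'Service01' -CommonName 'MyMoreFancyServiceLongName01' -DnsHostName 'MyMoreFancyServiceLongName01.mydomain.com'
```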

@Antiohne
Contributor Author

Antiohne commented Feb 6, 2021

I am trying to implement it based on the ADUser implementation.

@gaelicWizard

@Antiohne, I've just put in a PR which I believe addresses this use case. If you have time, could you look if it would solve your need?

@Antiohne
Contributor Author

@gaelicWizard, I've just tested the code from your PR, and you can find my reaction there.

@Antiohne
Contributor Author

Antiohne commented Jun 5, 2021

@gaelicWizard @johlju I've just opened PR #661 which implements the requested behavior.
