Day 22: Managing Linux Users and Groups using PowerShell DSC

As I mentioned in last week’s article, Day 17: Managing Linux Files using PowerShell DSC, this week we’ll be discussing how to manage Linux Users and Groups in Ubuntu and CentOS using PowerShell DSC.

Introduction to the MSFT_nxUserResource Class

By default, the MOF file, MSFT_nxUserResource.schema.mof, is installed in the following path when you install the nx-PSModule:

C:\Windows\System32\WindowsPowerShell\v1.0\Modules\nx\DSCResources\MSFT_nxUserResource

 

The contents of the MOF file are below:

 

Below is a quick breakdown of what’s important:

— We need to provide the UserName of the Account we are referring to.
— We need to provide a value of Present or Absent as to whether we want this account to exist or not.

The rest of the options listed above are optional and should be based upon your requirements. Please note, however, that there are some issues with the Password and PasswordChangeRequired Features that are detailed in the Additional Notes section at the bottom of this post.

Additionally, if you do not include a path for the Home Directory in CentOS, the User's Home Directory will be created in the following path:
/home/
Conversely, in Ubuntu, you need to provide the HomeDirectory value or else one will not be created. Additionally, providing the HomeDirectory in Ubuntu after the User has been added will not create the Home Directory Folder.

Upon removal of the User (Ubuntu and CentOS), the User’s home directory will remain in place.

 

Introduction to the MSFT_nxGroupResource Class

By default, the MOF file, MSFT_nxGroupResource.schema.mof, is installed in the following path when you install the nx-PSModule:
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\nx\DSCResources\MSFT_nxGroupResource
The contents of the MOF file are below:

 

Below is a quick breakdown of what’s important:

— We need to provide the name of the Group in the GroupName field.
— We need to provide a value of Present or Absent as to whether we want this group to exist or not.

These are the only two required items in order to create or remove a Group on a Linux Host. However, when utilizing the Members, MembersToInclude, or MembersToExclude values, make sure you create an array list that is formatted as follows:

 

Additionally, the Members, MembersToInclude, or MembersToExclude fields cannot be used in the same DSC Configuration. One way to get around this is to create separate DSC Configuration Files for each category for each Group that you are managing.

For example, if I had a Group called twizzlers that I wanted to be comprised of the users red and black but exclude the user purple, I would break up these requirements as follows:

DSC File 1 Configuration – Twizzlers Group: include Red and Black Users

 

DSC File 2 – Twizzlers Group: Exclude the user Purple

 

Although the example used above could be utilized, in most cases it should be sufficient to simply manage users using the Members field for managing Groups.
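The twizzlers split described above, written out as an added example (not the code from the original post). The configuration names and output folders are hypothetical, and it assumes the nx module is installed on the DSC scripting host. It compiles each configuration into its own folder so the two MOF files for the same node do not overwrite each other.

```powershell
# Added example: one nxGroup membership field per configuration.
Configuration TwizzlersInclude    # hypothetical name
{
    param([Parameter(Mandatory)] [string] $NodeName)
    Import-DscResource -Module nx

    Node $NodeName
    {
        nxGroup Twizzlers
        {
            GroupName        = 'twizzlers'
            Ensure           = 'Present'
            # Member lists are passed as a PowerShell string array.
            MembersToInclude = @('red', 'black')
        }
    }
}

Configuration TwizzlersExclude    # hypothetical name
{
    param([Parameter(Mandatory)] [string] $NodeName)
    Import-DscResource -Module nx

    Node $NodeName
    {
        nxGroup Twizzlers
        {
            GroupName        = 'twizzlers'
            Ensure           = 'Present'
            MembersToExclude = @('purple')
        }
    }
}

$Node = '<COMPUTERNAME>'    # replace with the name of your Linux host

# Separate output folders: both configurations emit a file named <node>.mof.
TwizzlersInclude -NodeName $Node -OutputPath 'C:\LinuxConfigs\twizzlers-include'
TwizzlersExclude -NodeName $Node -OutputPath 'C:\LinuxConfigs\twizzlers-exclude'

# Review which membership field each generated MOF carries before pushing it.
Get-ChildItem 'C:\LinuxConfigs\twizzlers-*' -Filter *.mof -Recurse |
    Select-String -Pattern 'Members'
```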

 

Sample Script for managing Linux Users and Groups in Ubuntu 12.04

Below is a sample Script that adds the user account scom-svc-ubuntu to the Ubuntu Host. The Script ensures that the user account is created if it doesn’t exist and sets its Full Name and Description in the process. No Password is set.

Additionally, a Group called scom-svc-users is created and has both the root and scom-svc-ubuntu accounts added to it.

To use this script, first create the following directory on your DSC Scripting Host: C:\LinuxConfigs. Next, replace the value <COMPUTERNAME> in the $LinuxServer variable next to the -ComputerName: switch, with the name of your Ubuntu Host.

 

 

Sample Script for managing Linux Users and Groups in CentOS 6.2

Below is a sample Script that adds the user account, scom-svc-centos, to the CentOS Host. The Script ensures that the user account is created if it doesn’t exist and sets its Full Name and Description in the process. No Password is set.

Additionally, a Group called scom-svc-users is created and has both the root and scom-svc-centos accounts added to it.

To use this script, first create the following directory on your DSC Scripting Host: C:\LinuxConfigs. Next, replace the value <COMPUTERNAME> in the $LinuxServer variable next to the -ComputerName: switch, with the name of your CentOS Host.
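As an added example (not the script from the original post), a single parameterized configuration can cover both the Ubuntu and CentOS walk-throughs above. It assumes the nx module on the scripting host, root credentials for the push, OMI listening on port 5986 with a certificate this host trusts, and the hypothetical names ScomSvcAccount, ServiceAccount and ServiceGroup.

```powershell
# Added example: user plus group for either distribution, no password set.
# FullName and Description are constructed sample values.
Configuration ScomSvcAccount    # hypothetical name
{
    param(
        [Parameter(Mandatory)] [string] $NodeName,
        [Parameter(Mandatory)] [string] $UserName
    )
    Import-DscResource -Module nx

    Node $NodeName
    {
        nxUser ServiceAccount
        {
            UserName      = $UserName
            Ensure        = 'Present'
            FullName      = 'SCOM Service Account'
            Description   = 'SCOM monitoring account'
            # Set explicitly so Ubuntu and CentOS end up with the same layout.
            HomeDirectory = "/home/$UserName"
        }

        nxGroup ServiceGroup
        {
            GroupName = 'scom-svc-users'
            Ensure    = 'Present'
            Members   = @('root', $UserName)
            DependsOn = '[nxUser]ServiceAccount'    # create the user first
        }
    }
}

$Node = '<COMPUTERNAME>'    # replace with the name of your Linux host
# Use 'scom-svc-centos' as the user name for the CentOS host.
ScomSvcAccount -NodeName $Node -UserName 'scom-svc-ubuntu' -OutputPath 'C:\LinuxConfigs'

# -UseSsl on its own leaves certificate validation enabled, so the push only
# proceeds when the server certificate on the Linux host is trusted here.
$Cred        = Get-Credential -UserName 'root' -Message "root password on $Node"
$Opt         = New-CimSessionOption -UseSsl
$LinuxServer = New-CimSession -ComputerName $Node -Credential $Cred -Port 5986 -Authentication Basic -SessionOption $Opt

Start-DscConfiguration -Path 'C:\LinuxConfigs' -CimSession $LinuxServer -Wait -Verbose
Get-DscConfiguration -CimSession $LinuxServer    # read back what was applied
```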

 

 

Additional Notes

If a user that you are attempting to remove is currently logged in, the removal process invoked by PowerShell DSC will fail with the following error message:

The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/…gurationManager:String) [], CimException
+ FullyQualifiedErrorId : OMI:MI_Result:1
+ PSComputerName : LXDSCCENTOS193.scom.local

 

When attempting to set the Password of the User you are creating, the password will have to be reset from another account with sudo rights or the root account. Attempting to reset the password directly from the User that you created will result in the following error message on the Linux Host:

passwd: Authentication token manipulation error

 

 

Conclusion

Because of the Password limitation described above, in next week’s post we’ll be addressing this issue by pushing out a custom Script using PowerShell DSC that will reset the User’s Password to a specified value. Additionally, Managing Linux Scripts with PowerShell DSC will be the primary focus of next week’s post.

 

Previous Installments

100 Days of DevOps with PowerShell

 

 

 
