PowerShell provider MSFT_ScriptResource failed to execute Test-TargetResource functionality with error message: The expression after '&' in a pipeline element produced an object that was not valid. It must result in a command name, a script block, or a C

  • Question

  • I found this article, and used it, and it seems as though my script resource node items are being properly expanded, and honestly I think it passes through being loaded up, but then when I go to start it, it fails. So let me put up some links with code and error messages for you all.

    http://social.technet.microsoft.com/Forums/exchange/en-US/2eb97d67-f1fb-4857-8840-de9c4cb9cae0/dsc-configuration-data-for-script-resources

    Ok, so here is my configuration. The idea is that I need some specific permissions set on a specific registry key on my sql servers. This is so I can do the SQL LowPriv monitoring. I'm just setting one key right now, premise is once this is working I can then duplicate that for the remaining keys.

    https://gist.github.com/jeffpatton1971/1bfb19a06782f0975f6e

    When I paste that into the prompt it appears to be perfectly happy

    https://gist.github.com/jeffpatton1971/3aeb568130988a460738

    In fact, the resulting MOF file looks ok to me

    https://gist.github.com/jeffpatton1971/a94858f0c1e9e5612f90

    When I attempt to start the configuration on my local machine, which has the key this is what I get

    https://gist.github.com/jeffpatton1971/82da888bb7aac31ef4ad

    lol...well so it's a different error now, I removed a credential param that I wasn't using, so now I'm left with an & that I can't seem to find anywhere... at any rate...so now my issue has become where is the bad &? I'm going back to the internets to see if there is something akin to this error, and I'm open to any questions. The most pressing one is why are my scriptblocks all smooshed together? Well, early on I was wondering if random whitespace and extra characters were mucking up the waters. I may actually dial down the script and see if I can add things until I get the error as well.


    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Wednesday, July 2, 2014 9:36 PM

Answers

  • Jeffrey was looking at a previous version of the module from the download page. The module must be at least at version 3.0 to use the DSC resources.
    Friday, July 4, 2014 12:24 PM

All replies

  • I looked at the first link, and it looks like you might be missing quotes around the $Node.ActionAccount part of the comparison, which would cause the script block creation to fail. Maybe change the sections that look like this:

    Where-Object {$_.IdentityReference -eq $Node.ActionAccount}

    to this:

    Where-Object {$_.IdentityReference -eq '$Node.ActionAccount'}

    If you're looking to do permission changes with DSC, I'm actually looking for testers for my PowerShellAccessControl module. The 3.0 beta has two DSC resources: cAccessControlEntry (lets you make sure an ACE is present or absent) and cSecurityDescriptor (lets you specify an SDDL string for an object). The current cSecurityDescriptor is going to be called cSecurityDescriptorSddl in a future release, and a new cSecurityDescriptor is going to be added that lets you control the different sections without using SDDL. If you were to use it, I think you could change your configuration to the following (at least for the permission part):

    Configuration SQLLowPrivRegistry {
        param(
            [string[]] $ComputerName = "localhost"
        )
    
        Import-DscResource -Module PowerShellAccessControl
    
        Node $ComputerName {
            cAccessControlEntry TopLevelActionAccountPermissions {
                Ensure = "Present"
                Path = "HKLM:\Software\Microsoft\Microsoft SQL Server\"
                ObjectType = "RegistryKey"
                AceType = "AccessAllowed"
                AccessMask = ([System.Security.AccessControl.RegistryRights]::ReadKey)
                Principal = "DOMAIN\SqlDefaultAction_sa"
            }
        }
    }

    What you're doing should work just fine, so I'm not saying you need to use mine. If you do get a chance to look at it, though, please let me know what you think (or if it even works). There are two scripts in the examples folder of the module that demo more with the two resources (hopefully that will do until I finalize the documentation).

    Wednesday, July 2, 2014 11:19 PM
  • Rohn,

    I might agree with you, but if you look at the .MOF that gets created (https://gist.github.com/jeffpatton1971/a94858f0c1e9e5612f90) the variables are all properly expanded that get passed in. That's what that little function Format-DscScriptBlock handles from the forum post I listed earlier.

    I'll take a look at your project, I've done a little bit of custom DSC resources as well, was just really hoping that I could just use the script resource. But, I don't know that it's where I need to be, and if it ever will be. In reading last night I came across a couple of articles (Non-MS) that talked about the script resource being useful for small things, but if you needed to do something more complex (say set permissions on registries..lol) that you may be better off rolling your own.


    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Thursday, July 3, 2014 12:45 PM
  • The actual script is valid. I think what's going on, though, is the string that your Format-DscScriptBlock is producing isn't a valid scriptblock because of the missing quotes. It produces a valid string, and when the LCM tries to create a scriptblock, it fails. Run these two lines on your system (the first one should produce an error):

    # Fails because scriptblock creation fails (no quotes around the bits string):
    & ([scriptblock]::Create('Get-Service b* | where { $_.Name -eq bits }'))
    
    # Succeeds:
    & ([scriptblock]::Create('Get-Service b* | where { $_.Name -eq "bits" }'))
    

    Thursday, July 3, 2014 1:06 PM
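
An added example (not part of the thread, and not the Format-DscScriptBlock function the posts refer to): it reproduces the failure discussed above, where a value substituted unquoted into script text yields a string that cannot be turned into a scriptblock, and shows a parse-only check that catches it before the MOF reaches the LCM. `Expand-NodeToken` and `Test-ScriptText` are hypothetical helper names, and the script template is constructed sample input.

```powershell
# Added example: hypothetical helpers, not from the thread or any module it names.
function Expand-NodeToken {
    # Replace each $Node.<Name> token with a single-quoted PowerShell literal.
    param(
        [Parameter(Mandatory)] [string]    $ScriptText,
        [Parameter(Mandatory)] [hashtable] $Node
    )
    [regex]::Replace($ScriptText, '\$Node\.(\w+)', {
        param($match)
        $name = $match.Groups[1].Value
        if (-not $Node.ContainsKey($name)) { throw "No value supplied for `$Node.$name" }
        # Double any embedded single quote so the value cannot close the literal early.
        "'" + ([string]$Node[$name]).Replace("'", "''") + "'"
    })
}

function Test-ScriptText {
    # Parse only; nothing is executed. Emits the parser's errors (none = valid text).
    param([Parameter(Mandatory)] [string] $ScriptText)
    $tokens = $null
    $errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    $errors
}

# Constructed sample input, modelled on the comparison quoted in the thread.
$nodeData = @{ ActionAccount = 'DOMAIN\SqlDefaultAction_sa' }
$template = '(Get-Acl -Path "HKLM:\Software\Microsoft\Microsoft SQL Server").Access | ' +
            'Where-Object { $_.IdentityReference -eq $Node.ActionAccount }'

# Plain text substitution leaves a bare word after -eq, which is a parse error.
$naive  = $template.Replace('$Node.ActionAccount', $nodeData.ActionAccount)
# Quoted substitution produces a string literal, which parses.
$quoted = Expand-NodeToken -ScriptText $template -Node $nodeData

foreach ($candidate in $naive, $quoted) {
    $problems = @(Test-ScriptText -ScriptText $candidate)
    if ($problems.Count -gt 0) {
        "INVALID: $candidate"
        $problems | ForEach-Object { "  line $($_.Extent.StartLineNumber): $($_.Message)" }
    }
    else {
        "OK:      $candidate"
    }
}
```

Running the same check over the GetScript, TestScript and SetScript strings of a compiled MOF reports the parse error at authoring time instead of when Start-DscConfiguration runs.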
  • Indeed that did work! I'll check that out in my code, in the meantime I've got a weird problem

    PS C:\projects\DSC-WorkInProgress> Import-DscResource -Module PowerShellAccessCo
    ntrol
    Import-DscResource : The term 'Import-DscResource' is not recognized as the
    name of a cmdlet, function, script file, or operable program. Check the
    spelling of the name, or if a path was included, verify that the path is
    correct and try again.
    At line:1 char:1
    + Import-DscResource -Module PowerShellAccessControl
    + ~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Import-DscResource:String) [],
       CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    
    PS C:\projects\DSC-WorkInProgress> Get-HotFix |Where-Object -Property HotFixID -
    eq kb2883200
    
    Source        Description      HotFixID      InstalledBy          InstalledOn
    ------        -----------      --------      -----------          -----------
    IT08082       Update           KB2883200     it08082\Administr... 9/30/2013 ...
    
    
    PS C:\projects\DSC-WorkInProgress> Get-Command -Module PSDesiredStateConfigurati
    on |Select-Object -Property Name
    
    Name
    ----
    Configuration
    Get-DscConfiguration
    Get-DscLocalConfigurationManager
    Get-DscResource
    New-DSCCheckSum
    Restore-DscConfiguration
    Test-DscConfiguration
    Set-DscLocalConfigurationManager
    Start-DscConfiguration

    I had found an article (http://www.ashleypoole.co.uk/2014/where-is-import-dscresource-in-powershell-dsc/) that mentioned you need kb2883200 in order to see the import-dscresource, but I have that and still no import-dscresource.

    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Thursday, July 3, 2014 1:15 PM
  • Never mind, I figured out the Import-DscResource....they should really fix that!

    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Thursday, July 3, 2014 1:18 PM
  • Yeah, I think it only works inside a configuration definition. Is that what you had to do to fix it?
    Thursday, July 3, 2014 1:19 PM
  • That got rid of the command not found error, I have this module stored in \users\jspatton\documents\windows powershell\modules and I'm getting this when I attempt to compile the MOF

    PSDesiredStateConfiguration\Node : The term 'cAccessControlEntry' is not
    recognized as the name of a cmdlet, function, script file, or operable
    program. Check the spelling of the name, or if a path was included, verify
    that the path is correct and try again.
    At line:4 char:5
    +     Node $AllNodes.NodeName
    +     ~~~~
        + CategoryInfo          : ObjectNotFound: (cAccessControlEntry:String) [PS
       DesiredStateConfiguration\node], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : CommandNotFoundException,PSDesiredStateConfigura
       tion\node


    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Thursday, July 3, 2014 1:20 PM
  • I remember having some issues getting it to notice where the resources were located until I moved the module to "C:\Program Files\WindowsPowerShell\Modules". I think it needs to be in a system wide location so that the LCM can access it when it runs the configuration. I'm still pretty new to DSC myself, so take that with a grain of salt.
    Thursday, July 3, 2014 1:23 PM
  • I have my rig set up for signed modules, since that's how we roll them internally..sigh..I always forget that. I'll be happy to test out your stuff, why don't you shoot me an email or something

    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Thursday, July 3, 2014 1:26 PM
  • I moved Import-DscResource down inside the configuration section, and now I have red wavy's after it

    https://gist.github.com/jeffpatton1971/d1756016a2d5ad27843f

    I feel as though I'm missing something stupid. I'm running Windows 8.1 Enterprise and Windows 8.1 Pro and am getting this on both systems. Both systems are all patched up to my knowledge. I'm running PowerShell 4

    Name             : ConsoleHost
    Version          : 4.0
    InstanceId       : fcc8b5f6-d373-4f8b-8ab3-09c9aa89373b
    UI               : System.Management.Automation.Internal.Host.InternalHostUserI
                       nterface
    CurrentCulture   : en-US
    CurrentUICulture : en-US
    PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
    IsRunspacePushed : False
    Runspace         : System.Management.Automation.Runspaces.LocalRunspace


    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Thursday, July 3, 2014 1:36 PM
  • Hmmm. Do you see either of the resources (cSecurityDescriptor or cAccessControlEntry) when you run Get-DscResource? Have you tried one of the example scripts included in the module? I've only tested these on three computers, but moving it to the second and third systems just consisted of putting the module in the Program Files location. I'll have to test it on a fresh VM later to see if it fails.

    Is your e-mail address on your website?

    Thursday, July 3, 2014 1:50 PM
  • No, not seeing anything cAccesscontrolentry is not recognized as the name of a cmdlet...

    it's Jeffrey @ patton-tech . com


    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Thursday, July 3, 2014 1:52 PM
  • Last thing I can think of: try to explicitly import the module or use one of the commands from the module, e.g., 'Get-AccessControlEntry c:\'.

    I'll send you an e-mail and we can try to work this out there. If we get it working, we can update this post.

    Thursday, July 3, 2014 1:54 PM