
Composite Resources like ADObjectPermissionEntry Are Not Implemented Properly #325

@NautaSquid

Description


Describe the Bug

"Composite" DSC resources (like ADObjectPermissionEntry) can't be retrieved or managed properly because they are unsupported by the Invoke-DscResource cmdlet.

Expected Behavior

Auto-generated DSC modules should be able to manage composite DSC resources like any other DSC resource; otherwise they should be excluded from auto-generated modules and documentation, as in this case, where dsc_adobjectpermissionentry is documented even though it will never work in its current state.

Additional Context

For context, I have been trying to use the dsc/activedirectorydsc module to manage ADObjectPermissionEntry resources where I have been getting failed runs.

After validating that I am formatting the resource parameters correctly in my Puppet class, I reviewed the debug logs and found the issue occurs when Puppet tries to call the Invoke-DscResource cmdlet.

I followed the testing steps outlined in Steps to Reproduce below and determined that the actual DSC resource seems to work fine when called directly, so I suspected this was an issue with the Invoke-DscResource cmdlet handling the input. I reached out to Microsoft Support with the same details, and they ultimately told me the following:

The Invoke-DscResource cmdlet is intended for use with native DSC resources, but it does not support composite or parameterized configurations. Resources like ADObjectPermissionEntry, while not formally marked as composite, are implemented in a way that requires them to be managed as part of a full DSC configuration document.

This limitation is documented in the official Invoke-DscResource documentation, which states:

"This cmdlet doesn't work with composite resources. Composite resources are parameterized configurations. Using composite resources requires the LCM (Local Configuration Manager)."

Directly invoking the ADObjectPermissionEntry resource using Invoke-DscResource will result in serialization errors and is not a supported scenario.

Based on this, it sounds like the ADObjectPermissionEntry DSC resource, and any other "composite" resources, can't be retrieved or managed properly with the Invoke-DscResource cmdlet.

Steps to Reproduce

I wrote a basic PowerShell script that should recreate the PowerShell commands Puppet runs when it tries to get the current state and encounters an error:

```powershell
# Placeholders: substitute the group name and the OU relative distinguished name.
$Identity = '<Group Name>'
$OuDistinguishedName = '<OU=ExampleOU>'

# Make sure the latest published ActiveDirectoryDsc module is installed and loaded.
$ModuleName = 'ActiveDirectoryDsc'
$LatestModuleVersion = (Find-Module -Name $ModuleName).Version
$LatestVersionInstalled = [bool](Get-InstalledModule | Where-Object { $_.Name -eq $ModuleName -and $_.Version -eq $LatestModuleVersion })
if (-not $LatestVersionInstalled) { Install-Module -Name $ModuleName -RequiredVersion $LatestModuleVersion -Force }
Import-Module $ModuleName

$Domain = Get-ADDomain
$AccessControlType                  = 'Allow'
$ActiveDirectorySecurityInheritance = 'Descendents'
$IdentityReference                  = "$($env:USERDOMAIN)\$($Identity)"
$InheritedObjectType                = '00000000-0000-0000-0000-000000000000'
$ObjectType                         = 'bf967a0a-0de6-11d0-a285-00aa003049e2' # "pwdLastSet" as an example
$Path                               = "$($OuDistinguishedName),$($Domain.DistinguishedName)"

# Same shape of call that Puppet makes: resource name, method, property hashtable, module.
$InvokeParams = @{
    Name = 'ADObjectPermissionEntry'
    Method = 'get'
    Property = @{
        accesscontroltype                  = $AccessControlType
        activedirectorysecurityinheritance = $ActiveDirectorySecurityInheritance
        identityreference                  = $IdentityReference
        inheritedobjecttype                = $InheritedObjectType
        objecttype                         = $ObjectType
        path                               = $Path
    }
    ModuleName = $ModuleName
}

$Result = Invoke-DscResource @InvokeParams -Verbose
```

Sure enough! The Invoke-DscResource command encounters an error: "Failed to serialize properties into a CIM Instance".

To validate this wasn't an issue with the ActiveDirectoryDsc module, I tried importing the DSC resource directly into a working PowerShell session and running the get command directly.

```powershell
# Placeholders: substitute the group name and the OU relative distinguished name.
$Identity = '<Group Name>'
$OuDistinguishedName = '<OU=ExampleOU>'

$ModuleName = 'ActiveDirectoryDsc'
$LatestModuleVersion = (Find-Module -Name $ModuleName).Version
$LatestVersionInstalled = [bool](Get-InstalledModule | Where-Object { $_.Name -eq $ModuleName -and $_.Version -eq $LatestModuleVersion })
if (-not $LatestVersionInstalled) { Install-Module -Name $ModuleName -RequiredVersion $LatestModuleVersion -Force }
# Import the resource's implementing module directly rather than the DSC module wrapper.
Import-Module "C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\6.6.2\DSCResources\MSFT_ADObjectPermissionEntry\MSFT_ADObjectPermissionEntry.psm1"

$Domain = Get-ADDomain
$AccessControlType                  = 'Allow'
$ActiveDirectorySecurityInheritance = 'Descendents'
$IdentityReference                  = "$($env:USERDOMAIN)\$($Identity)"
$InheritedObjectType                = '00000000-0000-0000-0000-000000000000'
$ObjectType                         = 'bf967a0a-0de6-11d0-a285-00aa003049e2' # "pwdLastSet" as an example
$Path                               = "$($OuDistinguishedName),$($Domain.DistinguishedName)"

# Same properties as before, splatted straight into the resource's Get-TargetResource function.
$Params = @{
    accesscontroltype                  = $AccessControlType
    activedirectorysecurityinheritance = $ActiveDirectorySecurityInheritance
    identityreference                  = $IdentityReference
    inheritedobjecttype                = $InheritedObjectType
    objecttype                         = $ObjectType
    path                               = $Path
}

$Result = Get-TargetResource @Params -Verbose
```

Lo and behold! This returns an instance of the DSC resource as expected.
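The two experiments above can be folded into one helper that a Puppet-style caller could use: it refuses resources that Get-DscResource reports as composite, tries Invoke-DscResource first, and on the serialization failure seen here falls back to the resource's own *-TargetResource function located via the resource's Path. This is an added example, not code from the issue or from the puppetlabs DSC modules; the function name Invoke-DscResourceWithFallback and the 'serialize' message match are assumptions based on the error text quoted in this issue.

```powershell
function Invoke-DscResourceWithFallback {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ModuleName,
        [Parameter(Mandatory)] [ValidateSet('Get', 'Set', 'Test')] [string] $Method,
        [Parameter(Mandatory)] [hashtable] $Property
    )

    # Get-DscResource reports how the resource is implemented and the path of its .psm1.
    $resource = Get-DscResource -Name $Name -Module $ModuleName -ErrorAction Stop |
        Sort-Object Version -Descending | Select-Object -First 1

    # Formally composite resources need the LCM; fail fast instead of producing a confusing error.
    # (As the issue notes, ADObjectPermissionEntry is NOT marked this way, so the fallback below
    # is what actually covers it.)
    if ($resource.ImplementedAs -eq 'Composite') {
        throw "Resource '$Name' is composite; Invoke-DscResource cannot manage it (LCM required)."
    }

    try {
        return Invoke-DscResource -Name $Name -ModuleName $ModuleName -Method $Method `
            -Property $Property -ErrorAction Stop
    }
    catch {
        # Only the CIM serialization failure is handled here; anything else is a real error.
        if ($_.Exception.Message -notmatch 'serialize') { throw }
        Write-Verbose "Invoke-DscResource failed ($($_.Exception.Message)); calling $Method-TargetResource directly."

        # Import the implementing .psm1 and call its *-TargetResource function by module handle,
        # so several resources can be loaded without their identically named functions colliding.
        $module  = Import-Module -Name $resource.Path -PassThru -Force -ErrorAction Stop
        $command = $module.ExportedCommands["$Method-TargetResource"]
        if (-not $command) { throw "$($resource.Path) does not export $Method-TargetResource." }
        return & $command @Property
    }
}

# Constructed usage mirroring the issue's repro (placeholders must be substituted):
$state = Invoke-DscResourceWithFallback -Name 'ADObjectPermissionEntry' -ModuleName 'ActiveDirectoryDsc' -Method Get -Property @{
    accesscontroltype                  = 'Allow'
    activedirectorysecurityinheritance = 'Descendents'
    identityreference                  = "$($env:USERDOMAIN)\<Group Name>"
    inheritedobjecttype                = '00000000-0000-0000-0000-000000000000'
    objecttype                         = 'bf967a0a-0de6-11d0-a285-00aa003049e2'
    path                               = "<OU=ExampleOU>,$((Get-ADDomain).DistinguishedName)"
} -Verbose
```

Because the fallback bypasses the CIM serialization step, the hashtable it returns is the raw output of Get-TargetResource and is not a CIM instance; callers that compare desired and current state should treat it as such.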

Environment

  • Puppet Agent 8.10.0
  • Tested on Windows Server 2019 and 2022
