Windows - Remove domain groups from local group failure

We appear to have stumbled upon a bug with the GROUP resource block.

When we remove users from a local group like this, it fails. But when we run a create it works fine. So install works ok, remove doesn't. The variables are domain accounts.

log 'Remove service account to Users group - Start'
group "USERS" do
append true
members ["#{AppPoolAccount1}", "#{AppPoolAccount4}", "#{AppPoolAccount2}"]
action :remove
end
log 'Remove service account to Users group - End'

Is there a fix for this?

[2018-09-03T11:34:33+01:00] FATAL: Stacktrace dumped to C:/chef/cache/chef-stacktrace.out

[2018-09-03T11:34:33+01:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report

[2018-09-03T11:34:33+01:00] FATAL: ArgumentError: group[USERS] (postbuild_w2k12_agency_1_0::remove line 83) had an error

: ArgumentError: Cannot perform this operation on built-in accounts.

---- Begin Win32 API output ----

System Error Code: 1371

System Error Message: Cannot perform this operation on built-in accounts.

---- End Win32 API output ---

That error looks legitimate to me as the Users group cannot be removed. You're running the :remove action on the group named "Users".

Have a read of the docs (https://docs.chef.io/resource_group.html) - perhaps you need the :manage action and the excluded_members property of the user resource instead so that the resource can use the members property in the way you intended?

Stuart

Thank you. I have to admit I didn't understand the docs but after some playing I have fixed it.

Thanks again.