ADObjectPermissionEntry: (Regression in 6.6.1) Cannot find a provider with the name 'DC=contoso,DC=local,Microsoft.ActiveDirectory.Management.dll\ActiveDirectory'

[Yvand]

Problem description

Using ADObjectPermissionEntry on Windows Server 2025 to grant a service account the permission replicating directory changes, I get this error:
Cannot find a provider with the name 'DC=contoso,DC=local,Microsoft.ActiveDirectory.Management.dll\ActiveDirectory'.

Verbose logs

VERBOSE: [2025-03-17 09:54:12Z] [VERBOSE] [SP]: LCM:  [ Start  Test     ]  
[[ADObjectPermissionEntry]GrantReplicatingDirectoryChanges]
VERBOSE: [2025-03-17 09:54:12Z] [VERBOSE] [SP]:                            
[[ADObjectPermissionEntry]GrantReplicatingDirectoryChanges] Retrieved the AD Drive full PSPath of 'Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/'. (OPE0008)
VERBOSE: [2025-03-17 09:54:12Z] [VERBOSE] [SP]: LCM:  [ End    Test     ]  
[[ADObjectPermissionEntry]GrantReplicatingDirectoryChanges]  in 0.2260 seconds.
VERBOSE: [2025-03-17 09:54:13Z] [ERROR] PowerShell DSC resource MSFT_ADObjectPermissionEntry  failed to execute Test-TargetResource functionality with error message: Cannot find a provider with the name 'DC=contoso,DC=local,Microsoft.ActiveDirectory.Management.dll\ActiveDirectory'.

DSC configuration

ADObjectPermissionEntry GrantReplicatingDirectoryChanges
{
	Ensure                             = 'Present'
	Path                               = "DC=contoso,DC=local"
	IdentityReference                  = "serviceAccountName"
	ActiveDirectoryRights              = 'ExtendedRight'
	AccessControlType                  = 'Allow'
	ObjectType                         = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" # Replicate Directory Changes Permission
	ActiveDirectorySecurityInheritance = 'All'
	InheritedObjectType                = '00000000-0000-0000-0000-000000000000'
	PsDscRunAsCredential               = $DomainAdminCredsQualified
}

Suggested solution

It seems to happen because the path contains the domain's DN as a prefix, which was not present in the previous versions of the module:
DC=contoso,DC=local,

Show the PSPath value for AD:

Import-Module ActiveDirectory
(Get-Item -Path 'AD:').PSPath
Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/

Operating system the target node is running

OsName               : Microsoft Windows Server 2025 Datacenter Azure Edition
OsOperatingSystemSKU : DatacenterAzureServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 26100.1.amd64fre.ge_release.240331-1435
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

PSVersion                      5.1.26100.2161
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.2161
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

ActiveDirectoryDsc version

Name               Version Path
----               ------- ----
ActiveDirectoryDsc 6.6.1   C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\ActiveDirectoryDsc.psd1

[Yvand]

@Borgquite @johlju FYI

[Borgquite]

@Yvand So sorry about this. I switched to using Join-Path and presumed all was well since the integration tests passed.

Turns out Join-Path won't work here, and there aren't any integration tests for ADObjectPermissionEntry. 🤦‍♂️

Can you let me know if the supplied pull seems to fix it for you? #728

Apologies again,

[Borgquite]

@johlju If @Yvand confirms this is working OK can we do a quick release here? The version we've put out, just doesn't work :/

[Yvand]

@Borgquite no worries at all, I fully understand the reasons why this can happen, since it already happened to me also.
I will test it today and let you know asap

[Yvand]

@Borgquite I confirm the change in #728 works fine:

VERBOSE: [2025-03-17 14:04:09Z] [VERBOSE] [SP]: LCM:  [ Start  Set      ]  
[[ADObjectPermissionEntry]GrantReplicatingDirectoryChanges]
VERBOSE: [2025-03-17 14:04:09Z] [VERBOSE] [SP]:                            
[[ADObjectPermissionEntry]GrantReplicatingDirectoryChanges] Retrieved the AD Drive full PSPath of 
'Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/'. (OPE0008)
VERBOSE: [2025-03-17 14:04:09Z] [VERBOSE] [SP]:                            
[[ADObjectPermissionEntry]GrantReplicatingDirectoryChanges] Adding object permission entry to object 
'DC=contoso,DC=local'. (OPE0003)
VERBOSE: [2025-03-17 14:04:09Z] [VERBOSE] [SP]: LCM:  [ End    Set      ]  
[[ADObjectPermissionEntry]GrantReplicatingDirectoryChanges]  in 0.1290 seconds.
VERBOSE: [2025-03-17 14:04:09Z] [VERBOSE] [SP]: LCM:  [ End    Resource ]  
[[ADObjectPermissionEntry]GrantReplicatingDirectoryChanges]

[johlju]

Yes I will merge and release a new version 😊