PowerShell / PSDscResources


Partial Security Template not processed. Test passes so nothing is set #178

Closed jeremyhagan closed 4 years ago

jeremyhagan commented 4 years ago

Details of the scenario you tried and the problem that is occurring

I am using the Security Template resource to import an INF file which contains only settings in the [System Access] and [Registry Values] sections. Using secedit to import the template works fine, but if I try to use the SecurityTemplate option, the output is as shown below.

Verbose logs showing the problem

    [SCCMTEST2]: LCM: [ Start Resource ] [[SecurityTemplate]SecurityOptions]
    [SCCMTEST2]: LCM: [ Start Test ] [[SecurityTemplate]SecurityOptions]
    [SCCMTEST2]: LCM: [ End Test ] [[SecurityTemplate]SecurityOptions] in 0.6400 seconds.
    [SCCMTEST2]: LCM: [ Skip Set ] [[SecurityTemplate]SecurityOptions]
    [SCCMTEST2]: LCM: [ End Resource ] [[SecurityTemplate]SecurityOptions]

Suggested solution to the issue

In reading the PowerShell (correct me if I am wrong) it seems that the Test section only looks at the USER_RIGHTS section of the exported policy as a comparison. Since my policy doesn't contain that section, there is nothing to compare and so the test succeeds.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

SecurityTemplate SecurityOptions
    {
        Path = "$PolicyFile"
        IsSingleInstance = 'Yes'
    }

Here is the inf file:

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [System Access]
    MinimumPasswordAge = 0
    MaximumPasswordAge = 60
    MinimumPasswordLength = 15
    PasswordComplexity = 1
    PasswordHistorySize = 24
    LockoutBadCount = 5
    ResetLockoutCount = 30
    LockoutDuration = -1
    LSAAnonymousNameLookup = 0
    EnableGuestAccount = 0
    [Registry Values]
    machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1
    machine\software\microsoft\windows\currentversion\policies\system\dontdisplayusername=4,1
    machine\software\microsoft\windows\currentversion\policies\system\DontDisplayLockedUserId=4,3
    machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,1
    machine\software\microsoft\windows\currentversion\policies\system\inactivitytimeoutsecs=4,900
    machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,"1"
    machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,1
    machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
    machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,1
    machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4,1
    machine\system\currentcontrolset\control\lsa\restrictanonymous=4,1
    machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess=4,1
    machine\system\currentcontrolset\control\lsa\nolmhash=4,1
    machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
    machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4,1
    machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4,537395200
    machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4,537395200
    machine\system\currentcontrolset\control\session manager\protectionmode=4,1
    machine\software\microsoft\windows\currentversion\policies\system\filteradministratortoken=4,1
    machine\software\microsoft\windows\currentversion\policies\system\enablevirtualization=4,1
    machine\software\microsoft\windows\currentversion\policies\system\enablesecureuiapaths=4,1
    machine\software\microsoft\windows\currentversion\policies\system\enablelua=4,1
    machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection=4,1
    machine\software\microsoft\windows\currentversion\policies\system\consentpromptbehavioruser=4,0
    machine\software\microsoft\windows\currentversion\policies\system\consentpromptbehavioradmin=4,2

The operating system the target node is running

    OsName               : Microsoft Windows Server 2019 Standard
    OsOperatingSystemSKU : StandardServerEdition
    OsArchitecture       : 64-bit
    WindowsVersion       : 1809
    WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
    OsLanguage           : en-US
    OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

    Name                       Value
    PSVersion                  5.1.17763.771
    PSEdition                  Desktop
    PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0...}
    BuildVersion               10.0.17763.771
    CLRVersion                 4.0.30319.42000
    WSManStackVersion          3.0
    PSRemotingProtocolVersion  2.3
    SerializationVersion       1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

2.10.0.0
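
An independent check for the situation reported above, where the resource's Test passes and Set is skipped: compare the template's [System Access] and [Registry Values] sections against an exported effective policy. This is an added example, not code from PSDscResources, SecurityPolicyDsc or the posters; the function names are hypothetical and the "effective" values are constructed sample data.

```powershell
# Added example: parse security-template INF text into section -> (setting -> value).
function ConvertFrom-SecurityInf {
    param([string[]]$Lines)
    $sections = @{}   # @{} compares string keys case-insensitively
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
            continue
        }
        $idx = $line.IndexOf('=')
        if ($null -eq $current -or $idx -lt 1) { continue }
        $sections[$current][$line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
    }
    return $sections
}

# Report every template setting whose effective value is missing or different.
function Compare-SecurityInf {
    param(
        [hashtable]$Template,
        [hashtable]$Effective,
        [string[]]$Sections = @('System Access', 'Registry Values')
    )
    foreach ($name in $Sections) {
        if (-not $Template.ContainsKey($name)) { continue }
        foreach ($key in $Template[$name].Keys) {
            $want = $Template[$name][$key]
            $have = $null
            if ($Effective.ContainsKey($name) -and $Effective[$name].ContainsKey($key)) {
                $have = $Effective[$name][$key]
            }
            if ($have -ne $want) {
                [pscustomobject]@{ Section = $name; Setting = $key; Expected = $want; Actual = $have }
            }
        }
    }
}

# Constructed sample data; on a real node export with: secedit /export /cfg $file /quiet
$template = ConvertFrom-SecurityInf -Lines @('[System Access]', 'MinimumPasswordLength = 15',
    'LockoutBadCount = 5', '[Registry Values]', 'machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5')
$effective = ConvertFrom-SecurityInf -Lines @('[System Access]', 'MinimumPasswordLength = 0',
    'LockoutBadCount = 5', '[Registry Values]', 'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3',
    '[Privilege Rights]', 'SeBackupPrivilege = *S-1-5-32-544')
Compare-SecurityInf -Template $template -Effective $effective | Format-Table -AutoSize
```

Values are compared as strings, so a setting that is absent from the export shows up with an empty Actual column rather than being skipped.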

PlagueHO commented 4 years ago

Hi @jeremyhagan,

Sorry about the delay in getting back to you:

This resource module doesn't contain a SecurityTemplate resource - where is this resource from?

jeremyhagan commented 4 years ago

Looks like I ended up posting this in the wrong resource. Sorry. It's meant to be in here: https://github.com/dsccommunity/SecurityPolicyDsc