ayohrling / local_security_policy

Apache License 2.0

Corrective action happens every time #111

Closed shreedharagowda closed 2 years ago

Andy-Adrian commented 2 years ago

This can happen when you're setting the same things in both Puppet and Group Policy. Group Policy has back-end OS hooks to set things in ways that this module can't, so they will continually overwrite each other even though the end settings are functionally identical. If you are required to configure certain things through Group Policy, remove those configurations from your Puppet hieradata to avoid these notices.

That said, however, this does highlight a potential issue in the SID/Name validation function, so I will certainly look into that!

Andy-Adrian commented 2 years ago

Yeah, there's definitely something going wrong with the SID/Name validation. If you want to get past this quickly, replace the group names in your hieradata with their SIDs.

Andy-Adrian commented 2 years ago

For the blank values, you need to provide an empty string for it to write to the INI file:

    local_security_policy { 'Create permanent shared objects':
      ensure       => present,
      policy_value => '',
    }

ayohrling commented 2 years ago

My guess is that APPServices here is not validating properly and hitting the clause here: https://github.com/ayohrling/local_security_policy/blob/master/lib/puppet_x/lsp/security_policy.rb#L35 when looking up the user, thus just returning the SID itself. I would have to dig into why that is, as it's been a while since I looked at that validation.

Andy-Adrian commented 2 years ago

For the empty values, try ensure => absent. That should set it to an appropriate empty value. I have production examples where this works.

Andy-Adrian commented 2 years ago

For the User Rights enforcement, I have confirmed that using groups in the data is not idempotent using either the name or the group SID. Everything is getting resolved correctly, but Windows is resolving the group SID into the name during the secedit export, and the module is always importing the setting as the SID.
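The idempotency problem described above (secedit exporting names while the module imports SIDs) can be avoided by normalising both sides to SIDs before comparing. The following is an added illustration, not code from the local_security_policy module; the name-to-SID table is a constructed stand-in for the module's own lookup, and the APPServices group is deliberately left unresolved to show how a failed lookup surfaces.

```ruby
# Added example (not part of the local_security_policy module): normalise
# both sides of a user-rights assignment to SIDs before comparing them, so
# that a secedit export returning names and hieradata holding SIDs (or
# vice versa) do not trigger a corrective action on every Puppet run.

# Constructed lookup table standing in for the Windows name->SID resolution
# the module performs (well-known SIDs only; a real run resolves domain
# groups through the OS).
NAME_TO_SID = {
  'Administrators'        => 'S-1-5-32-544',
  'Users'                 => 'S-1-5-32-545',
  'NT AUTHORITY\\SERVICE' => 'S-1-5-6',
}.freeze

# Normalise one user-rights entry. A secedit export writes SIDs with a
# leading '*' and account names bare; hieradata may use either form.
def to_sid(entry)
  value = entry.strip.delete_prefix('*')
  return value if value.match?(/\AS-1-(\d+-)+\d+\z/) # already a SID
  # Unresolved names are returned unchanged so a lookup failure stays
  # visible in the comparison instead of being silently accepted as a SID.
  NAME_TO_SID.fetch(value, value)
end

# Split a comma-separated secedit / hieradata value into a canonical set.
def normalise(value)
  value.to_s.split(',').map { |e| to_sid(e) }.reject(&:empty?).sort.uniq
end

# True when current and desired refer to the same principals, regardless
# of whether each side spelled them as names or as SIDs.
def in_sync?(current, desired)
  normalise(current) == normalise(desired)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed values: what secedit exported vs what hieradata declares.
  exported = '*S-1-5-32-544,Users'
  desired  = 'Administrators,*S-1-5-32-545'
  puts in_sync?(exported, desired)                        # => true
  puts in_sync?(exported, 'Administrators,APPServices')   # => false
end
```

When `in_sync?` is false only because a name did not resolve, the unresolved name is the thing to investigate rather than the SID/name spelling difference.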