search

dsccommunity / ComputerManagementDsc

DSC resources for for configuration of a Windows computer. These DSC resources allow you to perform computer management tasks, such as renaming the computer, joining a domain and scheduling tasks as well as configuring items such as virtual memory, event logs, time zones and power settings.
https://dsccommunity.org
MIT License
295 stars 81 forks source link

FilterAdministratorToken of UserAccountControl #412

Closed schnyders closed 2 months ago

schnyders commented 1 year ago

Problem description

Based on MS documentation FilterAdministratorToken (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/7c705718-f58e-4886-8057-37c8fd9aede1) is a registry key of type REG_DWORD. The key does not exists by default. Resource is creating a registry key with type REG_SZ instead of REG_DWORD

Verbose logs

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/Des
iredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer WIN-P0TLB4V9T38 with user sid S-1-5-21-4088093647-3395588363-3915767082-500.
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ Start  Set      ]
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ Start  Resource ]  [[UserAccountControl]FilterAdministratorTokenTest]
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ Start  Test     ]  [[UserAccountControl]FilterAdministratorTokenTest]
VERBOSE: [WIN-P0TLB4V9T38]:                            [[UserAccountControl]FilterAdministratorTokenTest] Testing User Account Control state. (UAC0003)
VERBOSE: [WIN-P0TLB4V9T38]:                            [[UserAccountControl]FilterAdministratorTokenTest] Getting the current notification level of the User Account Control. (UAC0001)
VERBOSE: [WIN-P0TLB4V9T38]:                            [[UserAccountControl]FilterAdministratorTokenTest] The User Account Control property 'FilterAdministratorToken' was '', but expected it to be '0'. (U
AC0008)
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ End    Test     ]  [[UserAccountControl]FilterAdministratorTokenTest]  in 0.3110 seconds.
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ Start  Set      ]  [[UserAccountControl]FilterAdministratorTokenTest]
VERBOSE: [WIN-P0TLB4V9T38]:                            [[UserAccountControl]FilterAdministratorTokenTest] Setting User Account Control state. (UAC0002)
VERBOSE: [WIN-P0TLB4V9T38]:                            [[UserAccountControl]FilterAdministratorTokenTest] Getting the current notification level of the User Account Control. (UAC0001)
VERBOSE: [WIN-P0TLB4V9T38]:                            [[UserAccountControl]FilterAdministratorTokenTest] Setting the property 'FilterAdministratorToken' to the value '0'. (UAC0009)
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ End    Set      ]  [[UserAccountControl]FilterAdministratorTokenTest]  in 0.1020 seconds.
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ End    Resource ]  [[UserAccountControl]FilterAdministratorTokenTest]
VERBOSE: [WIN-P0TLB4V9T38]:                            [] A reboot is required to progress further. Please reboot the system.
WARNING: [WIN-P0TLB4V9T38]:                            [] A reboot is required to progress further. Please reboot the system.
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ End    Set      ]
VERBOSE: [WIN-P0TLB4V9T38]: LCM:  [ End    Set      ]    in  3.4110 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 3.475 seconds

DSC configuration

Configuration TestConfig
{
    Import-DscResource -Module ComputerManagementDsc -ModuleVersion 9.0.0

    Node 'localhost'
    {
        UserAccountControl 'FilterAdministratorTokenTest'
        {
            IsSingleInstance = 'Yes'
            FilterAdministratorToken = 0
        }
    }
}

Suggested solution

Create the registry key with the right type.

Operating system the target node is running

OsName               : Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

ame                           Value                                                                                                                                                                       
----                           -----                                                                                                                                                                       
PSVersion                      5.1.20348.1366                                                                                                                                                              
PSEdition                      Desktop                                                                                                                                                                     
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                                     
BuildVersion                   10.0.20348.1366                                                                                                                                                             
CLRVersion                     4.0.30319.42000                                                                                                                                                             
WSManStackVersion              3.0                                                                                                                                                                         
PSRemotingProtocolVersion      2.3                                                                                                                                                                         
SerializationVersion           1.1.0.1

ComputerManagementDsc version

Name                  Version Path                                                                                             
----                  ------- ----                                                                                             
ComputerManagementDsc 9.0.0   C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\9.0.0\ComputerManagementDsc.psd1
Borgquite commented 2 months ago

Looks like they're coming up against the issue described below where PowerShell has inconsistent behaviour when Type is not defined for Set-ItemProperty

Pull request should fix

https://stackoverflow.com/questions/16787365/set-itemproperty-sets-registry-value-as-string-on-some-systems-instead-of-dword

johlju commented 2 months ago

Thanks to @Borgquite for fixing this. Please test and verify that it works by using the preview that will be released shortly.