search

dsccommunity / GPRegistryPolicyDsc

DSC resources used to apply and manage local group policies by modifying the respective .pol file.
MIT License
21 stars 7 forks source link

RegistryPolicyFile: Conflicting Key When Setting Same Policy For Multiple Target Types #23

Open pyrostew opened 4 years ago

pyrostew commented 4 years ago

Details of the scenario you tried and the problem that is occurring

I am trying to set the same user configuration policy for all users of the PC however there is no target type for "All Users" and because the target type is not a Key parameter there can't be multiple instances of the resource with the same parameters named "Key" and "ValueName".

Verbose logs showing the problem

This is the error message:

PSDesiredStateConfiguration\Configuration : A conflict was detected between resources '[RegistryPolicyFile]SetDesktopWallpaperPathForAdmin (C:\Agent-1\_work\4\s\Package Builders\Win10BaseConfig\Config.ps1::164::7::RegistryPolicyFile)' and '[RegistryPolicyFile]SetDesktopWallpaperPath (C:\Agent-1\_work\4\s\Package Builders\Win10BaseConfig\Config.ps1::182::7::RegistryPolicyFile)' in node 'localhost'. Resources have identical key properties but there are differences in the following non-key properties: 'TargetType'. Values 'Administrators' don't match values 'NonAdministrators'. Please update these property values so that they are identical in both cases.

Suggested solution to the issue

Either add a target type that can add a policy for all users Update Target Type to be one of the Key parameters Update the Account Name Parameter to take an array of users and groups.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

RegistryPolicyFile SetDesktopWallpaperStyle
{
  Key         = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
  TargetType  = 'Administrators'
  ValueName   = "WallpaperStyle"
  ValueType   = 'Dword'
  ValueData   = "0"
}
RegistryPolicyFile SetDesktopWallpaperStyle
{
  Key         = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
  TargetType  = 'NonAdministrators'
  ValueName   = "WallpaperStyle"
  ValueType   = 'Dword'
  ValueData   = "0"
}

The operating system the target node is running

OsName               : Microsoft Windows 10 Enterprise LTSC
OsOperatingSystemSKU : 125
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-GB
OsMuiLanguages       : {en-GB}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.1432
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.1432
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

Name                Version Path
----                ------- ----
GPRegistryPolicyDsc 1.2.0   C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\GPRegistryPolicyDsc.psd1
jcwalker commented 4 years ago

Hi @pyrostew, does using UserConfiguration for the targetType give the desired result for your issue?

pyrostew commented 4 years ago

I Tried with the User Configuration as well, but again can only have one instance of the resource because AccountName is not a Key parameter, so at best can only set one group. If the AccountName parameter could take an array of names that would achieve what I need.

jcwalker commented 4 years ago

I would have to test to verify but I think if UserConfiguration is the targetType the policy will apply to all users so it would be unnecessary to apply same policy to multiple accounts. Is your scenario that you want to apply a policy to User1, User2, but not User3?

pyrostew commented 4 years ago

Oooh I see what you mean, sorry I misunderstood your last comment!

I had assumed (perhaps wrongly) that the UserConfiguration would only set the account that is running the config...

I can't test at the moment, my environment is having other issues that I'm currently resolving.

pyrostew commented 4 years ago

I've managed to test your suggestion, and yes it did apply the configuration to all of the users. So my user case at the moment is fine. It still feels like there is a potential gap if a configuration needed to be applied to a number of specific users or groups. But I'll leave you to stew over the value of that.

Thanks for realigning my understanding!