dsccommunity / GPRegistryPolicyDsc

DSC resources used to apply and manage local group policies by modifying the respective .pol file.
MIT License

gpt.ini corruption #40

Open schnyders opened 5 months ago

schnyders commented 5 months ago

Details of the scenario you tried and the problem that is occurring

When gpt.ini already contains another CSE than the one managed by this resource ({35378EAC-683F-11D2-A89A-00C04FBBCFA2}), gpt.ini gets corrupted.

Steps to reproduce:

  1. Ensure C:\Windows\System32\GroupPolicy is empty (no hidden files or folders)
  2. Open gpedit.msc
  3. In Computer Configuration --> Windows Settings --> Scripts (Start/Shutdown) --> Startup --> PowerShell Scripts --> here add an empty PowerShell file --> ok --> apply --> ok --> close gpedit.msc

C:\Windows\System32\GroupPolicy\gpt.ini should now look like

[General]
gPCMachineExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]
Version=2
  4. Run the DSC config from below or any other with TargetType ComputerConfiguration
  5. gpt.ini now looks like
    [General]
    gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{40B6664F-4972-11D1-A7CA-0000F87571E3}{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
    Version=3
    gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}]

If you do the exact same thing, but do the GPO config using gpedit.msc instead of DSC, the ini will look like

[General]
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]
Version=3

Verbose logs showing the problem

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceSet,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer WIN-Q85JVGSCE32 with user sid S-1-5-21-8231911-2010208343-1302586613-500.
VERBOSE: [WIN-Q85JVGSCE32]: LCM:  [ Start  Set      ]  [[RegistryPolicyFile]DirectResourceAccess]
VERBOSE: [WIN-Q85JVGSCE32]:                            [[RegistryPolicyFile]DirectResourceAccess] Retrieving current for Key Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ValueName AllowOnlineTips. (RPF04)
VERBOSE: [WIN-Q85JVGSCE32]:                            [[RegistryPolicyFile]DirectResourceAccess] Adding policy with Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, ValueName: AllowOnlineTips, ValueData: System.String[], ValueType: Dword. (RPF001)
VERBOSE: [WIN-Q85JVGSCE32]:                            [[RegistryPolicyFile]DirectResourceAccess] Gpt.ini gPCMachineExtensionNames CSE GUID updated from [{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}] to [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{40B6664F-4972-11D1-A7CA-0000F87571E3}{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]. (RPF07)
VERBOSE: [WIN-Q85JVGSCE32]:                            [[RegistryPolicyFile]DirectResourceAccess] Gpt.ini gPCUserExtensionNames CSE GUID updated from  to [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}]. (RPF07)
VERBOSE: [WIN-Q85JVGSCE32]:                            [[RegistryPolicyFile]DirectResourceAccess] Gpt.ini Version updated based on ComputerConfiguration from 2 to 3. (RPF08)
VERBOSE: [WIN-Q85JVGSCE32]: LCM:  [ End    Set      ]  [[RegistryPolicyFile]DirectResourceAccess]  in 0.2210 seconds.
VERBOSE: [WIN-Q85JVGSCE32]: LCM:  [ End    Set      ]    in  0.6150 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.

RebootRequired
--------------
False
VERBOSE: Time taken for configuration job to complete is 0.982 seconds

Suggested solution to the issue

Fix handling of gpt.ini so it produces a valid gpt.ini.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Invoke-DscResource -Name RegistryPolicyFile -ModuleName GPRegistryPolicyDSC -Method Set -Property @{
    Key = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    TargetType = "ComputerConfiguration"
    ValueName = "AllowOnlineTips"
    ValueData = @("0")
    ValueType = "Dword"
} -Verbose

But in the end it more or less doesn't matter.

The operating system the target node is running

Name Value
OsName Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU StandardServerEdition
OsArchitecture 64-bit
WindowsVersion 2009
WindowsBuildLabEx 20348.1.amd64fre.fe_release.210507-1500
OsLanguage en-US
OsMuiLanguages {en-US}

Version and build of PowerShell the target node is running

Name Value
PSVersion 5.1.20348.2400
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.20348.2400
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used

Name Version Path
GPRegistryPolicyDsc 1.3.1 C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.3.1\GPRegistryPolicyDsc.psd1
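
The difference between the two gpt.ini results in this issue is grouping: gpedit.msc keeps each CSE GUID and its tool extension GUIDs in a separate bracket group, while the DSC run flattened every GUID into one sorted group. The PowerShell sketch below is an added example, not part of the original issue and not GPRegistryPolicyDsc code; the function names are hypothetical, and ordering the groups by CSE GUID is an assumption taken from the gpedit.msc output shown above.

```powershell
# Added example; function names are hypothetical, not GPRegistryPolicyDsc code.
function ConvertFrom-CseExtensionNames
{
    # Split "[{CSE}{tool}...][{CSE}{tool}...]" into one entry per bracket group.
    param ([Parameter(Mandatory)][AllowEmptyString()][string] $Value)

    $groups = [ordered]@{}
    foreach ($m in [regex]::Matches($Value, '\[((?:\{[0-9A-Fa-f-]{36}\})+)\]'))
    {
        $guids = @([regex]::Matches($m.Groups[1].Value, '\{[0-9A-Fa-f-]{36}\}') |
            ForEach-Object { $_.Value.ToUpperInvariant() })
        # First GUID in a group is the CSE; the rest are its tool extensions.
        $groups[$guids[0]] = @($guids | Select-Object -Skip 1)
    }
    return $groups
}

function Add-CseExtensionName
{
    param (
        [Parameter(Mandatory)][AllowEmptyString()][string] $Value,
        [Parameter(Mandatory)][string] $CseGuid,
        [Parameter(Mandatory)][string] $ToolGuid
    )

    $groups = ConvertFrom-CseExtensionNames -Value $Value
    $cse = $CseGuid.ToUpperInvariant()
    $tool = $ToolGuid.ToUpperInvariant()

    # Touch only the group of the CSE being added; other groups stay intact.
    $tools = @()
    if ($groups.Contains($cse)) { $tools = @($groups[$cse]) }
    if ($tools -notcontains $tool) { $tools += $tool }
    $groups[$cse] = $tools

    # Emit groups ordered by CSE GUID (assumption), each in its own brackets.
    $out = foreach ($key in ($groups.Keys | Sort-Object))
    {
        '[' + $key + (-join $groups[$key]) + ']'
    }
    return -join $out
}

# Values taken from the issue: gpt.ini after the startup-script step.
$before = '[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]'
Add-CseExtensionName -Value $before `
    -CseGuid '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' `
    -ToolGuid '{D02B1F72-3407-48AE-BA88-E8213C6761F1}'
```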