dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License

Help required with DSC configs #114

Closed mahantesh2899 closed 4 years ago

mahantesh2899 commented 5 years ago

We have the DSC configurations below:

    UserRightsAssignment EnsureChangeTheSystemTimeIsConfigured
    {
        Policy   = "Change_the_system_time"
        Identity = "Administrators", "Server Operators", "LOCAL SERVICE"
        Force    = $true
    }

    UserRightsAssignment EnsureGenerateSecurityAuditsIsSetToLOCALSERVICENETWORKSERVICE
    {
        Policy   = "Generate_security_audits"
        # Backslash is not an escape character in PowerShell strings, so a single one is correct here.
        Identity = "Local Service", "Network Service", "IIS APPPOOL\DefaultAppPool"
        Force    = $true
    }

We are getting the error below. Can you please help with this error?

{
    "Exception": {
        "Message": "PowerShell DSC resource MSFT_UserRightsAssignment failed to execute Test-TargetResource functionality with error message: Could not convert Identity: Server Operators to SID ",
        "Data": {
        },
                  "InnerException":  {
                                         "ErrorRecord":  "Could not convert Identity: Server Operators to SID",
                                         "WasThrownFromThrowStatement":  true,
                                         "Message":  "Could not convert Identity: Server Operators to SID",
                                         "Data":  "System.Collections.ListDictionaryInternal",
                                         "InnerException":  "System.Management.Automation.RuntimeException: Could not convert Identity: Server Operators to SID",
                                         "TargetSite":  "System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject] Invoke(System.Collections.IEnumerable)",
                                         "StackTrace":  "   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)\r\n   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)\r\n   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)\r\n   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)\r\n   at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapter.ExecuteCommand(PowerShell powerShell, ResourceModuleInfo resInfo, String operationCmd, List`1 acceptedProperties, CimInstance nonResourcePropeties, CimInstance resourceConfiguration, LCMDebugMode debugMode, PSInvocationSettings pSInvocationSettings, UInt32\u0026 resultStatusHandle, Collection`1\u0026 result, ErrorRecord\u0026 errorRecord, PSModuleInfo localRunSpaceModuleInfo)",
                                         "HelpLink":  null,
                                         "Source":  "System.Management.Automation",
                                         "HResult":  -2146233087
                                     },
                  "TargetSite":  null,
                  "StackTrace":  null,
                  "HelpLink":  null,
                  "Source":  null,
                  "HResult":  -2146233079
              },
"TargetObject":  null,
"CategoryInfo":  {
                     "Category":  7,
                     "Activity":  "",
                     "Reason":  "InvalidOperationException",
                     "TargetName":  "",
                     "TargetType":  ""
                 },
"FullyQualifiedErrorId":  "ProviderOperationExecutionFailure",
"ErrorDetails":  null,
"InvocationInfo":  null,
"ScriptStackTrace":  null,
"PipelineIterationInfo":  [

                          ]

}

jcwalker commented 5 years ago

What type of security group is "Server Operators", local or domain? If it's a domain group you will need a syntax similar to this: "contoso\Server Operators"

mahantesh2899 commented 5 years ago

Thanks, I will try with the domain group.

Ankita-Chaudhari commented 5 years ago

Hi,

I have machines which are not domain joined, and I have the DSC config file below:

    # Identity is given here as one comma-separated string per policy.
    UserRightsAssignment Adjustmemoryquotasforaprocess {
        Policy   = 'Adjust_memory_quotas_for_a_process'
        Identity = 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
    }

    UserRightsAssignment Changethesystemtime {
        Policy   = 'Change_the_system_time'
        Identity = 'Administrators,LOCAL SERVICE'
    }

    UserRightsAssignment Changethetimezone {
        Policy   = 'Change_the_time_zone'
        Identity = 'Administrators,LOCAL SERVICE'
    }

    UserRightsAssignment Createglobalobjects {
        Policy   = 'Create_global_objects'
        Identity = 'Administrators,LOCAL SERVICE, NETWORK SERVICE, SERVICE'
    }

    UserRightsAssignment Generatesecurityaudits {
        Policy   = 'Generate_security_audits'
        Identity = 'LOCAL SERVICE,NETWORK SERVICE'
    }

    UserRightsAssignment Impersonateaclientafterauthentication {
        Policy   = 'Impersonate_a_client_after_authentication'
        Identity = 'Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE'
    }

    UserRightsAssignment Profilesystemperformance {
        Policy   = 'Profile_system_performance'
        Identity = 'Administrators,NT SERVICE\WdiServiceHost'
    }

    UserRightsAssignment Replaceaprocessleveltoken {
        Policy   = 'Replace_a_process_level_token'
        # Well-known account name is "LOCAL SERVICE" (with a space).
        Identity = 'LOCAL SERVICE, NETWORK SERVICE'
    }

And I am getting the error below:

{
    "Exception": {
        "Message": "PowerShell DSC resource MSFT_UserRightsAssignment failed to execute Test-TargetResource functionality with error message: Could not convert Identity: Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE to SID ",
        "Data": {
        },
                  "InnerException":  {
                                         "ErrorRecord":  "Could not convert Identity: Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE to SID",
                                         "WasThrownFromThrowStatement":  true,
                                         "Message":  "Could not convert Identity: Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE to SID",
                                         "Data":  "System.Collections.ListDictionaryInternal",
                                         "InnerException":  "System.Management.Automation.RuntimeException: Could not convert Identity: Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE to SID",
                                         "TargetSite":  "System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject] Invoke(System.Collections.IEnumerable)",
                                         "StackTrace":  "   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)\r\n   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)\r\n   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)\r\n   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)\r\n   at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapter.ExecuteCommand(PowerShell powerShell, ResourceModuleInfo resInfo, String operationCmd, List`1 acceptedProperties, CimInstance nonResourcePropeties, CimInstance resourceConfiguration, LCMDebugMode debugMode, PSInvocationSettings pSInvocationSettings, UInt32\u0026 resultStatusHandle, Collection`1\u0026 result, ErrorRecord\u0026 errorRecord, PSModuleInfo localRunSpaceModuleInfo)",
                                         "HelpLink":  null,
                                         "Source":  "System.Management.Automation",
                                         "HResult":  -2146233087
                                     },
                  "TargetSite":  null,
                  "StackTrace":  null,
                  "HelpLink":  null,
                  "Source":  null,
                  "HResult":  -2146233079
              },
"TargetObject":  null,
"CategoryInfo":  {
                     "Category":  7,
                     "Activity":  "",
                     "Reason":  "InvalidOperationException",
                     "TargetName":  "",
                     "TargetType":  ""
                 },
"FullyQualifiedErrorId":  "ProviderOperationExecutionFailure",
"ErrorDetails":  null,
"InvocationInfo":  null,
"ScriptStackTrace":  null,
"PipelineIterationInfo":  [

                          ]

}

Can anyone help me with this?

jcwalker commented 5 years ago

Hi @Ankita-Chaudhari try surrounding each identity with quotes like this: Identity = 'Administrators','LOCAL SERVICE', 'NETWORK SERVICE', 'SERVICE'
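A pre-flight check that turns both answers in this thread (domain groups need the DOMAIN\Group form; each identity must be a separate quoted element, not one comma-joined string) into something you can run on the target host before applying the configuration. This is an added example, not code from SecurityPolicyDsc: the function name Test-UserRightIdentity and the sample configurations are mine, and it uses the .NET NTAccount-to-SID translation rather than the module's own lookup.

```powershell
# Added example (not part of the SecurityPolicyDsc module): resolve every Identity
# value of a UserRightsAssignment block to a SID on this host, so bad identities
# surface before the LCM fails inside Test-TargetResource.
function Test-UserRightIdentity {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string]   $Policy,
        [Parameter(Mandatory)] [string[]] $Identity
    )
    foreach ($name in $Identity) {
        # A single comma-joined string arrives as one element; it can never resolve.
        if ($name -match ',') {
            [pscustomobject]@{ Policy = $Policy; Identity = $name; Sid = $null
                Status = 'Comma-joined string: pass each identity as a separate quoted element' }
            continue
        }
        try {
            $sid = ([System.Security.Principal.NTAccount] $name).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            [pscustomobject]@{ Policy = $Policy; Identity = $name; Sid = $sid; Status = 'OK' }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Unqualified domain groups on a workgroup host (e.g. "Server Operators")
            # land here; domain principals need the DOMAIN\Group form.
            [pscustomobject]@{ Policy = $Policy; Identity = $name; Sid = $null
                Status = 'Not resolvable on this host: check spelling or qualify as DOMAIN\Group' }
        }
        catch {
            [pscustomobject]@{ Policy = $Policy; Identity = $name; Sid = $null
                Status = "Lookup failed: $($_.Exception.Message)" }
        }
    }
}

# Constructed sample mirroring the configurations in this thread.
$configs = @(
    @{ Policy = 'Change_the_system_time'
       Identity = 'Administrators', 'Server Operators', 'LOCAL SERVICE' }
    @{ Policy = 'Impersonate_a_client_after_authentication'
       Identity = 'Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE' }
    @{ Policy = 'Impersonate_a_client_after_authentication'
       Identity = 'Administrators', 'LOCAL SERVICE', 'NETWORK SERVICE', 'SERVICE' }
)
$results = foreach ($c in $configs) { Test-UserRightIdentity @c }
$results | Format-Table -AutoSize

# Fail a pre-deployment step if anything did not resolve.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

On a workgroup host the first block reports "Server Operators" as unresolvable and the second reports the comma-joined string; only the third, with separately quoted identities, resolves cleanly.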

Ankita-Chaudhari commented 5 years ago

Hi John,

Thank you!

After applying the solution you mentioned, the DSC config is working properly.

Regards, Ankita

On Wed 25 Sep, 2019, 5:07 PM Jason Walker, notifications@github.com wrote:

Hi @Ankita-Chaudhari https://github.com/Ankita-Chaudhari try surrounding each identity with quotes like this: Identity = 'Administrators','LOCAL SERVICE', 'NETWORK SERVICE', 'SERVICE'
