Closed begna112 closed 4 years ago
I was able to verify that running the following as a local administrator gives the same error:
$Args = "/configure /db C:\Windows\TEMP\secedit\DscSecedit.sdb /cfg C:\Windows\TEMP\secedit\accountPolicyToAdd.inf"
Invoke-Expression -Command "secedit $Args"
Is it possible that the sdb is malformed?
I think I've discovered the core of this issue.
I set the setting how I want them in local group policy and then used mmc + the Security Configuration and Teemplate snap-in to export my current settings.
What it exported was this:
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 1
EnableGuestAccount = 0
Note that MaximumPasswordAge = -1
.
When I manually edit the accountPolicyToAdd.inf to change that value from 0
to -1
, secedit works as expected.
Looking at the documentation, it seems to imply that expected values are 0-999, but it also says -1 is equivalent to 0. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh994573(v%3dws.10) However, this seems to not actually be the case and secedit requires the -1, not 0, at least in Server 2016.
Unfortunately, this dsc resource does not support a value of -1 for the field:
System.Management.Automation.RuntimeException error processing property 'Maximum_Password_Age' OF TYPE 'AccountPolicy': Cannot convert value "-1" to type "System.UInt64". Error: "Value was either too large or too small for a UInt64."
In this project's code, the issue is created by these lines:
[Parameter()]
[ValidateRange(0, 999)]
[System.UInt32]
$Maximum_Password_Age,
At the very least this validate range need to be set to -1 through 999 and the type changed to System.Int32 or a translation built in somewhere to change a value of 0 to -1.
Tried making the change myself but I think it's just a bit over my head and requires more changes than just the lines I pointed out above.
I changed [System.Uint32]
to [System.Int32]
and [ValidateRange(0,999)]
to [ValidateRange(-1,999)]
in both the Set and Test-TargetResource functions of MSFT_AccountPolicy.psm1. That resulted in this error:
ConvertTo-MOFInstance : System.Management.Automation.RuntimeException error processing property 'Maximum_Password_Age' OF TYPE 'AccountPolicy': Cannot convert value "-1" to type "System.UInt64". Error: "Value was either too large or too small for a UInt64."At C:\workspaces\MerchFTDS2\src\MerchFTDS2\Merch\SecurityPoliciesMOF.ps1:18 char:9
+ AccountPolicy
At line:341 char:16
+ $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Compilation errors occurred while processing configuration 'SecurityPolicies'. Please review the errors reported in error stream and modify your configuration code appropriately.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+ throw $ErrorRecord
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (SecurityPolicies:String) [], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessConfiguration
I additionally tried changing the MSFT_AccountPolicy.schema.mof to account for the type change:
[Write] Uint32 Maximum_Password_Age;
to [Write] Int32 Maximum_Password_Age;
but received these errors:
ImportCimAndScriptKeywordsFromModule : Cim deserializer threw an error when deserializing file C:\Program Files\WindowsPowerShell\Modules\SecurityPolicyDsc\2.8.0.3\DSCResources\MSFT_Acco
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2120 char:50
+ ... dResource = ImportCimAndScriptKeywordsFromModule -Module $mod -Resour ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], PSInvalidOperationException
+ FullyQualifiedErrorId : System.Management.Automation.PSInvalidOperationException,ImportCimAndScriptKeywordsFromModule
ImportCimAndScriptKeywordsFromModule : Syntax error:
At line:7, char:40
Buffer:
ger Maximum_Password_Age^;
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2120 char:50
+ ... dResource = ImportCimAndScriptKeywordsFromModule -Module $mod -Resour ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], CimException
+ FullyQualifiedErrorId : Microsoft.Management.Infrastructure.CimException,ImportCimAndScriptKeywordsFromModule
PSDesiredStateConfiguration\Node : The term 'SecurityPolicyDsc\AccountPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\workspaces\MerchFTDS2\src\MerchFTDS2\Merch\SecurityPoliciesMOF.ps1:15 char:5
+ Node localhost {
+ ~~~~
+ CategoryInfo : ObjectNotFound: (SecurityPolicyDsc\AccountPolicy:String) [PSDesiredStateConfiguration\node], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : CommandNotFoundException,PSDesiredStateConfiguration\node
Compilation errors occurred while processing configuration 'SecurityPolicies'. Please review the errors reported in error stream and modify your configuration code appropriately.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+ throw $ErrorRecord
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (SecurityPolicies:String) [], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessConfiguration
@begna112 thanks for reporting the issue and the detailed repro! I'll do my best to look into a solution as soon as work allows it.
I have the same issue when applying the setting 'Store_passwords_using_reversible_encryption'. Receiving the following error message:
Cannot convert value "-1" to type "System.UInt64". Error: "Value was either too large or too small for a UInt64."
to fix that, not only you'd have to change the psm1 as @begna112 did, you'd also need to change the MOF Schema here: https://github.com/dsccommunity/SecurityPolicyDsc/blob/dev/DSCResources/MSFT_AccountPolicy/MSFT_AccountPolicy.schema.mof#L8
You can't use -1 for an unsigned 32bit Integer. I am not familiar enough with the code so I don't know why UInt32 was chosen (usually because that's how Windows API enums are using for bitwise operations), but using something like Int should be fine if the value range is only -1..999.
The issue described here was fixed in 2.9.0.0.
@rdtechie if you're still having your issue, you might want to open another issue.
Closing this issue.
Details of the scenario you tried and the problem that is occurring
I'm having an issue that may or may not be the same as #119. In my case, the mof is being applied by the LocalSystem user on Windows 2016. I've tried using the
PsDscRunAsCredential
parameter but this resource doesn't seem to support it.Verbose logs showing the problem
Here's some relevant logs:
scesrv.log includes:
Secedit-OutPut.txt:
This is the accountPolicyToAdd.inf that it generates:
Suggested solution to the issue
If the issue is that it's being run by LocalSystem, please support running with PsDscRunAsCredential. I can't really test this as I'm applying it with a service.
The DSC configuration that is used to reproduce the issue (as detailed as possible)
My configuration:
The operating system the target node is running
Version and build of PowerShell the target node is running
Version of the DSC module that was used ('dev' if using current dev branch)
2.8.0.0