dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License

AccountPolicy: Get-PolicyOptionData fails on PowerShell 4.0 #124

Closed dbaileyut closed 4 years ago

dbaileyut commented 5 years ago

Details of the scenario you tried and the problem that is occurring

Trying to use AccountPolicy on Windows 2012R2 with PowerShell 4.0

Cannot process argument transformation on parameter 'FilePath'. Cannot convert the "C:\Program 
Files\WindowsPowerShell\Modules\SecurityPolicyDsc\DscResources\MSFT_AccountPolicy\AccountPolicyData.psd1" value of 
type "System.String" to type "System.Collections.Hashtable".

Verbose logs showing the problem

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'class
Name' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer WIN-OQJMU19QPA0 with user sid S-1-5-21-2478489807-2373884848-1657894
518-500.
VERBOSE: [WIN-OQJMU19QPA0]: LCM:  [ Start  Set      ]
VERBOSE: [WIN-OQJMU19QPA0]: LCM:  [ Start  Resource ]  [[AccountPolicy]BaseAccountPolicy]
VERBOSE: [WIN-OQJMU19QPA0]: LCM:  [ Start  Test     ]  [[AccountPolicy]BaseAccountPolicy]
Cannot process argument transformation on parameter 'FilePath'. Cannot convert the "C:\Program 
Files\WindowsPowerShell\Modules\SecurityPolicyDsc\DscResources\MSFT_AccountPolicy\AccountPolicyData.psd1" value of 
type "System.String" to type "System.Collections.Hashtable".
    + CategoryInfo          : InvalidData: (:) [], CimException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-PolicyOptionData
    + PSComputerName        : localhost

Key cannot be null.
Parameter name: key
    + CategoryInfo          : OperationStopped: (:) [], CimException
    + FullyQualifiedErrorId : System.ArgumentNullException
    + PSComputerName        : localhost

# Key cannot be null error repeats a lot

VERBOSE: [WIN-OQJMU19QPA0]: LCM:  [ End    Test     ]  [[AccountPolicy]BaseAccountPolicy]  in 0.1250 seconds.
The PowerShell DSC resource MSFT_AccountPolicy threw one or more non-terminating errors while running the 
Test-TargetResource functionality. These errors are logged to the ETW channel called 
Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.157 seconds

Suggested solution to the issue

It looks like ArgumentToConfigurationDataTransformation requires PowerShell 5.x?

Maybe load the hashtable in AccountPolicyData.psd1 without it? Less preferred: Increase the minimum PowerShell/DSC version for the module.

https://github.com/PowerShell/SecurityPolicyDsc/blob/bf628170a2d51efb282c3b33a10fb29d7bc5af51/Modules/SecurityPolicyResourceHelper/SecurityPolicyResourceHelper.psm1#L435-L447

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here
Configuration SecurityBaseline {

    # Import the module that contains the resources we're using.
    Import-DscResource -ModuleName SecurityPolicyDsc

    # The Node statement specifies which targets this configuration will be applied to.
    Node 'localhost' {

        AccountPolicy BaseAccountPolicy {
            Name = 'MyAccountPolicy'

        }     
    }
}

The operating system the target node is running

OSName : Windows Server 2012R2
OSArchitecture : 64-bit
WindowsVersion: 6.3 (Build 9600)
OsLanguage: en-us

Patched up to May 2019

Version and build of PowerShell the target node is running

PSVersion 4.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.42000
BuildVersion 6.3.9600.19170
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion 2.2

Version of the DSC module that was used ('dev' if using current dev branch)

SecurityPolicyDsc 2.8.0.0
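
The "load the hashtable without it" option suggested in the post above, sketched as an added example; this is not code from the issue or from SecurityPolicyDsc. The helper name `Import-PolicyDataFile` and the sample file with its keys are assumptions made for illustration.

```powershell
# Added example; Import-PolicyDataFile is a hypothetical helper, not SecurityPolicyDsc code.
function Import-PolicyDataFile
{
    [OutputType([hashtable])]
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $FilePath
    )

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf))
    {
        throw "Data file not found: $FilePath"
    }
    if ([System.IO.Path]::GetExtension($FilePath) -ne '.psd1')
    {
        throw "Expected a .psd1 data file: $FilePath"
    }

    if (Get-Command -Name Import-PowerShellDataFile -ErrorAction SilentlyContinue)
    {
        # PowerShell 5.0 and later: parses the file as data without invoking code.
        $data = Import-PowerShellDataFile -LiteralPath $FilePath -ErrorAction Stop
    }
    else
    {
        # PowerShell 3.0/4.0 fallback. A same-named file in a UI-culture
        # subfolder (for example en-US) of the directory would be preferred.
        $data = Import-LocalizedData -BaseDirectory ([System.IO.Path]::GetDirectoryName($FilePath)) `
            -FileName ([System.IO.Path]::GetFileName($FilePath)) -ErrorAction Stop
    }

    # Reject anything that did not evaluate to a hashtable before callers index into it.
    if ($data -isnot [hashtable])
    {
        throw "Data file did not evaluate to a hashtable: $FilePath"
    }
    return $data
}

# Constructed sample data file (keys and values are made up for this example).
$sample = Join-Path -Path $env:TEMP -ChildPath 'ExamplePolicyData.psd1'
Set-Content -LiteralPath $sample -Value "@{ 'Example_Setting' = @{ Section = 'Example Section'; Value = 'ExampleValue' } }"
$policyData = Import-PolicyDataFile -FilePath $sample
$policyData['Example_Setting'].Section
Remove-Item -LiteralPath $sample
```

Because the parameter is a plain `[string]` path, no argument transformation attribute is involved, and both loaders read the `.psd1` as restricted data rather than running it as a script.
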

dbaileyut commented 5 years ago

Hmm, actually, there's some weirdness because I can run

Get-PolicyOptionData -FilePath 'C:\Program Files\WindowsPowerShell\Modules\SecurityPolicyDsc\DSCResources\MSFT_AccountPolicy\AccountPolicyData.psd1'

from powershell.exe or the ISE.

If I modify Get-PolicyOptionData by removing (or moving) the hashtable type from the -FilePath parameter the configuration applies successfully.

Removing:

function Get-PolicyOptionData
{
    [OutputType([hashtable])]
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory = $true)]
        [Microsoft.PowerShell.DesiredStateConfiguration.ArgumentToConfigurationDataTransformation()]
        #[hashtable] # < removing this works
        $FilePath
    )
    return $FilePath
}

Moving:

function Get-PolicyOptionData
{
    [OutputType([hashtable])]
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory = $true)]
        [hashtable] # < moving this here works
        [Microsoft.PowerShell.DesiredStateConfiguration.ArgumentToConfigurationDataTransformation()]
        $FilePath
    )
    return $FilePath
}

X-Guardian commented 4 years ago

Hi @dbaileyut, the minimum PowerShell version for this module is now 5.1.