dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License

UserRightsAssignment: unable to Force multiple values #129

Open mnotley-reward opened 5 years ago

mnotley-reward commented 5 years ago

Details of the scenario you tried and the problem that is occurring

I am trying to set the value of generatesecurityaudits to two SIDs, however this fails to apply. Force only appears to work when setting a single SID.

Verbose logs showing the problem

Error from the Set-TargetResource:

PowerShell DSC resource MSFT_UserRightsAssignment  failed to execute Set-TargetResource functionality with error message: Could not convert Identity: LOCAL 
SERVICE,NETWORK SERVICE to SID 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

Error from the end of the job:

The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

Suggested solution to the issue

Ideally, when specifying Force = $true, it would wipe out any existing values and replace them only with the ones you specify.

The DSC configuration that is used to reproduce the issue (as detailed as possible)


Configuration CIS_WindowsServer2016_v110_MS_lvl1 {
    param (
        [string[]]$NodeName = 'localhost'
    )

    Import-DscResource -ModuleName 'NetworkingDsc'
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    Import-DscResource -ModuleName 'AuditPolicyDsc'
    Import-DscResource -ModuleName 'SecurityPolicyDsc'

    Node $NodeName {
        # Firewall Configuration - adjust interface alias
        NetConnectionProfile DefaultConnectionProfile {
            InterfaceAlias   = 'Ethernet 3'
            NetworkCategory  = 'Private'
        }
        # 2.2.30 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE,NETWORK SERVICE'
        UserRightsAssignment Generatesecurityaudits {
            Policy   = 'Generate_security_audits'
            Identity = 'LOCAL SERVICE,NETWORK SERVICE'
            Force    = $true
        }
    }
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2016 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 14393.3085.amd64fre.rs1_release.190703-1816
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
PSVersion                      5.1.14393.3053
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.3053
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

2.9.0.0

jcwalker commented 5 years ago

Hi @mnotley-reward, try updating the Identity property with an array like this: Identity = 'LOCAL SERVICE', 'NETWORK SERVICE'
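Why the comma-joined string in the report cannot be converted to a SID while an array of names can, as an added example that is not part of the original thread or of SecurityPolicyDsc. `Resolve-IdentityToSid` is a hypothetical helper that uses the .NET `NTAccount` class for the lookup, which is an assumption about how a name-to-SID conversion behaves, not the module's own code.

```powershell
# Added illustration: Resolve-IdentityToSid is a hypothetical helper,
# not a function exported by SecurityPolicyDsc.
function Resolve-IdentityToSid {
    [CmdletBinding()]
    param (
        # One account name per array element, the shape the suggested fix uses.
        [Parameter(Mandatory)]
        [string[]] $Identity
    )

    foreach ($name in $Identity) {
        $result = [pscustomobject]@{
            Identity = $name
            Sid      = $null
            Resolved = $false
            Note     = $null
        }

        try {
            # Each element is looked up as ONE account name.
            $account         = [System.Security.Principal.NTAccount]::new($name)
            $sidType         = [System.Security.Principal.SecurityIdentifier]
            $result.Sid      = $account.Translate($sidType).Value
            $result.Resolved = $true
        }
        catch {
            # Translation failed: no account carries this exact name.
            $result.Note = $_.Exception.Message
            if ($name -match ',') {
                # A comma inside a single element usually means a list was
                # written as one string instead of as an array.
                $result.Note = "Looks like a comma-joined list; pass an array. $($result.Note)"
            }
        }

        $result
    }
}

# Constructed input 1: the value from the failing configuration, a single string.
Resolve-IdentityToSid -Identity 'LOCAL SERVICE,NETWORK SERVICE' | Format-List

# Constructed input 2: the same two accounts as a two-element string array.
Resolve-IdentityToSid -Identity 'LOCAL SERVICE', 'NETWORK SERVICE' | Format-List
```

Run on a Windows host before compiling a configuration, any row with `Resolved = $false` marks an Identity value that a name-to-SID conversion will reject. The array form resolves to the well-known SIDs S-1-5-19 (LOCAL SERVICE) and S-1-5-20 (NETWORK SERVICE).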

X-Guardian commented 4 years ago

@mnotley-reward, can you confirm this resolved your issue?