search

dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License
177 stars 53 forks source link

UserRightsAssignment: Failure When Setting Increase_scheduling_priority Policy on Windows Server Core #150

Open X-Guardian opened 4 years ago

X-Guardian commented 4 years ago

Details of the scenario you tried and the problem that is occurring

The Increase_scheduling_priority User Rights Assignment has a default membership of BUILTIN\Administrators and Window Manager\Window Manager Group.

When trying to modify the Increase_scheduling_priority policy on Windows Server Core, the following error occurs:

Could not translate SID: S-1-5-90-0 on Policy: Increase_scheduling_priority

Verbose logs showing the problem

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceSet,'className' =
MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DC01-2019 with user sid
S-1-5-21-3553084080-2500667019-4197401787-500.
VERBOSE: [DC01-2019]: LCM:  [ Start  Set      ]  [[UserRightsAssignment]DirectResourceAccess]
VERBOSE: [DC01-2019]:                            [[UserRightsAssignment]DirectResourceAccess] Could not translate SID:
S-1-5-90-0 on Policy: Increase_scheduling_priority
VERBOSE: [DC01-2019]:                            [[UserRightsAssignment]DirectResourceAccess] Policy:
Increase_scheduling_priority. Identity: BUILTIN\Administrators S-1-5-90-0
VERBOSE: [DC01-2019]: LCM:  [ End    Set      ]  [[UserRightsAssignment]DirectResourceAccess]  in 0.4680 seconds.
PowerShell DSC resource MSFT_UserRightsAssignment  failed to execute Set-TargetResource functionality with error
message: Could not translate SID: S-1-5-90-0 on Policy: Increase_scheduling_priority
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.852 seconds

Suggested solution to the issue

This is caused by the SecurityPolicyDsc internal function ConvertTo-NTAccount attempting to convert the S-1-5-90-0 SID to a friendly name, but fails as this group (Window Manager\Window Manager Group) does not exist on Windows Server Core.

To avoid this failure, mapping of this particular SID to its friendly name needs to be coded into the function.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Invoke-DscResource -Name UserRightsAssignment -Module SecurityPolicyDsc -Method Set -Verbose `
     -Property @{
     Policy   = 'Increase_scheduling_priority'
     Identity = @('BUILTIN\Administrators', 'Builtin\Guests')
 }

The operating system the target node is running

OsName                  : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU    : DatacenterServerEdition
OsArchitecture          : 64-bit
WindowsVersion          : 1809
WindowsInstallationType : Server Core
WindowsBuildLabEx       : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage              : en-US
OsMuiLanguages          : {en-US}

Version and build of PowerShell the target node is running

PSVersion                      5.1.17763.316
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.316
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   2.10.0.0   SecurityPolicyDsc