dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License

UserRightsAssignment AccountPolicy SecurityTemplate: these resources are not compiled by the module #169

Open fullenw1 opened 2 years ago

fullenw1 commented 2 years ago

Details of the scenario you tried and the problem that is occurring

The module compiles the SecurityOption resource fine. But there is no trace of the 3 other resources in the MOF file:

I tried to remove them all and add them again one by one to see if the issue is related to one of them, but even this way they don't appear in the MOF output.

Verbose logs showing the problem

MOF content:

instance of MSFT_SecurityOption as $MSFT_SecurityOption1ref
{
 Network_access_Let_Everyone_permissions_apply_to_anonymous_users = "Disabled";
 Domain_controller_LDAP_server_signing_requirements = "Require Signing";
 Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts = "Enabled";
 Name = "Global";
 ResourceID = "[SecurityOption]Global";
 Network_security_LDAP_client_signing_requirements = "Require Signing";
 Network_access_Shares_that_can_be_accessed_anonymously = "lsass,netlogon,samr";
 Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares = "Enabled";
 Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares = "Enabled";
 SourceInfo = "::2::2::SecurityOption";
 ModuleVersion = "2.10.0.0";
 ModuleName = "SecurityPolicyDsc";
 Network_access_Allow_anonymous_SID_Name_translation = "Disabled";

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

This is the YAML configuration (DATUM)

SecurityPolicyDsc:
  SecurityOption:
    - Name: Global
      Domain_controller_LDAP_server_signing_requirements: Require Signing
      Network_access_Allow_anonymous_SID_Name_translation: Disabled
      Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts: Enabled
      Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares: Enabled
      Network_access_Let_Everyone_permissions_apply_to_anonymous_users: Disabled
      Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares: Enabled
      Network_access_Shares_that_can_be_accessed_anonymously: "lsass,netlogon,samr"
      Network_security_LDAP_client_signing_requirements: Require Signing
  UserRightsAssignment:
    - Policy: Enable_computer_and_user_accounts_to_be_trusted_for_delegation
      Identity: 'Builtin\Administrators'
      Ensure: Present
    - Policy: Access_this_computer_from_the_network
      Identity: 'Builtin\Administrators, NT Authority\Enterprise Domain Controllers, Authenticated Users'
      Ensure: Present
  AccountPolicy:
    - Name: Global
      Enforce_user_logon_restrictions: Enabled
  SecurityTemplate:
    - IsSingleInstance: Yes
      Path: 'C:\Temp\Template.inf'

The DATUM resolution sees all objects:

PS> Resolve-NodeProperty -DatumTree $Datum -Node $Node -PropertyPath SecurityPolicyDsc

Name                           Value
----                           -----
SecurityOption                 {System.Collections.Specialized.OrderedDictionary}
UserRightsAssignment           {System.Collections.Specialized.OrderedDictionary, System.Collections.Specialized.OrderedDictionary}
AccountPolicy                  {System.Collections.Specialized.OrderedDictionary}
SecurityTemplate               {System.Collections.Specialized.OrderedDictionary}

The operating system the target node is running

OsName               : Microsoft Windows Server 2012 R2 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 9600.20090.amd64fre.winblue_ltsb.210709-1700
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.14409.1018
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1018
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   2.10.0.0   SecurityPolicyDsc
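
A build-time check for the symptom reported above, added here as an example and not part of the original issue or the SecurityPolicyDsc project: it reads the `ResourceID` entries from a compiled MOF and reports which resource types from the configuration data are absent. `Get-MofResourceType` and `Test-MofCoverage` are hypothetical helper names, and the MOF text is a constructed sample shortened from the one in the issue.

```powershell
# Hypothetical helper: list the resource types that actually reached the MOF.
function Get-MofResourceType {
    param([Parameter(Mandatory)][string]$MofText)
    # Each resource instance carries ResourceID = "[ResourceType]InstanceName";
    # the first bracketed token is the resource type.
    [regex]::Matches($MofText, 'ResourceID\s*=\s*"\[(?<type>[^\]]+)\]') |
        ForEach-Object { $_.Groups['type'].Value } |
        Sort-Object -Unique
}

# Hypothetical helper: compare the expected resource types with the compiled ones.
function Test-MofCoverage {
    param(
        [Parameter(Mandatory)][string]$MofText,
        [Parameter(Mandatory)][string[]]$ExpectedResource
    )
    $present = @(Get-MofResourceType -MofText $MofText)
    foreach ($name in $ExpectedResource) {
        [pscustomobject]@{
            Resource = $name
            InMof    = $present -contains $name
        }
    }
}

# Constructed sample, shortened from the MOF shown in the issue.
$sampleMof = @'
instance of MSFT_SecurityOption as $MSFT_SecurityOption1ref
{
 Name = "Global";
 ResourceID = "[SecurityOption]Global";
 ModuleName = "SecurityPolicyDsc";
};
'@

# Resource keys taken from the YAML configuration in the issue.
$expected = 'SecurityOption', 'UserRightsAssignment', 'AccountPolicy', 'SecurityTemplate'

$result  = Test-MofCoverage -MofText $sampleMof -ExpectedResource $expected
$missing = @($result | Where-Object { -not $_.InMof })
$result | Format-Table -AutoSize

if ($missing.Count -gt 0) {
    # A setting that never reaches the MOF is never enforced on the node,
    # so report the gap instead of letting the compile pass silently.
    Write-Error ("Missing from MOF: " + ($missing.Resource -join ', '))
}
```

To check a real build, pass the output of `Get-Content -Raw` on the compiled MOF file as `-MofText`.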