dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License
177 stars 53 forks

UserRightsAssignment not able to Force resource #172

Closed SteveC83 closed 2 years ago

SteveC83 commented 2 years ago

Details of the scenario you tried and the problem that is occurring

Tested against an on-prem 2019 server in a push configuration and an Azure based 2016 server in a push configuration to rule out setup.

Tried against localhost node and hostname node.

Configuration is a variation of the config found here https://github.com/NVISOsecurity/posh-dsc-windows-hardening/blob/master/CIS_WindowsServer2019_v110.ps1

The configuration says it applies fine but doesn't seem to make any changes to the UserRightsAssignment Accessthiscomputerfromthenetwork policy.

It should be removing the default and only allowing administrators and authenticated users, but when I check secpol.msc I see the default ones:

Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Backup Operators

Verbose logs showing the problem

VERBOSE: []: LCM: [ Start Resource ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork]
VERBOSE: []: LCM: [ Start Test ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork]
VERBOSE: []: [[UserRightsAssignment]Accessthiscomputerfromthenetwork] Testing BUILTIN\Administrators,NT AUTHORITY\Authenticated Users is present on policy Access_this_computer_from_the_network
VERBOSE: []: LCM: [ End Test ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork] True in 0.2500 seconds.
VERBOSE: []: LCM: [ End Resource ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork]

Checking secpol.msc: Everyone, BUILTIN\Administrators, BUILTIN\Users, BUILTIN\Backup Operators

The DSC configuration that is used to reproduce the issue (as detailed as possible)

        # 2.2.2 (L1) Configure 'Access this computer from the network'
        UserRightsAssignment Accessthiscomputerfromthenetwork {
            Policy   = 'Access_this_computer_from_the_network'
            Identity = 'BUILTIN\Administrators,NT AUTHORITY\Authenticated Users'
        }

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.2183
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.2183
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

SecurityPolicyDsc 2.10.0.0

SteveC83 commented 2 years ago

OK, so after correctly reading the Wiki I realised that I needed to set Force = $true to actually make it apply the change; however, there still appears to be an issue:

VERBOSE: []: LCM: [ Start Resource ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork]
VERBOSE: []: LCM: [ Start Test ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork]
VERBOSE: []: [[UserRightsAssignment]Accessthiscomputerfromthenetwork] Testing Administrators,Authenticated Users is present on policy Access_this_computer_from_the_network
VERBOSE: []: [[UserRightsAssignment]Accessthiscomputerfromthenetwork] Everyone,BUILTIN\Administrators,BUILTIN\Users,BUILTIN\Backup Operators are users that should not have rights to Access_this_computer_from_the_network policy
VERBOSE: []: LCM: [ End Test ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork] in 0.2340 seconds.
VERBOSE: []: LCM: [ Start Set ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork]
VERBOSE: []: [[UserRightsAssignment]Accessthiscomputerfromthenetwork] Policy: Access_this_computer_from_the_network. Identity: Everyone BUILTIN\Administrators BUILTIN\Users BUILTIN\Backup Operators
VERBOSE: []: LCM: [ End Set ] [[UserRightsAssignment]Accessthiscomputerfromthenetwork] in 0.3440 seconds.
PowerShell DSC resource MSFT_UserRightsAssignment failed to execute Set-TargetResource functionality with error message: Could not convert Identity: Administrators,Authenticated Users to SID

SteveC83 commented 2 years ago

Actually, I've found the issue now. It was the same as this closed one: https://github.com/dsccommunity/SecurityPolicyDsc/issues/114. Each group had to be quoted individually to convert to a SID.
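The two findings in this thread, as an added example that is not part of the issue or of the SecurityPolicyDsc project: the comma-joined string fails SID translation because it is treated as one account name, and without Force the resource only checks that the listed identities are present and never removes the defaults. The snippet assumes SecurityPolicyDsc 2.10.0.0, where UserRightsAssignment takes Identity as a string array and Force as a boolean, and that the verification step runs elevated (secedit /export needs it). The function names and the output path are hypothetical.

```powershell
# Added example (not from the issue or the SecurityPolicyDsc project).
# Assumes SecurityPolicyDsc 2.10.0.0: Identity is [string[]], Force is [bool].

# 1. Failure mode from the thread: a comma-joined string is ONE account name
#    that does not exist, so NTAccount -> SecurityIdentifier translation fails.
function Test-IdentityTranslation {
    param([string[]] $Identity)
    foreach ($name in $Identity) {
        try {
            $sid = ([System.Security.Principal.NTAccount] $name).Translate(
                [System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{ Identity = $name; Sid = $sid.Value; Resolved = $true }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{ Identity = $name; Sid = $null; Resolved = $false }
        }
    }
}

# As written in the original config: a single element, Resolved = $false.
Test-IdentityTranslation -Identity 'BUILTIN\Administrators,NT AUTHORITY\Authenticated Users'
# Quoted individually: two elements, S-1-5-32-544 and S-1-5-11, both Resolved = $true.
Test-IdentityTranslation -Identity 'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users'

# 2. Corrected configuration: an array of identities plus Force = $true, so the
#    resource strips Everyone, BUILTIN\Users and BUILTIN\Backup Operators instead
#    of merely confirming the listed identities are present.
Configuration NetworkLogonRight {
    Import-DscResource -ModuleName SecurityPolicyDsc -ModuleVersion 2.10.0.0

    Node localhost {
        # 2.2.2 (L1) Configure 'Access this computer from the network'
        UserRightsAssignment Accessthiscomputerfromthenetwork {
            Policy   = 'Access_this_computer_from_the_network'
            Identity = 'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users'
            Force    = $true
        }
    }
}

NetworkLogonRight -OutputPath .\NetworkLogonRight          # hypothetical path
Start-DscConfiguration -Path .\NetworkLogonRight -Wait -Verbose -Force

# 3. Verify against the OS rather than trusting the LCM's "True": export the
#    user-rights area with secedit and resolve the SIDs on SeNetworkLogonRight,
#    the privilege constant behind 'Access this computer from the network'.
function Get-NetworkLogonRightHolders {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
    Remove-Item $inf -Force
    if (-not $line) { return @() }                       # right granted to nobody
    $line.Split('=')[1].Trim().Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {                    # secedit writes SIDs as *S-1-...
            try {
                ([System.Security.Principal.SecurityIdentifier] $entry.Substring(1)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                $entry.Substring(1)                      # orphaned SID: keep it raw
            }
        }
        else { $entry }                                  # already a name
    }
}

$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users'
$actual   = Get-NetworkLogonRightHolders
$diff     = Compare-Object -ReferenceObject $expected -DifferenceObject $actual
if ($diff) { $diff | Format-Table -AutoSize }
else       { 'SeNetworkLogonRight matches the CIS 2.2.2 baseline.' }
```

Step 3 is the check worth keeping in a pipeline: the first verbose log in this issue reports True for the Test because, without Force, "present" is all the resource tests for, so a green LCM run says nothing about whether Everyone or Backup Operators still hold the right. Comparing the exported policy against the expected list catches that regardless of how the resource evaluates drift.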