microsoft / BaselineManagement

Conversion tool used to Convert Group Policy baselines into DSC
MIT License

Not compatible with MS Baseline GPOs User Rights Rules #5

Closed hpaul-osi closed 4 years ago

hpaul-osi commented 7 years ago

The Microsoft security baselines have User Right Assignment rules in terms of a string of comma-delimited SIDs, and the SecurityPolicyDsc module expects an array of display names. As a result, if you convert the baseline GPO to DSC with the BaselineManagement module, all User Right Assignment rules will fail when calling Start-DscConfiguration targeting the resulting MOF file.

For example, the BaselineManagement module conversion has the following rule.

UserRightsAssignment 'INF_Access_this_computer_from_the_network'
{
    Policy = 'Access_this_computer_from_the_network'
    Identity = '*S-1-5-11,*S-1-5-32-544'
}

The above will fail to accurately evaluate the current setting or apply the desired state, but works if switched to the below.

UserRightsAssignment 'INF_Access_this_computer_from_the_network'
{
    Policy = 'Access_this_computer_from_the_network'
    Identity = 'Builtin\Administrators','NT Authority\Authenticated Users'
}

bobbytreed commented 5 years ago

I believe this has been resolved in later versions of SecurityPolicyDSC; let me know if it is not.
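
The conversion the issue describes, from the comma-delimited `*SID` string to an array of account names, sketched in PowerShell as an added example; it is not part of the thread or of the BaselineManagement or SecurityPolicyDsc code. `ConvertTo-UserRightIdentity` is a hypothetical helper name, and the lookup assumes a Windows host (PowerShell 5 or later) that can resolve the SIDs.

```powershell
# Added example: not code from BaselineManagement or SecurityPolicyDsc.
# ConvertTo-UserRightIdentity is a hypothetical helper name.
function ConvertTo-UserRightIdentity {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        # Raw value of a user-rights entry as it appears in the converted rule,
        # e.g. '*S-1-5-11,*S-1-5-32-544'. An empty value means nobody holds the right.
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$InfValue
    )

    foreach ($entry in $InfValue -split ',') {
        $entry = $entry.Trim()
        if (-not $entry) { continue }

        # A leading '*' marks a SID; anything else is already an account name.
        if (-not $entry.StartsWith('*')) { $entry; continue }

        $sidText = $entry.Substring(1)
        try {
            # A malformed SID string throws here and is deliberately not caught.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($sidText)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Well-formed SID that this machine cannot resolve, for example a
            # domain SID looked up off-domain. Keep it visible for manual review.
            Write-Warning "Could not resolve $sidText; leaving the SID in place."
            $sidText
        }
    }
}

# Identity value from the failing rule quoted in the issue.
$names = @(ConvertTo-UserRightIdentity -InfValue '*S-1-5-11,*S-1-5-32-544')

# Render the Identity line for the UserRightsAssignment block,
# doubling any single quotes so the literal stays valid.
$quoted = $names | ForEach-Object { "'{0}'" -f ($_ -replace "'", "''") }
"    Identity = {0}" -f ($quoted -join ',')
```

Resolved names depend on the machine doing the lookup (locale and domain membership), so run the conversion on a host representative of the targets and review any SID that is left unresolved before compiling the MOF.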