search

saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Install Salt from the Salt package repositories here:
https://docs.saltproject.io/salt/install-guide/en/latest/
Apache License 2.0
14.19k stars 5.48k forks source link

Unable to set LGPO for "Take ownership of files or other objects" #46478

Closed doesitblend closed 6 years ago

doesitblend commented 6 years ago

Description of Issue/Question

Trying to configure "Take ownership of files or other objects" and getting 

[root@winmaster ~]# salt 'win2016-3' state.apply take_owner
win2016-3:
----------
          ID: configure_take_ownership
    Function: lgpo.set
      Result: False
     Comment: Unable to find Machine policy Take ownership of files or other objects
     Started: 23:31:26.537162
    Duration: 515.883 ms
     Changes:   

Summary for win2016-3
------------
Succeeded: 0
Failed:    1
------------
Total states run:     1
Total run time: 515.883 ms
ERROR: Minions returned with non-zero exit code

Reviewing the code in win_lgpo.py it appears there is an entry for this policy to be configured. However, there are no settings for it. I think this may be the cause for the policy "Not Found" error. The code for this appears to be the same between the develop branch and the 2017.7.4 branch.

Setup

Install the Python 3 version of 2017.7.4 minion on Windows Server 2016.

Try to execute the following state:

configure_take_ownership: 
  lgpo.set: 
    - computer_policy: 
        Take ownership of files or other objects: Administrators

Versions Report

win2016-3:
    Salt Version:
               Salt: 2017.7.4

    Dependency Versions:
               cffi: 1.10.0
           cherrypy: unknown
           dateutil: 2.6.0
          docker-py: Not Installed
              gitdb: 2.0.3
          gitpython: 2.1.3
              ioflo: Not Installed
             Jinja2: 2.9.6
            libgit2: Not Installed
            libnacl: Not Installed
           M2Crypto: Not Installed
               Mako: 1.0.6
       msgpack-pure: Not Installed
     msgpack-python: 0.4.8
       mysql-python: Not Installed
          pycparser: 2.17
           pycrypto: 2.6.1
       pycryptodome: Not Installed
             pygit2: Not Installed
             Python: 3.5.3 (v3.5.3:1880cb95a742, Jan 16 2017, 16:02:32) [MSC v.1900 64 bit (AMD64)]
       python-gnupg: 0.4.0
             PyYAML: 3.12
              PyZMQ: 16.0.2
               RAET: Not Installed
              smmap: 2.0.3
            timelib: 0.2.4
            Tornado: 4.5.1
                ZMQ: 4.1.6

    System Versions:
               dist:   
             locale: cp1252
            machine: AMD64
            release: 2016Server
             system: Windows
            version: 2016Server 10.0.14393 SP0 Multiprocessor Free
twangboy commented 6 years ago

@doesitblend I am able to reproduce this. I don't see an obvious fix right now, but as a workaround, you could use the short name like this:

configure_take_ownership:
  lgpo.set:
    - computer_policy:
        SeTakeOwnershipPrivilege: Administrators

@lomeroe Do you see anything here? Everything looks right to me.

lomeroe commented 6 years ago

The policy's "name" in the module is incorrectly "Take ownership of files and other objects"

                    'SeTakeOwnershipPrivilege': {
                        'Policy': 'Take ownership of files and other objects',
                        'lgpo_section': self.user_rights_assignment_gpedit_path,
                        'Settings': None,
                        'LsaRights': {
                            'Option': 'SeTakeOwnershipPrivilege'
                        },
twangboy commented 6 years ago

@lomeroe Crap. I went over that thing a hundred times (or so it seemed). Thanks! I should have caught that.