Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-10969

Unable to update UserRightAssignment - Log on as service rights

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Do
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: dsc
    • Labels:
    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • CS Priority:
      Reviewed
    • Zendesk Ticket IDs:
      43304
    • Zendesk Ticket Count:
      1
    • QA Risk Assessment:
      Needs Assessment

      Description

      • Describe the Bug:
        Unable to add account jordi to Local Policy for User Right Assignment (Log on as a service) using the code below - Accounts 'NT SERVICE\ALL SERVICES' and 'cloudbase-init' are already present in the test VM:

      dsc_userrightsassignment

      { "add-jordi-to-logon-as-service": dsc_ensure => 'present', dsc_policy => 'Log_on_as_a_service', dsc_identity => ['NT SERVICE\\ALL SERVICES','cloudbase-init','jordi'], }

      *Expected Behavior:
      The code above should add local account jordi with the right to log on as a service along with the existing ones (Accounts 'NT SERVICE\ALL SERVICES' and 'cloudbase-init')

      *Steps to Reproduce:
      Using Converting to use Puppetized DSC Modules and running puppet agent --debug extracted that the relevant powershell instruction for the code above. Below I am running it in its own PS shell:

      PS C:\Users\Administrator> $InvokeParams = @{Name = 'UserRightsAssignment'; Method = 'get'; Property = @

      {policy = 'Log_on_as_a_service'; identity = @('PE-201984-WIN2K\jordi')}; ModuleName = @{ModuleName = 'C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1'; RequiredVersion = '2.7.0.0'}}
      Invoke-DscResource @InvokeParams -Verbose
      VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourceget,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
      VERBOSE: An LCM method call arrived from computer PE-201984-WIN2K with user sid S-1-5-21-1548961487-963197808-2462195979-500.
      VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Policy: Log_on_as_a_service. Identity: PE-201984-WIN2K\cloudbase-init NT SERVICE\ALL SERVICES
      VERBOSE: [PE-201984-WIN2K]: LCM: [ End Get ] [[UserRightsAssignment]DirectResourceAccess] in 0.7230 seconds.
      VERBOSE: [PE-201984-WIN2K]: LCM: [ End Set ] in 1.1130 seconds.
      VERBOSE: Operation 'Invoke CimMethod' complete.
      ConfigurationName :
      DependsOn :
      ModuleName : C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1
      ModuleVersion : 2.7.0.0
      PsDscRunAsCredential :
      ResourceId :
      SourceInfo :
      Ensure :
      Force :
      Identity : {PE-201984-WIN2K\cloudbase-init, NT SERVICE\ALL SERVICES}
      Policy : Log_on_as_a_service
      PSComputerName : localhost
      VERBOSE: Time taken for configuration job to complete is 1.434 seconds

      This powershell instruction uses the get method for UserRightsAssignment which just lists the current content of accounts with Log on as service rights.

      If we manually update the Powershell instruction to use the set method for UserRightAssignment then we get the desired update - Provide account jordi with Log on a as Service rights as per below:

      PS C:\Users\Administrator> $InvokeParams = @{Name = 'UserRightsAssignment'; Method = 'set'; Property = @{policy = 'Log_on_as_a_service'; identity = @('PE-201984-WIN2Kjordi')}

      ; ModuleName = @{ModuleName = 'C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1'; RequiredVersion = '2.7.0.0'}}
      Invoke-DscResource @InvokeParams -Verbose
      VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourceset,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
      VERBOSE: An LCM method call arrived from computer PE-201984-WIN2K with user sid S-1-5-21-1548961487-963197808-2462195979-500.
      VERBOSE: [PE-201984-WIN2K]: LCM: [ Start Set ] [[UserRightsAssignment]DirectResourceAccess]
      VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Policy: Log_on_as_a_service. Identity: PE-201984-WIN2K\cloudbase-init NT SERVICE\ALL SERVICES
      VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Granting Log_on_as_a_service rights to PE-201984-WIN2K\jordi,PE-201984-WIN2K\cloudbase-init,NT SERVICE\ALL SERVICES
      VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Attempting to Set PE-201984-WIN2K\jordi,PE-201984-WIN2K\cloudbase-init,NT SERVICE\ALL SERVICES for policy Log_on_as_a_service
      VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Testing PE-201984-WIN2K\jordi is present on policy Log_on_as_a_service
      VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Task successfully completed
      VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] PE-201984-WIN2K\jordi,PE-201984-WIN2K\cloudbase-init,NT SERVICE\ALL SERVICES successfully given rights to Log_on_as_a_service policy
      VERBOSE: [PE-201984-WIN2K]: LCM: [ End Set ] [[UserRightsAssignment]DirectResourceAccess] in 5.0460 seconds.
      VERBOSE: [PE-201984-WIN2K]: LCM: [ End Set ] in 5.0950 seconds.
      VERBOSE: Operation 'Invoke CimMethod' complete.
      RebootRequired
      --------------
      False
      VERBOSE: Time taken for configuration job to complete is 5.321 seconds

      If after doing that we run the get method again, the output shows us account jordi has been given Log on as service right as per below:

      PS C:\Users\Administrator> $InvokeParams = @{Name = 'UserRightsAssignment'; Method = 'get'; Property = @

      {policy = 'Log_on_as_a_service'; identity = @('PE-201984-WIN2K\jordi')}

      ; ModuleName = @{ModuleName = 'C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1'; RequiredVersion = '2.7.0.0'}}
      Invoke-DscResource @InvokeParams -Verbose
      VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourceget,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
      VERBOSE: An LCM method call arrived from computer PE-201984-WIN2K with user sid S-1-5-21-1548961487-963197808-2462195979-500.
      VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Policy: Log_on_as_a_service. Identity: PE-201984-WIN2K\cloudbase-init PE-201984-WIN2K\jordi NT SERVICE\ALL SERVICES
      VERBOSE: [PE-201984-WIN2K]: LCM: [ End Get ] [[UserRightsAssignment]DirectResourceAccess] in 0.2580 seconds.
      VERBOSE: [PE-201984-WIN2K]: LCM: [ End Set ] in 0.3310 seconds.
      VERBOSE: Operation 'Invoke CimMethod' complete.
      ConfigurationName :
      DependsOn :
      ModuleName : C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1
      ModuleVersion : 2.7.0.0
      PsDscRunAsCredential :
      ResourceId :
      SourceInfo :
      Ensure :
      Force :
      Identity :

      {PE-201984-WIN2K\cloudbase-init, PE-201984-WIN2K\jordi, NT SERVICE\ALL SERVICES}

      Policy : Log_on_as_a_service
      PSComputerName : localhost
      VERBOSE: Time taken for configuration job to complete is 0.705 seconds
      Environment
      Version [2019.8.4]
      Platform [Windows 2019]

      * Please see Zendesk Support tab for further comments and attachments.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              michael.lombardi Michael Lombardi
              Reporter:
              jordi.garcia Jordi Garcia
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support