Details
-
Bug
-
Status: Closed
-
Normal
-
Resolution: Won't Do
-
None
-
None
-
Needs Assessment
-
Reviewed
-
43304
-
1
-
Needs Assessment
Description
- Describe the Bug:
Unable to add account jordi to Local Policy for User Right Assignment (Log on as a service) using the code below - Accounts 'NT SERVICE\ALL SERVICES' and 'cloudbase-init' are already present in the test VM:
dsc_userrightsassignment
{ "add-jordi-to-logon-as-service": dsc_ensure => 'present', dsc_policy => 'Log_on_as_a_service', dsc_identity => ['NT SERVICE\\ALL SERVICES','cloudbase-init','jordi'], }*Expected Behavior:
The code above should add local account jordi with the right to log on as a service along with the existing ones (Accounts 'NT SERVICE\ALL SERVICES' and 'cloudbase-init')
*Steps to Reproduce:
Using Converting to use Puppetized DSC Modules and running puppet agent --debug extracted that the relevant powershell instruction for the code above. Below I am running it in its own PS shell:
PS C:\Users\Administrator> $InvokeParams = @{Name = 'UserRightsAssignment'; Method = 'get'; Property = @
{policy = 'Log_on_as_a_service'; identity = @('PE-201984-WIN2K\jordi')}; ModuleName = @{ModuleName = 'C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1'; RequiredVersion = '2.7.0.0'}}Invoke-DscResource @InvokeParams -Verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourceget,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer PE-201984-WIN2K with user sid S-1-5-21-1548961487-963197808-2462195979-500.
VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Policy: Log_on_as_a_service. Identity: PE-201984-WIN2K\cloudbase-init NT SERVICE\ALL SERVICES
VERBOSE: [PE-201984-WIN2K]: LCM: [ End Get ] [[UserRightsAssignment]DirectResourceAccess] in 0.7230 seconds.
VERBOSE: [PE-201984-WIN2K]: LCM: [ End Set ] in 1.1130 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
ConfigurationName :
DependsOn :
ModuleName : C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1
ModuleVersion : 2.7.0.0
PsDscRunAsCredential :
ResourceId :
SourceInfo :
Ensure :
Force :
Identity : {PE-201984-WIN2K\cloudbase-init, NT SERVICE\ALL SERVICES}
Policy : Log_on_as_a_service
PSComputerName : localhost
VERBOSE: Time taken for configuration job to complete is 1.434 seconds
This powershell instruction uses the get method for UserRightsAssignment which just lists the current content of accounts with Log on as service rights.
If we manually update the Powershell instruction to use the set method for UserRightAssignment then we get the desired update - Provide account jordi with Log on a as Service rights as per below:
PS C:\Users\Administrator> $InvokeParams = @{Name = 'UserRightsAssignment'; Method = 'set'; Property = @{policy = 'Log_on_as_a_service'; identity = @('PE-201984-WIN2Kjordi')}
; ModuleName = @{ModuleName = 'C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1'; RequiredVersion = '2.7.0.0'}}
Invoke-DscResource @InvokeParams -Verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourceset,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer PE-201984-WIN2K with user sid S-1-5-21-1548961487-963197808-2462195979-500.
VERBOSE: [PE-201984-WIN2K]: LCM: [ Start Set ] [[UserRightsAssignment]DirectResourceAccess]
VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Policy: Log_on_as_a_service. Identity: PE-201984-WIN2K\cloudbase-init NT SERVICE\ALL SERVICES
VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Granting Log_on_as_a_service rights to PE-201984-WIN2K\jordi,PE-201984-WIN2K\cloudbase-init,NT SERVICE\ALL SERVICES
VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Attempting to Set PE-201984-WIN2K\jordi,PE-201984-WIN2K\cloudbase-init,NT SERVICE\ALL SERVICES for policy Log_on_as_a_service
VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Testing PE-201984-WIN2K\jordi is present on policy Log_on_as_a_service
VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Task successfully completed
VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] PE-201984-WIN2K\jordi,PE-201984-WIN2K\cloudbase-init,NT SERVICE\ALL SERVICES successfully given rights to Log_on_as_a_service policy
VERBOSE: [PE-201984-WIN2K]: LCM: [ End Set ] [[UserRightsAssignment]DirectResourceAccess] in 5.0460 seconds.
VERBOSE: [PE-201984-WIN2K]: LCM: [ End Set ] in 5.0950 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
RebootRequired
--------------
False
VERBOSE: Time taken for configuration job to complete is 5.321 seconds
If after doing that we run the get method again, the output shows us account jordi has been given Log on as service right as per below:
PS C:\Users\Administrator> $InvokeParams = @{Name = 'UserRightsAssignment'; Method = 'get'; Property = @
{policy = 'Log_on_as_a_service'; identity = @('PE-201984-WIN2K\jordi')}; ModuleName = @{ModuleName = 'C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1'; RequiredVersion = '2.7.0.0'}}
Invoke-DscResource @InvokeParams -Verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourceget,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer PE-201984-WIN2K with user sid S-1-5-21-1548961487-963197808-2462195979-500.
VERBOSE: [PE-201984-WIN2K]: [[UserRightsAssignment]DirectResourceAccess] Policy: Log_on_as_a_service. Identity: PE-201984-WIN2K\cloudbase-init PE-201984-WIN2K\jordi NT SERVICE\ALL SERVICES
VERBOSE: [PE-201984-WIN2K]: LCM: [ End Get ] [[UserRightsAssignment]DirectResourceAccess] in 0.2580 seconds.
VERBOSE: [PE-201984-WIN2K]: LCM: [ End Set ] in 0.3310 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
ConfigurationName :
DependsOn :
ModuleName : C:\ProgramData\PuppetLabs\puppet\cache\lib\puppet_x\dsc_resources\SecurityPolicyDsc\SecurityPolicyDsc.psd1
ModuleVersion : 2.7.0.0
PsDscRunAsCredential :
ResourceId :
SourceInfo :
Ensure :
Force :
Identity :
Policy : Log_on_as_a_service
PSComputerName : localhost
VERBOSE: Time taken for configuration job to complete is 0.705 seconds
Environment
Version [2019.8.4]
Platform [Windows 2019]
* Please see Zendesk Support tab for further comments and attachments.