  1. Puppet
  2. PUP-6569

Improve error messaging for Windows user management

    Details

    • Team:
      Platform OS
    • Sprint:
      Platform OS Kanban

      Description

      While investigating PUP-6483, we found that we could be more specific with our error handling when performing some user password management tasks on Windows.

      Per Rob Reynolds in PUP-6483:

      A few error codes we could explore handling some of the errors and providing better messages around how to correct. Possibly as a separate ticket though.
      https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx

      * ERROR_LAST_ADMIN - 1322 (0x52A) - This operation is disallowed as it could result in an administration account being disabled, deleted or unable to log on.
      * ERROR_WRONG_PASSWORD - 1323 (0x52B) - Unable to update the password. The value provided as the current password is incorrect.
      * ERROR_ILL_FORMED_PASSWORD - 1324 (0x52C) - Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
      * ERROR_PASSWORD_RESTRICTION - 1325 (0x52D) - Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
      * ERROR_LOGON_FAILURE - 1326 (0x52E) - The user name or password is incorrect.
      * ERROR_ACCOUNT_RESTRICTION - 1327 (0x52F) - Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced.
      * ERROR_INVALID_LOGON_HOURS - 1328 (0x530) - Your account has time restrictions that keep you from signing in right now.
      * ERROR_INVALID_WORKSTATION - 1329 (0x531) - This user isn't allowed to sign in to this computer.
      * ERROR_PASSWORD_EXPIRED - 1330 (0x532) - The password for this account has expired.
      * ERROR_ACCOUNT_DISABLED - 1331 (0x533) - This user can't sign in because this account is currently disabled.
      

      In Scope

      • Modify the Puppet Windows user provider or backing libs in puppet/util/windows to detect and surface some or all of the preceding errors to the user when applicable

      Notes
      From - https://github.com/puppetlabs/puppet/pull/5201#discussion_r75033133

      ERROR_ACCOUNT_LOCKED_OUT = 1909 - is raised if account is locked out even when supplied login credentials are valid
      With both ERROR_ACCOUNT_LOCKED_OUT = 1909 and ERROR_ACCOUNT_EXPIRED = 1793, puppet will proceed to set the password anyway after failed logon.
      Both of these (and probably others) are cases we could improve on... for example, puppet should not try to set passwords for expired or locked out accounts, and possibly should log a debug message that this was encountered?
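
One way a provider could act on the codes above, as an added Ruby sketch that is not Puppet's code and not part of the ticket. `Win32Error`, `sync_password` and the two callables are hypothetical stand-ins for the logon check and the password set; the hint wording, and proceeding to set the password on any other logon failure, are assumptions.

```ruby
# Added sketch, not Puppet code: Win32Error, sync_password and the two
# callables are hypothetical stand-ins for the provider's logon check and
# password set. Codes and names are the ones listed in this ticket.
class Win32Error < StandardError
  attr_reader :code

  def initialize(code, detail = nil)
    @code = code
    super(format('Win32 error %d (0x%X)%s', code, code, detail ? ": #{detail}" : ''))
  end
end

# Logon failures where setting a password cannot help (from the Notes).
SKIP_SET = {
  1909 => 'ERROR_ACCOUNT_LOCKED_OUT',
  1793 => 'ERROR_ACCOUNT_EXPIRED'
}.freeze

# Set-password failures that deserve a corrective hint (wording assumed).
HINTS = {
  1322 => 'ERROR_LAST_ADMIN: would leave no usable administrator account',
  1324 => 'ERROR_ILL_FORMED_PASSWORD: new password contains disallowed values',
  1325 => 'ERROR_PASSWORD_RESTRICTION: check length, complexity and history policy'
}.freeze

# Returns :in_sync, :skipped or :changed; raises Win32Error carrying a hint.
# Log lines and error messages never include the password value itself.
def sync_password(user, logon:, set_password:, log: [])
  logon.call(user)
  :in_sync
rescue Win32Error => e
  if SKIP_SET.key?(e.code)
    log << "debug: #{user}: #{SKIP_SET[e.code]} (#{e.code}), not setting password"
    return :skipped
  end
  begin
    # Any other logon failure: go on to set the password.
    set_password.call(user)
    :changed
  rescue Win32Error => set_err
    raise Win32Error.new(set_err.code, HINTS.fetch(set_err.code, 'unrecognized error'))
  end
end
```
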


                People

                • Assignee:
                  casey.williams Casey Williams
                  Reporter:
                  moses Moses Mendoza