In PUP-6483, we found that we could be more specific with our error handling when performing some user password management tasks on Windows.
There are a few error codes where we could explore handling the errors and providing better messages about how to correct them, possibly as a separate ticket though.
* ERROR_LAST_ADMIN - 1322 (0x52A) - This operation is disallowed as it could result in an administration account being disabled, deleted or unable to log on.
* ERROR_WRONG_PASSWORD - 1323 (0x52B) - Unable to update the password. The value provided as the current password is incorrect.
* ERROR_ILL_FORMED_PASSWORD - 1324 (0x52C) - Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
* ERROR_PASSWORD_RESTRICTION - 1325 (0x52D) - Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
* ERROR_LOGON_FAILURE - 1326 (0x52E) - The user name or password is incorrect.
* ERROR_ACCOUNT_RESTRICTION - 1327 (0x52F) - Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced.
* ERROR_INVALID_LOGON_HOURS - 1328 (0x530) - Your account has time restrictions that keep you from signing in right now.
* ERROR_INVALID_WORKSTATION - 1329 (0x531) - This user isn't allowed to sign in to this computer.
* ERROR_PASSWORD_EXPIRED - 1330 (0x532) - The password for this account has expired.
* ERROR_ACCOUNT_DISABLED - 1331 (0x533) - This user can't sign in because this account is currently disabled.
- Modify the Puppet Windows user provider or backing libs in puppet/util/windows to detect and surface some or all of the preceding errors to the user when applicable
From - https://github.com/puppetlabs/puppet/pull/5201#discussion_r75033133
ERROR_ACCOUNT_LOCKED_OUT = 1909 - is raised if the account is locked out, even when the supplied login credentials are valid.
With both ERROR_ACCOUNT_LOCKED_OUT = 1909 and ERROR_ACCOUNT_EXPIRED = 1793, Puppet will proceed to set the password anyway after the failed logon.
Both of these (and probably others) are cases we could improve on... for example, Puppet should not try to set passwords for expired or locked out accounts, and possibly should log a debug message that this was encountered?
- is cloned by
PUP-9206 Improve error messaging for Windows user management
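
The control flow proposed in this ticket, as an added sketch that is not Puppet's own code: a failed logon with 1793 or 1909 skips the password change and logs a debug line, and a failed password change is reported with the matching description from the list above. `Win32Error`, `sync_password`, and the `logon`/`set_password` callables are hypothetical names standing in for the provider and the Windows API calls; log lines carry the user name only, never a password.

```ruby
# Added example; hypothetical names, not Puppet's own classes or API.
class Win32Error < StandardError
  attr_reader :code

  def initialize(code)
    @code = code
    super(format('Win32 error %d (0x%X)', code, code))
  end
end

# Logon failures for which the ticket proposes NOT attempting a password change.
SKIP_PASSWORD_SET = {
  1793 => 'ERROR_ACCOUNT_EXPIRED',
  1909 => 'ERROR_ACCOUNT_LOCKED_OUT'
}.freeze

# Password-change failures from the ticket's list, worded as a correction hint.
SET_PASSWORD_HINTS = {
  1323 => 'ERROR_WRONG_PASSWORD: the value given as the current password is incorrect',
  1324 => 'ERROR_ILL_FORMED_PASSWORD: the new password contains values that are not allowed',
  1325 => 'ERROR_PASSWORD_RESTRICTION: the new password fails length, complexity, or history requirements'
}.freeze

# logon and set_password are callables that raise Win32Error on failure.
# Returns [outcome, log_lines]; outcome is :in_sync, :changed, :skipped or :failed.
def sync_password(user, logon:, set_password:)
  log = []
  begin
    logon.call(user)
    return [:in_sync, log] # credentials already valid, nothing to change
  rescue Win32Error => e
    if (name = SKIP_PASSWORD_SET[e.code])
      log << "debug: #{user}: #{name} (#{e.code}); not setting password"
      return [:skipped, log]
    end
    # Any other logon failure falls through to the password change.
  end
  set_password.call(user)
  [:changed, log]
rescue Win32Error => e
  # Only reached when set_password raised; unknown codes keep the raw error text.
  hint = SET_PASSWORD_HINTS.fetch(e.code, 'unrecognized error')
  log << "err: #{user}: could not set password: #{hint} (#{e.message})"
  [:failed, log]
end
```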