[PUP-8231] Managing an existing Windows Group resource may error when any of its members is a virtual account (like IIS AppPool\DefaultAppPool or NT Service\Dhcp) - Puppet Tickets

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: PUP 4.10.10, PUP 5.3.4
Fix Version/s: PUP 4.10.11, PUP 5.3.6, PUP 5.5.0
Component/s: None
Labels:
- customer-escalation
Environment:

Any version of Windows including 2008R2 and above (virtual accounts were introduced in 2008R2 / 7)

Template:
PUP Bug Template customfield_10700 225741
Acceptance Criteria:
Hide

An existing group that contains virtual accounts should be modifiable with Puppet without error

Fix should not introduce any backwards incompatible changes to existing Windows Group behavior
Show
An existing group that contains virtual accounts should be modifiable with Puppet without error Fix should not introduce any backwards incompatible changes to existing Windows Group behavior
Epic Link:
Windows user management improvements
Team:
Windows
Sprint:
Windows Kanban
Method Found:
Customer Feedback

CS Priority:
Normal
CS Frequency:
3 - 25-50% of Customers
CS Severity:
3 - Serious
CS Business Value:
5 - $$$$$$
CS Impact:

Hide
The group resource is not working as expected on windows.

A potentially workaround might be to run an exec to add the user to the group after creation.. Not great but might work until it's resolved.

Show
The group resource is not working as expected on windows. A potentially workaround might be to run an exec to add the user to the group after creation.. Not great but might work until it's resolved.

Release Notes:
Bug Fix
Release Notes Summary:

Hide
While Puppet could create new Windows groups containing virtual accounts, it was previously unable to manage groups that contained at least one virtual account. Puppet may also have been unable to correctly manage groups with account names that appeared in both the local computer and in a domain, due to a failure to properly disambiguate the accounts. Both problems are now resolved.

Show
While Puppet could create new Windows groups containing virtual accounts, it was previously unable to manage groups that contained at least one virtual account. Puppet may also have been unable to correctly manage groups with account names that appeared in both the local computer and in a domain, due to a failure to properly disambiguate the accounts. Both problems are now resolved.

Steps to reproduce

1. Create Group "TestGroup" with "IIS AppPool\DefaultAppPool" as a member

group { 'TestGroup':

    name            => 'TestGroup',

    ensure          => present,

    members         => ['IIS AppPool\DefaultAppPool'],

    auth_membership => false,

2. Re-run the same manifest

group { 'TestGroup':

    name            => 'TestGroup',

    ensure          => present,

    members         => ['IIS AppPool\DefaultAppPool'],

    auth_membership => false,

3. Once the group exists on the system, Puppet fails to resolve the virtual account properly and generates an error like:

"Could not resolve name: DefaultAppPool"

duplicates

PUP-8295 Group resource cannot resolve virtual account "NT Service\Servicename"

is duplicated by

PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains

relates to

PUP-7326 Group resource (with auth_membership) fails if local Windows group contains not resolvable Domain accounts