Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9206

Improve error messaging for Windows user management

    Details

    • Template:
    • Team:
      Platform OS

      Description

      Cloning PUP-6569; the fix covered the basics of disabled, expired and locked accounts. More work in this area is warranted as time permits, and is detailed below.

      While investigating PUP-6483, we found that we could be more specific with our error handling when performing some user password management tasks on Windows.

      Per Rob Reynolds in PUP-6483:

      A few error codes we could explore handling some of the errors and providing better messages around how to correct. Possibly as a separate ticket though.
      https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx

      * ERROR_LAST_ADMIN  - 1322 (0x52A) - This operation is disallowed as it could result in an administration account being disabled, deleted or unable to log on.
      * ERROR_WRONG_PASSWORD - 1323 (0x52B) - Unable to update the password. The value provided as the current password is incorrect.
      * ERROR_ILL_FORMED_PASSWORD - 1324 (0x52C) - Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
      * ERROR_PASSWORD_RESTRICTION - 1325 (0x52D) - Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
      * ERROR_LOGON_FAILURE - 1326 (0x52E) - The user name or password is incorrect.
      * ERROR_ACCOUNT_RESTRICTION - 1327 (0x52F) - Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced.
      * ERROR_INVALID_LOGON_HOURS - 1328 (0x530) - Your account has time restrictions that keep you from signing in right now.
      * ERROR_INVALID_WORKSTATION - 1329 (0x531) - This user isn't allowed to sign in to this computer.
      * ERROR_PASSWORD_EXPIRED - 1330 (0x532) - The password for this account has expired.
      * ERROR_ACCOUNT_DISABLED - 1331 (0x533) - This user can't sign in because this account is currently disabled.
      

      In Scope

      • Modify the Puppet Windows user provider or backing libs in puppet/util/windows to detect and surface some or all of the preceding errors to the user when applicable

      Notes
      From - https://github.com/puppetlabs/puppet/pull/5201#discussion_r75033133

      ERROR_ACCOUNT_LOCKED_OUT = 1909 - is raised if account is locked out even when supplied login credentials are valid

        Attachments

          Issue Links

            Activity

              jsd-sla-details-panel

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  jonathan.morris Jonathan Morris
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:

                    Zendesk Support