[PUP-4373] Windows ADSI User groups property should behave similarly to Groups members property Created: 2015/04/03  Updated: 2015/06/08  Resolved: 2015/05/20

Status: Closed
Project: Puppet
Component/s: Types and Providers, Windows
Affects Version/s: None
Fix Version/s: PUP 4.1.0

Type: Bug Priority: Minor
Reporter: Rob Reynolds Assignee: Unassigned
Resolution: Done Votes: 0
Labels: windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to PUP-3653 Unable to create/force empty Windows ... Closed
relates to PUP-3804 User resource cannot add DOMAIN\User ... Closed
Template:
Story Points: 2
Sprint: Windows 2015-04-08, Windows 2015-04-22, Windows 2015-05-06, Windows 2015-05-20
Release Notes: Bug Fix
QA Contact: Eric Thompson

 Description   

When setting groups using the User resource:

user { "bud":
  ensure => present,
  groups => ['BUILTIN\Administrators'],
}

it runs into issues because it is trying to compare names and not SIDs like the users in a group resource do. It also doesn't allow empty groups like can be done with PUP-3653.

We should enhance it so it has more parity with the groups resource.



 Comments   
Comment by Rob Reynolds [ 2015/04/09 ]

Josh Cooper / Ethan Brown - this is ready to be looked over.

Comment by Kurt Wall [ 2015/05/18 ]

Before the fix (puppet-3.8.0-43.msi), the following manifest causes an error. After the fix, it doesn't.

C:\>type x.pp
user { 'timmy':
  ensure => present,
  groups => ['BUILTIN\Administrators', 'users'],
}
 
C:\>puppet apply x.pp --verbose
Notice: Compiled catalog for dd4lxjvwfzaiy1z.delivery.puppetlabs.net in environment production in 0.20 seconds
Info: Applying configuration version '1431980977'
Error: ADSI connection error: failed to parse display name of moniker `WinNT://./BUILTIN\Administrators,group'
    HRESULT error code:0x800708ac
      The group name could not be found.
Wrapped exception:
failed to parse display name of moniker `WinNT://./BUILTIN\Administrators,group'
    HRESULT error code:0x800708ac
      The group name could not be found.
Error: /Stage[main]/Main/User[timmy]/ensure: change from absent to present failed: ADSI connection error: failed to parse display name of moniker `WinNT://./BUILTIN\Administrators,group'
    HRESULT error code:0x800708ac
      The group name could not be found.
Notice: Finished catalog run in 0.11 seconds

After the fix (puppet-agent):

ruby 2.1.6p336 (2015-04-13 revision 50298) [i386-mingw32]
 
C:\Program Files (x86)\Puppet Labs\Puppet\bin>puppet --version
4.0.0
 
C:\Program Files (x86)\Puppet Labs\Puppet\bin>cd c:\
 
C:\>puppet apply x.pp --verbose
Notice: Compiled catalog for dd4lxjvwfzaiy1z.delivery.puppetlabs.net in environm
ent production in 0.83 seconds
Info: Applying configuration version '1431983111'
Notice: /Stage[main]/Main/User[timmy]/groups: groups changed '' to ['BUILTIN\Adm
inistrators']
Info: Creating state file C:/Documents and Settings/All Users/Application Data/P
uppetLabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.08 seconds

Comment by Kurt Wall [ 2015/05/18 ]

Fixed based on previous comments.

Comment by Kurt Wall [ 2015/05/18 ]

It is also possible to use and emtpy group list:

# x.pp
C:\>type x.pp
user { "johnny":
  ensure => present,
  groups => [],
}
 
C:\>puppet apply x.pp --verbose
Notice: Compiled catalog for dd4lxjvwfzaiy1z.delivery.puppetlabs.net in environm
ent production in 0.80 seconds
Info: Applying configuration version '1431983948'
Notice: /Stage[main]/Main/User[johnny]/ensure: created
Notice: Applied catalog in 0.12 seconds

Generated at Mon Dec 09 12:32:15 PST 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.