[PUP-6569] Improve error messaging for Windows user management
Created: 2016/08/01  Updated: 2019/10/15  Resolved: 2018/10/09

Status: Resolved
Project: Puppet
Component/s: Types and Providers, Windows
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Normal
Reporter: Moses Mendoza
Assignee: Casey Williams
Resolution: Done
Votes: 0
Labels: type_and_provider, user, windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is cloned by PUP-9206 Improve error messaging for Windows u... Accepted
relates to PUP-6483 "puppet resource user", when run in W... Closed
relates to PUP-6586 User resource always reports password... Closed
relates to PUP-9206 Improve error messaging for Windows u... Accepted
Epic Link: WINning
Team: Platform OS
Sprint: Platform OS Kanban


While investigating PUP-6483, we found that we could be more specific with our error handling when performing some user password management tasks on Windows.

Per Rob Reynolds in PUP-6483:

A few error codes we could explore handling some of the errors and providing better messages around how to correct. Possibly as a separate ticket though.

* ERROR_LAST_ADMIN - 1322 (0x52A) - This operation is disallowed as it could result in an administration account being disabled, deleted or unable to log on.
* ERROR_WRONG_PASSWORD - 1323 (0x52B) - Unable to update the password. The value provided as the current password is incorrect.
* ERROR_ILL_FORMED_PASSWORD - 1324 (0x52C) - Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
* ERROR_PASSWORD_RESTRICTION - 1325 (0x52D) - Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
* ERROR_LOGON_FAILURE - 1326 (0x52E) - The user name or password is incorrect.
* ERROR_ACCOUNT_RESTRICTION - 1327 (0x52F) - Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced.
* ERROR_INVALID_LOGON_HOURS - 1328 (0x530) - Your account has time restrictions that keep you from signing in right now.
* ERROR_INVALID_WORKSTATION - 1329 (0x531) - This user isn't allowed to sign in to this computer.
* ERROR_PASSWORD_EXPIRED - 1330 (0x532) - The password for this account has expired.
* ERROR_ACCOUNT_DISABLED - 1331 (0x533) - This user can't sign in because this account is currently disabled.

In Scope

  • Modify the Puppet Windows user provider or backing libs in puppet/util/windows to detect and surface some or all of the preceding errors to the user when applicable

From - https://github.com/puppetlabs/puppet/pull/5201#discussion_r75033133

ERROR_ACCOUNT_LOCKED_OUT = 1909 - is raised if account is locked out even when supplied login credentials are valid
With both ERROR_ACCOUNT_LOCKED_OUT = 1909 and ERROR_ACCOUNT_EXPIRED = 1793, puppet will proceed to set the password anyway after failed logon.
Both of these (and probably others) are cases we could improve on... for example, puppet should not try to set passwords for expired or locked out accounts, and possibly should log a debug message that this was encountered?
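An added sketch of the triage the description asks for; it is not Puppet's provider code. It assumes the provider tests the desired password with a logon attempt and receives a Win32 error code back, and the module, method, and action names are hypothetical.

```ruby
# Added example, not Puppet's provider code; module and method names are hypothetical.
module LogonTriage
  Decision = Struct.new(:action, :message)

  # States the ticket says must block a password change (warn and skip instead).
  BLOCKED = {
    1331 => 'ERROR_ACCOUNT_DISABLED',
    1793 => 'ERROR_ACCOUNT_EXPIRED',
    1909 => 'ERROR_ACCOUNT_LOCKED_OUT'
  }.freeze

  # Other codes listed in the ticket, surfaced by name rather than as a bare number.
  NAMED = {
    1322 => 'ERROR_LAST_ADMIN',
    1323 => 'ERROR_WRONG_PASSWORD',
    1324 => 'ERROR_ILL_FORMED_PASSWORD',
    1325 => 'ERROR_PASSWORD_RESTRICTION',
    1327 => 'ERROR_ACCOUNT_RESTRICTION',
    1328 => 'ERROR_INVALID_LOGON_HOURS',
    1329 => 'ERROR_INVALID_WORKSTATION',
    1330 => 'ERROR_PASSWORD_EXPIRED'
  }.freeze

  # Assumption: 1326 from a logon with the desired password means "password differs".
  LOGON_FAILURE = 1326

  def self.label(name, code)
    format('%s %d (0x%X)', name, code, code)
  end

  # code: Win32 error from the logon check made with the desired password (0 = success).
  def self.decide(user, code)
    if code.zero?
      Decision.new(:in_sync, "#{user}: password already matches")
    elsif code == LOGON_FAILURE
      Decision.new(:set_password, "#{user}: password differs, updating")
    elsif BLOCKED.key?(code)
      Decision.new(:skip, "#{user}: #{label(BLOCKED[code], code)}; password not changed")
    else
      name = NAMED.fetch(code, 'unrecognized error')
      Decision.new(:error, "#{user}: logon check failed with #{label(name, code)}")
    end
  end
end

# Constructed sample results: [user, Win32 code returned by the logon check]
[['alice', 0], ['bob', 1326], ['carol', 1909], ['dave', 1793], ['erin', 1328]].each do |user, code|
  d = LogonTriage.decide(user, code)
  puts format('%-13s %s', d.action, d.message)
end
```

Treating every code outside the three blocked states and 1326 as a hard error is a choice made for this example; the ticket leaves the handling of those codes open.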

Comment by Jonathan Morris [ 2018/10/03 ]

Disabled, expired and locked accounts are detected; passwords cannot be changed for accounts in these states and a warning is reported. More expansive error reporting will be addressed in a separate ticket.

Comment by Enis Inan [ 2018/10/09 ]

Casey Williams Can you please add release notes to this ticket? Thanks!
