[PUP-6716] Error when purging local users on Windows Created: 2015/11/20  Updated: 2019/07/15  Resolved: 2018/10/09

Status: Resolved
Project: Puppet
Component/s: Windows
Affects Version/s: PUP 4.6.2
Fix Version/s: PUP 5.5.7

Type: Bug Priority: Critical
Reporter: Tim Purkerson Assignee: Scott McClellan
Resolution: Done Votes: 0
Labels: customer, manage-user-group, type_and_provider, user, windows, windows-parity
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Windows server

Issue Links:
is duplicated by PUP-3662 Using the 'resources' resource to man... Closed
relates to PUP-9188 Properly purge non-system users on So... Accepted
Epic Link: WINning
Team: Platform OS
Story Points: 2
Sprint: Platform OS Kanban


This a significant user.


We want to control the local users with Puppet and purge any unmanaged user for audit compliance and security purposes. When I configure this in the below manifest I get the following error:
Error: /Stage[main]/Main/Resources[user]: Failed to generate additional resources using 'generate': comparison of String with 499 failed
Can this please be fixed.


{ ['Administrator', 'guest']: ensure => present }


{ 'user': purge => true }

As a generic rule of thumb you can expect us to use Puppet and all classes on every Windows edition available from 2003 and up, although 2008 and up is really the current scope, don't care too much about 2003. I just tested and this doesn't work on Windows 2012R2 either. I've never tested it before, we're in the process of putting this compliancy rule in Puppet so this is the first time I run into this. It looks like a bug to me, tt work fine (as expected) for for example the group resource or host resource and even type/providers we created ourselves.

Comment by Geoff Nichols [ 2016/09/15 ]

Moses Mendoza to follow up to see if this is still an issue for customer and if fixed in PE 2016-era Puppet. (If still an issue, we should create a PUP ticket).

Comment by Moses Mendoza [ 2016/09/19 ]

Ping Tim Purkerson do you know if the user is still requesting a fix for this?

Is there a related support ticket that could be linked to this?

Comment by Moses Mendoza [ 2016/09/19 ]

I was able to reproduce this issue on HEAD of puppet:

A user to be purged:

C:\Users\moses\development\puppet(master)> be puppet resource user 'blah' ensure=present
DL is deprecated, please use Fiddle
Notice: /User[blah]/ensure: created
user { 'blah':
  ensure => 'present',


C:\Users\moses\development\puppet(master)> be puppet apply -e "user { ['Administrator', 'Guest', 'moses']: ensure => present } resources { 'user': purge => true }" --debug --trace
Error: /Stage[main]/Main/Resources[user]: Failed to generate additional resources using 'generate': comparison of String with 499 failed
C:/Users/moses/development/puppet/lib/puppet/type/resources.rb:150:in `>'
C:/Users/moses/development/puppet/lib/puppet/type/resources.rb:150:in `user_check'
C:/Users/moses/development/puppet/lib/puppet/type/resources.rb:94:in `check'
C:/Users/moses/development/puppet/lib/puppet/type/resources.rb:113:in `block in generate'
C:/Users/moses/development/puppet/lib/puppet/type/resources.rb:113:in `select'
C:/Users/moses/development/puppet/lib/puppet/type/resources.rb:113:in `generate'
C:/Users/moses/development/puppet/lib/puppet/transaction/additional_resource_generator.rb:19:in `generate_additional_resources'
C:/Users/moses/development/puppet/lib/puppet/transaction.rb:92:in `block in evaluate'
C:/Users/moses/development/puppet/lib/puppet/transaction.rb:92:in `each'
C:/Users/moses/development/puppet/lib/puppet/transaction.rb:92:in `evaluate'
C:/Users/moses/development/puppet/lib/puppet/resource/catalog.rb:222:in `block in apply'
C:/Users/moses/development/puppet/lib/puppet/util/log.rb:155:in `with_destination'
C:/Users/moses/development/puppet/lib/puppet/transaction/report.rb:137:in `as_logging_destination'
C:/Users/moses/development/puppet/lib/puppet/resource/catalog.rb:221:in `apply'
C:/Users/moses/development/puppet/lib/puppet/configurer.rb:171:in `block in apply_catalog'
C:/Users/moses/development/puppet/lib/puppet/util.rb:223:in `block in benchmark'
c:/tools/ruby21-x64/lib/ruby/2.1.0/benchmark.rb:294:in `realtime'
C:/Users/moses/development/puppet/lib/puppet/util.rb:222:in `benchmark'
C:/Users/moses/development/puppet/lib/puppet/configurer.rb:170:in `apply_catalog'
C:/Users/moses/development/puppet/lib/puppet/configurer.rb:343:in `run_internal'
C:/Users/moses/development/puppet/lib/puppet/configurer.rb:221:in `block in run'
C:/Users/moses/development/puppet/lib/puppet/context.rb:65:in `override'
C:/Users/moses/development/puppet/lib/puppet.rb:241:in `override'
C:/Users/moses/development/puppet/lib/puppet/configurer.rb:195:in `run'
C:/Users/moses/development/puppet/lib/puppet/application/apply.rb:350:in `apply_catalog'
C:/Users/moses/development/puppet/lib/puppet/application/apply.rb:274:in `block in main'
C:/Users/moses/development/puppet/lib/puppet/context.rb:65:in `override'
C:/Users/moses/development/puppet/lib/puppet.rb:241:in `override'
C:/Users/moses/development/puppet/lib/puppet/application/apply.rb:225:in `main'
C:/Users/moses/development/puppet/lib/puppet/application/apply.rb:170:in `run_command'
C:/Users/moses/development/puppet/lib/puppet/application.rb:344:in `block in run'
C:/Users/moses/development/puppet/lib/puppet/util.rb:540:in `exit_on_fail'
C:/Users/moses/development/puppet/lib/puppet/application.rb:344:in `run'
C:/Users/moses/development/puppet/lib/puppet/util/command_line.rb:132:in `run'
C:/Users/moses/development/puppet/lib/puppet/util/command_line.rb:72:in `execute'
C:/Users/moses/development/puppet/bin/puppet:5:in `<top (required)>'
C:/Users/moses/development/puppet/.bundle/ruby/2.1.0/bin/puppet:23:in `load'
C:/Users/moses/development/puppet/.bundle/ruby/2.1.0/bin/puppet:23:in `<main>'
Debug: Loaded transaction store file in 0.00 seconds
Info: Applying configuration version '1474330653'
Debug: Finishing transaction 50243080
Debug: Storing state
Debug: Stored state in 0.01 seconds

Comment by Moses Mendoza [ 2016/09/19 ]

The workaround is to specify `unless_system_user => false` , i.e,

be puppet apply -e "user { ['Administrator', 'Guest', 'moses']: ensure => present } resources { 'user': purge => true, unless_system_user => false }" --debug --trace

This appears to purge users successfully.

The reason this is failing is that the `unless_system_user` check defaults to doing a numeric comparison against *nix-style UIDs, but on Windows the User resource UID property is a string, e.g., something like "S-1-5-21-2968830994-1408266442-3936550459-1045"

In lib/puppet/type/resources.rb the class method `systems_user_max_uid` returns a default int of `999` (bsd) or `499` which becomes the value compared to the windows uid string, causing the failure.

For this to work, the logic around system user check would have to be refactored a bit I think, perhaps to check explicitly for well-known SIDs for system accounts?

Comment by Moses Mendoza [ 2016/09/19 ]

Moved to PUP project

Comment by Enis Inan [ 2018/10/09 ]

Scott McClellan Can you add release notes to this ticket please? Thanks!

Comment by Josh Cooper [ 2019/07/15 ]

Merged to 5.5.x in https://github.com/puppetlabs/puppet/commit/46de26c468fc78ae0a0ab8ad9aa1eb5ed8a819e9 and first released in 5.5.7

Generated at Sun Oct 13 17:58:57 PDT 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.