[PUP-9206] Improve error messaging for Windows user management Created: 2018/10/03  Updated: 2020/03/04

Status: Accepted
Project: Puppet
Component/s: Types and Providers, Windows
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Normal
Reporter: Jonathan Morris Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: cli, platform-os, type_and_provider, user, ux, windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
clones PUP-6569 Improve error messaging for Windows u... Resolved
relates to PUP-6569 Improve error messaging for Windows u... Resolved
Team: Night's Watch


Cloning PUP-6569; the fix covered the basics of disabled, expired and locked accounts. More work in this area is warranted as time permits, and is detailed below.

While investigating PUP-6483, we found that we could be more specific with our error handling when performing some user password management tasks on Windows.

Per Rob Reynolds in PUP-6483:

A few error codes we could explore handling some of the errors and providing better messages around how to correct. Possibly as a separate ticket though.

* ERROR_LAST_ADMIN  - 1322 (0x52A) - This operation is disallowed as it could result in an administration account being disabled, deleted or unable to log on.
* ERROR_WRONG_PASSWORD - 1323 (0x52B) - Unable to update the password. The value provided as the current password is incorrect.
* ERROR_ILL_FORMED_PASSWORD - 1324 (0x52C) - Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
* ERROR_PASSWORD_RESTRICTION - 1325 (0x52D) - Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
* ERROR_LOGON_FAILURE - 1326 (0x52E) - The user name or password is incorrect.
* ERROR_ACCOUNT_RESTRICTION - 1327 (0x52F) - Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced.
* ERROR_INVALID_LOGON_HOURS - 1328 (0x530) - Your account has time restrictions that keep you from signing in right now.
* ERROR_INVALID_WORKSTATION - 1329 (0x531) - This user isn't allowed to sign in to this computer.
* ERROR_PASSWORD_EXPIRED - 1330 (0x532) - The password for this account has expired.
* ERROR_ACCOUNT_DISABLED - 1331 (0x533) - This user can't sign in because this account is currently disabled.

In Scope

  • Modify the Puppet Windows user provider or backing libs in puppet/util/windows to detect and surface some or all of the preceding errors to the user when applicable

From - https://github.com/puppetlabs/puppet/pull/5201#discussion_r75033133

ERROR_ACCOUNT_LOCKED_OUT = 1909 - is raised if account is locked out even when supplied login credentials are valid

Generated at Sun May 31 18:25:07 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.