PSDscResources

Group resource: Failing when using "NT Service\" account

Open djobin opened this issue 6 years ago • 2 comments

Hi,

I'm having issues when trying to add an 'NT Service' virtual account to a local group with the Group resource. I'm using PSDscResources 2.9.0.0.

The sample config installs Windows Internal Database. Then it tries to add the 'NT Service\MSSQL$MICROSOFT##WID' account created by the install process to a local group (this is needed for our business policies).

Configuration MyConfig
{
    # Module names are matched case-insensitively, so 'PSDSCResources' resolves to PSDscResources.
    Import-DscResource -ModuleName 'PSDSCResources'

    # Add the WID service virtual account to a local group (the group is created if missing).
    Group LocalGroup
    {
        GroupName        = "MyLocalGroup"
        Ensure           = 'Present'
        MembersToInclude = 'NT Service\MSSQL$MICROSOFT##WID'
        # The account only exists once the feature install below has run.
        DependsOn        = '[WindowsFeature]InstallWID'
    }

    # Installing Windows Internal Database creates the 'NT Service\MSSQL$MICROSOFT##WID' account.
    WindowsFeature InstallWID
    {
        Ensure = "Present"
        Name   = "Windows-Internal-Database"
    }
}

# Compile the MOF into $env:TEMP and apply it to the local LCM.
MyConfig -OutputPath $env:TEMP
Start-DscConfiguration -Path $env:TEMP -Verbose -Wait -Force

It fails with:

VERBOSE: [SERVER1]: LCM:  [ Start  Resource ]  [[Group]LocalGroup]
VERBOSE: [SERVER1]: LCM:  [ Start  Test     ]  [[Group]LocalGroup]
VERBOSE: [SERVER1]:                            [[Group]LocalGroup] Invoking the function Test-TargetResourceOnFullSKU for the group MyLocalGroup.
VERBOSE: [SERVER1]:                            [[Group]LocalGroup] A group with the name MyLocalGroup does not exist.
VERBOSE: [SERVER1]: LCM:  [ End    Test     ]  [[Group]LocalGroup]  in 5.0310 seconds.
VERBOSE: [SERVER1]: LCM:  [ Start  Set      ]  [[Group]LocalGroup]
VERBOSE: [SERVER1]:                            [[Group]LocalGroup] Begin executing Set functionality on the group MyLocalGroup.
VERBOSE: [SERVER1]:                            [[Group]LocalGroup] Performing the operation "Add" on target "Group: MyLocalGroup".
VERBOSE: [SERVER1]:                            [[Group]LocalGroup] Resolving MSSQL$MICROSOFT##WID as a local account.
VERBOSE: [SERVER1]: LCM:  [ End    Set      ]  [[Group]LocalGroup]  in 2.7650 seconds.
PowerShell DSC resource MSFT_GroupResource  failed to execute Set-TargetResource functionality with error message: Exception calling "FindByIdentity" with "2" 
argument(s): "Unable to cast object of type 'System.Boolean' to type 'System.DirectoryServices.DirectoryEntry'." 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
 
VERBOSE: [SERVER1]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

I have pinpointed the code behind this error:

Line: 1965 Module: \PSDscResources\2.9.0.0\DscResources\MSFT_GroupResource\MSFT_GroupResource.psm1

$principal = Find-Principal -PrincipalContext $principalContext -IdentityValue $identityValue

More precisely: Line: 2342

[System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($PrincipalContext, $IdentityValue)

If you run this line of code by replacing $identityValue with 'MSSQL$MICROSOFT##WID', you get the error.

If you run it using another local account, say 'administrator', it works fine. It seems the method FindByIdentity cannot resolve those 'virtual accounts' like 'NT Service' because they're in fact not listed as local users on the system. If you try Get-LocalUser, you'll see that the account isn't listed.

But, using other techniques, the user can be exposed:

# Resolve the name through LSA (LookupAccountName) instead of the AccountManagement API.
[System.Security.Principal.NTAccount]$Identity = 'MSSQL$MICROSOFT##WID'
$SID = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
# Translate the SID back to get the canonical 'NT SERVICE\...' account name.
$NTAccount = $SID.Translate([System.Security.Principal.NTAccount])
$OutputObject = [PSCustomObject]@{Name = $NTAccount.Value; SID = $SID.Value}
$OutputObject

Name                            SID                                                            
----                            ---                                                            
NT SERVICE\MSSQL$MICROSOFT##WID S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534

There is a module in the PowerShell Gallery that works fine with this scenario: cLocalGroup, version 1.0.1. It uses an internal "Resolve-IdentityReference" function that uses the technique above to resolve the user and returns the name and SID of that user.

So that's it. Hope this helps someone to maybe find a fix that can be implemented in this module.

Thank you.

djobin avatar Dec 17 '18 19:12 djobin
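As an added example (this is not PSDscResources code and not the issue author's code), the following PowerShell shows the fallback that a Find-Principal-style resolver needs for this case: try FindByIdentity first, and when it throws or returns nothing, resolve the name through NTAccount.Translate, which goes through LSA and therefore knows NT SERVICE virtual accounts that Get-LocalUser never lists. Membership is then tested and added by SID rather than by name, because the name LSA returns ('NT SERVICE\...') differs in case from what the configuration specified ('NT Service\...'). The function names, the SID-based membership check and the WinNT SID-path add are my own choices; 'MyLocalGroup' and the WID account are the ones from the issue.

```powershell
# Added example, not code from PSDscResources or from the issue author.
# Resolver with LSA fallback, plus SID-keyed membership test/add via the WinNT ADSI provider.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Resolve-LocalIdentity {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity)

    # PSDscResources 2.9.0.0 passes only the name part ('MSSQL$MICROSOFT##WID') to FindByIdentity.
    $name = ($Identity -split '\\')[-1]

    # First attempt: the path the resource takes today. Works for real local users such as
    # 'Administrator'; throws the InvalidCast error from the issue for NT SERVICE virtual accounts.
    $ctx = $null
    try {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Machine)
        $principal = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ctx, $name)
        if ($principal) {
            return [PSCustomObject]@{
                Name   = $principal.Sid.Translate([System.Security.Principal.NTAccount]).Value
                SID    = $principal.Sid.Value
                Source = 'FindByIdentity'
            }
        }
    }
    catch {
        Write-Verbose "FindByIdentity failed for '$name': $($_.Exception.Message)"
    }
    finally {
        if ($ctx) { $ctx.Dispose() }
    }

    # Fallback: LSA lookup (LookupAccountName) via NTAccount -> SecurityIdentifier.
    # Throws IdentityNotMappedException if the name is genuinely unknown to the machine.
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])
    [PSCustomObject]@{
        Name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
        SID    = $sid.Value
        Source = 'NTAccount.Translate'
    }
}

function Get-LocalGroupMemberSid {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$GroupName)

    # Enumerate members via ADSI and key on objectSid: the display name of a virtual account
    # ('NT Service\...' vs 'NT SERVICE\...') is not a stable comparison key, the SID is.
    $group = [ADSI]"WinNT://./$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Add-LocalGroupMemberBySid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Identity
    )

    $resolved = Resolve-LocalIdentity -Identity $Identity
    if ((Get-LocalGroupMemberSid -GroupName $GroupName) -contains $resolved.SID) {
        Write-Verbose "$($resolved.Name) is already a member of $GroupName"
        return $resolved
    }

    # Add by SID path so the WinNT provider performs no name lookup of its own.
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.Add("WinNT://$($resolved.SID)")
    $resolved
}

# Usage (run elevated, after the Windows-Internal-Database feature is installed):
# Add-LocalGroupMemberBySid -GroupName 'MyLocalGroup' -Identity 'NT Service\MSSQL$MICROSOFT##WID' -Verbose
```

With -Verbose the first call reports the FindByIdentity failure and then returns the object with Source = 'NTAccount.Translate' and the S-1-5-80-... service SID; a real local user such as 'Administrator' comes back with Source = 'FindByIdentity'. On systems that ship Microsoft.PowerShell.LocalAccounts, passing the resolved SID to Add-LocalGroupMember -Member as a [System.Security.Principal.SecurityIdentifier] should be an equivalent way to do the add.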

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g. bug, enhancement, documentation, or tests) then the issue will not auto-close.

stale[bot] avatar Jan 17 '19 11:01 stale[bot]

Thanks for raising this @djobin

It sounds like we might need to look at extending/changing the Find-Principal function to support the 'MSSQL$MICROSOFT##WID' format principal. It looks like we might be able to refactor this function to support this using the code you've suggested.

I'll tag this and we'll hopefully get to it in the short term.

PlagueHO avatar Jan 19 '19 07:01 PlagueHO