dsccommunity
PowerShellExecutionPolicy doesn't allow multiple 'CurrentUser' assignments
Problem description
Powershell 5.1 DSC doesn't allow you to specify the same ExecutionPolicy for ExecutionPolicyScope 'CurrentUser' but different PsRunAsCredentials, meaning you can't assign it to multiple specific users.
Verbose logs
Test-ConflictingResources : A conflict was detected between resources '[PowerShellExecutionPolicy]Builder (::8::5::PowerShellExecutionPolicy)' and '[PowerShellExecutionPolicy]Publisher
(::9::5::PowerShellExecutionPolicy)' in node 'localhost'. Resources have identical key properties but there are differences in the following non-key properties: 'PsDscRunAsCredential'.
Values 'System.Management.Automation.PSCredential' don't match values 'System.Management.Automation.PSCredential'. Please update these property values so that they are identical in both
cases.
At line:289 char:9
+ Test-ConflictingResources $keywordName $canonicalizedValue $k ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
+ FullyQualifiedErrorId : ConflictingDuplicateResource,Test-ConflictingResources
Compilation errors occurred while processing configuration 'FailSample'. Please review the errors reported in error stream and modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+ throw $ErrorRecord
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (FailSample:String) [], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessConfiguration
DSC configuration
{
Param([Parameter(Mandatory)][PSCredential]$Builder, [Parameter(Mandatory)][PSCredential]$Publisher)
Import-DscResource -ModuleName ComputerManagementDsc
Node localhost
{
PowerShellExecutionPolicy Builder { ExecutionPolicy='RemoteSigned'; ExecutionPolicyScope='CurrentUser'; PsDscRunAsCredential = $Builder }
PowerShellExecutionPolicy Publisher { ExecutionPolicy='RemoteSigned'; ExecutionPolicyScope='CurrentUser'; PsDscRunAsCredential = $Publisher }
}
}
Sample -Verbose -ConfigurationData:@{AllNodes=@(@{NodeName='localhost'; PsDscAllowPlainTextPassword=$true})}
Suggested solution
Add PowerShellUserExecutionPolicy which doesn't take scope and requires a credential.
PowerShellUserExecutionPolicy Builder
{
ExecutionPolicy = 'RemoteSigned' ; Credential = $builder
}
PowerShellUserExecutionPolicy Publisher
{
ExecutionPolicy = 'RemoteSigned' ; Credential = $publisher
}
Operating system the target node is running
OsName : Microsoft Windows 10 Pro
OsOperatingSystemSKU : 48
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage : en-US
OsMuiLanguages : {en-US}
PowerShell version and build the target node is running
PSVersion 5.1.19041.1682
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.1682
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
ComputerManagementDsc version
Name Version Path
---- ------- ----
ComputerManagementDsc 8.5.0 C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\8.5.0\ComputerManage
mentDsc.psd1
In my case, we already have machine and user policies, these two users have a need to specifically allow differently policies unique to their two accounts. Not sure what the point of specifying a run-as credential is, if using different credentials doesn't change who 'CurrentUser' is.
Would it be possible to make a composite resource that adds a property Credential as key property. The credential property could then maybe be added to PsDscRunAsCredential? 🤔 If that works we would not need to make a breaking change,
(Just playing catch up after a very hectic "holiday", heh)
That's not possible because Credential just isn't part of the underlying separators, so the composite would simply cause the problem - at least, my attempts to make one seemed to bear this out.