SecurityPolicyDsc icon indicating copy to clipboard operation
SecurityPolicyDsc copied to clipboard

Published 20 hours ago verified publisher icon dsccommunity

UserRightsAssignment: unable to Force multiple values

Open mnotley-reward opened this issue 6 years ago • 2 comments

Details of the scenario you tried and the problem that is occurring

I am trying to set the value of generatesecurityaudits to two SIDs, however this fails to apply. Force only appears to work when setting a single SID.

Verbose logs showing the problem

Error from the Set-TargetResource:

PowerShell DSC resource MSFT_UserRightsAssignment  failed to execute Set-TargetResource functionality with error message: Could not convert Identity: LOCAL 
SERVICE,NETWORK SERVICE to SID 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

Error from the end of the job:

The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

Suggested solution to the issue

Ideally, when specifying Force = $true, it would wipe out any existing values and replace them only with the ones you specify.

The DSC configuration that is used to reproduce the issue (as detailed as possible)


Configuration CIS_WindowsServer2016_v110_MS_lvl1 {
    param (
        [string[]]$NodeName ='localhost'
        )

    Import-DscResource -ModuleName 'NetworkingDsc'
    Import-DscResource –ModuleName 'PSDesiredStateConfiguration'
    Import-DscResource -ModuleName 'AuditPolicyDsc'
    Import-DscResource -ModuleName 'SecurityPolicyDsc'

    Node $NodeName {
        # Firewall Configuration - adjust interface alias
        NetConnectionProfile DefaultConnectionProfile {
            InterfaceAlias   = 'Ethernet 3'
            NetworkCategory  = 'Private'
        }
        # 2.2.30 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE,NETWORK SERVICE'
        UserRightsAssignment Generatesecurityaudits {
            Policy   = 'Generate_security_audits'
            Identity = 'LOCAL SERVICE,NETWORK SERVICE'
            Force    = $true
        }

The operating system the target node is running

OsName : Microsoft Windows Server 2016 Datacenter OsOperatingSystemSKU : DatacenterServerEdition OsArchitecture : 64-bit WindowsBuildLabEx : 14393.3085.amd64fre.rs1_release.190703-1816 OsLanguage : en-US OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

Name Value

PSVersion 5.1.14393.3053 PSEdition Desktop PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...} BuildVersion 10.0.14393.3053 CLRVersion 4.0.30319.42000 WSManStackVersion 3.0 PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

2.9.0.0

mnotley-reward avatar Aug 15 '19 09:08 mnotley-reward

Hi @mnotley-reward, try updating the Identity property with an array like this: Identity = 'LOCAL SERVICE,NETWORK SERVICE'

jcwalker avatar Sep 03 '19 17:09 jcwalker

@mnotley-reward, can you confirm this resolved your issue?

X-Guardian avatar May 15 '20 16:05 X-Guardian