SecurityPolicyDsc icon indicating copy to clipboard operation
SecurityPolicyDsc copied to clipboard

Published 20 hours ago verified publisher icon dsccommunity

Interactive_logon_Message_text_for_users_attempting_to_log_on: A blank line causes the resource to fail even though it worked

Open jeremyhagan opened this issue 7 months ago • 4 comments

Details of the scenario you tried and the problem that is occurring

If you want to use a blank line in the text, the correct syntax is to include '," ",' in your text. When this is passed to the resource it successfully puts the correct value in the registry, however the DSC Resource reports a failure and suggests checking '%windir%\se curity\logs\scesrv.log' However there are no errors in this log either. Secondly, if you try to pass in a here string with a blank line, the Format-LogonMessage function doesn't account for blank lines.

Verbose logs showing the problem

VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] An LCM method call arrived from computer JEREMYDSCTEST with user sid S-1-5-18. VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: LCM: [ Start Set ] VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: LCM: [ Start Resource ] [[SecurityOption]SecurityOpions] VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: LCM: [ Start Test ] [[SecurityOption]SecurityOpions] VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: [[SecurityOption]SecurityOpions] Testing SecurityOption: Interactive_logon_Message_text_for_users_attempting_to_log_on VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: [[SecurityOption]SecurityOpions] Current policy: Foo, ,Bar Desired policy: Foo," ",Bar VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: [[SecurityOption]SecurityOpions] Testing SecurityOption: Interactive_logon_Message_title_for_users_attempting_to_log_on VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: [[SecurityOption]SecurityOpions] Current policy: ATTENTION NETWORK USER Desired policy: ATTENTION NETWORK USER VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: LCM: [ End Test ] [[SecurityOption]SecurityOpions] in 1.3590 seconds. VERBOSE: [2024-07-11 01:53:15Z] [VERBOSE] [JEREMYDSCTEST]: LCM: [ Start Set ] [[SecurityOption]SecurityOpions] VERBOSE: [2024-07-11 01:53:16Z] [VERBOSE] [JEREMYDSCTEST]: [[SecurityOption]SecurityOpions] Testing SecurityOption: Interactive_logon_Message_text_for_users_attempting_to_log_on VERBOSE: [2024-07-11 01:53:16Z] [VERBOSE] [JEREMYDSCTEST]: [[SecurityOption]SecurityOpions] Current policy: Foo, ,Bar Desired policy: Foo," ",Bar VERBOSE: [2024-07-11 01:53:16Z] [VERBOSE] [JEREMYDSCTEST]: [[SecurityOption]SecurityOpions] Testing SecurityOption: Interactive_logon_Message_title_for_users_attempting_to_log_on VERBOSE: [2024-07-11 01:53:16Z] [VERBOSE] [JEREMYDSCTEST]: [[SecurityOption]SecurityOpions] Current policy: ATTENTION NETWORK USER Desired policy: ATTENTION NETWORK USER VERBOSE: [2024-07-11 01:53:16Z] [VERBOSE] [JEREMYDSCTEST]: LCM: [ End Set ] [[SecurityOption]SecurityOpions] in 2.3000 seconds. VERBOSE: [2024-07-11 01:53:16Z] [ERROR] PowerShell DSC resource MSFT_SecurityOption failed to execute Set-TargetResource functionality with error message: Failed to update security option Interactive_logon_Message_text_for_users_attempting_to_log_on. Refer to %windir%\security\logs\scesrv.log for details.

VERBOSE: [2024-07-11 01:53:16Z] [VERBOSE] [JEREMYDSCTEST]: LCM: [ End Set ] VERBOSE: [2024-07-11 01:53:16Z] [ERROR] The SendConfigurationApply function did not succeed. VERBOSE: [2024-07-11 01:53:17Z] [VERBOSE] Operation 'Invoke CimMethod' complete. VERBOSE: [2024-07-11 01:53:17Z] [VERBOSE] Time taken for configuration job to complete is 4.617 seconds

Suggested solution to the issue

  1. Adjust the Format-LogonMessage so that it supports blank lines in here strings properly. Presently the following happens:
PS>$str = @'
foo

bar
 '@
PS>Format-LogonMessage $str
foo,,bar

The outtput should be foo," ",bar 2. Work out the exit code (or whatever) issue which is leading the resource to think SecEdit is failing.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration LegalNoticeTest {
    Import-DscResource -ModuleName SecurityPolicyDsc
    SecurityOption 'SecurityOpions'	{
		Name = 'SecurityOptions'
		Interactive_logon_Message_text_for_users_attempting_to_log_on   = 'Foo," ",Bar'
		Interactive_logon_Message_title_for_users_attempting_to_log_on  = 'ATTENTION NETWORK USER'
	}
}

The operating system the target node is running

OsName : Microsoft Windows Server 2022 Datacenter OsOperatingSystemSKU : DatacenterServerEdition OsArchitecture : 64-bit WindowsVersion : 2009 WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500 OsLanguage : en-US OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

Name Value

PSVersion 5.1.20348.2400 PSEdition Desktop PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...} BuildVersion 10.0.20348.2400 CLRVersion 4.0.30319.42000 WSManStackVersion 3.0 PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1

Version of the DSC module that was used

2.10.0

jeremyhagan avatar Jul 11 '24 02:07 jeremyhagan