SecurityPolicyDsc
Set-TargetResource is not working if we change the default values in AccountPolicy DSCResource
Hi Team,
I am trying to update password policies using the AccountPolicy resource. But if I change the default value in a parameter, it fails. Example: Minimum_Password_Length from 12 to 16. When the values match the default values in Password Policy my configuration succeeds (obviously). Please find the configuration below. Windows Server 2012 R2.
```powershell
Configuration CIS-AC-POL
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node "localhost"
    {
        AccountPolicy Account-Policy   # ResourceName
        {
            Name = "PasswordPolicies"
            Maximum_Password_Age = 45                        # days
            Minimum_Password_Age = 1                         # days
            Minimum_Password_Length = 16                     # characters; the non-default value that fails
            Account_lockout_duration = '600'                 # minutes
            Account_lockout_threshold = '5'                  # invalid logon attempts
            Password_must_meet_complexity_requirements = 'Enabled'
            Reset_account_lockout_counter_after = '60'       # minutes
            Store_passwords_using_reversible_encryption = 'Disabled'
        }
    }
}
```
CIS-AC-POL -OutputPath c:\dsc\
Start-DscConfiguration -Path c:\dsc\ -Wait -Force -Verbose -debug
The above configuration fails with the below log.
PS C:\Windows\system32> C:\Users\Administrator\Documents\Account.ps1
Directory: C:\dsc
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/18/2017 9:21 PM 2584 localhost.mof
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer IP-0A000174 with user sid S-1-5-21-4016039557-2088680779-57283892-500.
VERBOSE: [IP-0A000174]: LCM: [ Start Set ]
VERBOSE: [IP-0A000174]: LCM: [ Start Resource ] [[AccountPolicy]Account-Policy]
VERBOSE: [IP-0A000174]: LCM: [ Start Test ] [[AccountPolicy]Account-Policy]
VERBOSE: [IP-0A000174]: [[AccountPolicy]Account-Policy] Testing AccountPolicy: Maximum_Password_Age
VERBOSE: [IP-0A000174]: [[AccountPolicy]Account-Policy] Current policy: 42 Desired policy: 45
VERBOSE: [IP-0A000174]: LCM: [ End Test ] [[AccountPolicy]Account-Policy] in 0.3120 seconds.
VERBOSE: [IP-0A000174]: LCM: [ Start Set ] [[AccountPolicy]Account-Policy]
DEBUG: [IP-0A000174]: [[AccountPolicy]Account-Policy] Temp inf C:\Windows\TEMP\SecurityPolicy.inf
VERBOSE: [IP-0A000174]: [[AccountPolicy]Account-Policy] Testing AccountPolicy: Maximum_Password_Age
VERBOSE: [IP-0A000174]: [[AccountPolicy]Account-Policy] Current policy: 42 Desired policy: 45
VERBOSE: [IP-0A000174]: LCM: [ End Set ] [[AccountPolicy]Account-Policy] in 1.6380 seconds.
PowerShell DSC resource MSFT_AccountPolicy failed to execute Set-TargetResource functionality with error message: Failed to update Account Policy Maximum_Password_Age,Minimum_Password_Age,Minimum_Password_Length. Refer to %windir%\security\logs\scesrv.log for details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
VERBOSE: [IP-0A000174]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.915 seconds
DSCConfigurationStatus:
PS C:\Users\Administrator\Documents> $Status.ResourcesNotInDesiredState
ConfigurationName : CIS-AC-POL
DependsOn :
ModuleName : SecurityPolicyDsc
ModuleVersion : 2.1.0.0
PsDscRunAsCredential :
ResourceId : [AccountPolicy]Account-Policy
SourceInfo : C:\Users\Administrator\Documents\Account.ps1::7::9::AccountPolicy
DurationInSeconds : 1.544
Error : {
"Exception": {
"Message": "PowerShell DSC resource MSFT_AccountPolicy failed to
execute Set-TargetResource functionality with error message: Failed to update Account Policy
Maximum_Password_Age. Refer to %windir%\\security\\logs\\scesrv.log for details. ",
"Data": {
},
"InnerException": {
"ErrorRecord": "Failed to update Account Policy
Maximum_Password_Age. Refer to %windir%\\security\\logs\\scesrv.log for details.",
"WasThrownFromThrowStatement": true,
"Message": "Failed to update Account Policy
Maximum_Password_Age. Refer to %windir%\\security\\logs\\scesrv.log for details.",
"Data":
"System.Collections.ListDictionaryInternal",
"InnerException":
"System.Management.Automation.RuntimeException: Failed to update Account Policy
Maximum_Password_Age. Refer to %windir%\\security\\logs\\scesrv.log for details.",
"TargetSite":
"System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject]
Invoke(System.Collections.IEnumerable)",
"StackTrace": " at
System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)\r\n at
System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean
performSyncInvoke)\r\n at
System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace
rsToUse, Boolean isSync)\r\n at
System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1
input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n at
System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input,
PSDataCollection`1 output, PSInvocationSettings settings)\r\n at
System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings
settings)\r\n at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapter.ExecuteCommand(PowerShell powerShell, ResourceModuleInfo resInfo, String operationCmd,
List`1 acceptedProperties, CimInstance nonResourcePropeties, CimInstance resourceConfiguration,
LCMDebugMode debugMode, PSInvocationSettings pSInvocationSettings, UInt32\u0026
resultStatusHandle, Collection`1\u0026 result, ErrorRecord\u0026 errorRecord, PSModuleInfo
localRunSpaceModuleInfo)",
"HelpLink": null,
"Source": "System.Management.Automation",
"HResult": -2146233087
},
"TargetSite": null,
"StackTrace": null,
"HelpLink": null,
"Source": null,
"HResult": -2146233079
},
"TargetObject": null,
"CategoryInfo": {
"Category": 7,
"Activity": "",
"Reason": "InvalidOperationException",
"TargetName": "",
"TargetType": ""
},
"FullyQualifiedErrorId": "ProviderOperationExecutionFailure",
"ErrorDetails": null,
"InvocationInfo": null,
"ScriptStackTrace": null,
"PipelineIterationInfo": [
]
}
FinalState :
InDesiredState : False
InitialState :
InstanceName : Account-Policy
RebootRequested : False
ResourceName : AccountPolicy
StartDate : 11/18/2017 9:35:45 PM
PSComputerName :
Hi @ppandiya the allowed values are 0 - 14. This is documented here - https://technet.microsoft.com/en-us/library/hh994560(v=ws.11).aspx
Would be good if the documentation was updated with this information. Labeling this as help wanted so that someone in the community can run with this.
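The 0-14 limit above is the kind of constraint the resource only discovers when secedit rejects the whole [System Access] block. Below is an added example, not code from the SecurityPolicyDsc module or from anyone in this thread, that checks the desired AccountPolicy values against the accepted ranges before they go anywhere near Start-DscConfiguration, then exports the live policy with secedit and diffs it against the desired values. The key names are the [System Access] names secedit itself uses; the ranges other than the 0-14 password length are assumed from the Local Security Policy GUI limits and are marked as such. Run it in an elevated Windows PowerShell session on the target node.

```powershell
# Added example, not part of the SecurityPolicyDsc module or this issue's configuration.
# Validates desired account-policy values against the ranges Windows accepts, then
# compares them with the current [System Access] values exported by secedit.
# Assumptions: elevated session; limits other than MinimumPasswordLength (0-14 on
# Server 2012 R2, per the TechNet reference linked above) are the GUI limits.

# Desired values, taken from the configuration posted in this thread.
$Desired = @{
    MaximumPasswordAge    = 45    # days
    MinimumPasswordAge    = 1     # days
    MinimumPasswordLength = 16    # characters: above 14, the value that makes Set fail
    LockoutDuration       = 600   # minutes
    LockoutBadCount       = 5     # invalid attempts
    ResetLockoutCount     = 60    # minutes
}

# Accepted ranges (assumed; only the 0-14 password length is documented in this thread).
$Limits = @{
    MaximumPasswordAge    = @{ Min = 0; Max = 999 }    # 0 = never expires
    MinimumPasswordAge    = @{ Min = 0; Max = 998 }
    MinimumPasswordLength = @{ Min = 0; Max = 14 }
    LockoutDuration       = @{ Min = 0; Max = 99999 }  # 0 = locked until an admin unlocks
    LockoutBadCount       = @{ Min = 0; Max = 999 }    # 0 = never lock out
    ResetLockoutCount     = @{ Min = 1; Max = 99999 }
}

function Test-AccountPolicyRange {
    param(
        [System.Collections.IDictionary]$Policy,
        [System.Collections.IDictionary]$Limits
    )
    $problems = New-Object System.Collections.Generic.List[string]
    foreach ($key in $Policy.Keys) {
        $v   = [int]$Policy[$key]
        $lim = $Limits[$key]
        if ($v -lt $lim.Min -or $v -gt $lim.Max) {
            $problems.Add(('{0}={1} is outside the accepted range {2}..{3}' -f $key, $v, $lim.Min, $lim.Max))
        }
    }
    # Cross-field rules secedit enforces too; one bad value fails the whole [System Access] block.
    if ($Policy.MaximumPasswordAge -ne 0 -and $Policy.MinimumPasswordAge -ge $Policy.MaximumPasswordAge) {
        $problems.Add('MinimumPasswordAge must be lower than MaximumPasswordAge')
    }
    if ($Policy.LockoutDuration -ne 0 -and $Policy.ResetLockoutCount -gt $Policy.LockoutDuration) {
        $problems.Add('ResetLockoutCount must not exceed LockoutDuration')
    }
    return $problems
}

function Get-CurrentSystemAccess {
    # Export the live policy (the same data the resource reads) and parse only [System Access].
    $inf = Join-Path $env:TEMP 'current-policy.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $current   = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $current[$Matches[1]] = $Matches[2] }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $current
}

$problems = Test-AccountPolicyRange -Policy $Desired -Limits $Limits
foreach ($p in $problems) { Write-Warning $p }

$current = Get-CurrentSystemAccess
foreach ($key in $Desired.Keys) {
    '{0,-22} current={1,-6} desired={2}' -f $key, $current[$key], $Desired[$key]
}
if ($problems.Count -gt 0) {
    Write-Warning 'Fix the flagged values before Start-DscConfiguration; secedit rejects the whole block, which is why the error above names all three settings.'
}
```

With the thread's values this flags MinimumPasswordLength=16 and prints the current 42-day maximum age next to the desired 45, matching the "Current policy: 42 Desired policy: 45" line in the verbose output.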
@johlju do you think it's feasible to document each and every setting? There is a link in the readme that explains each setting. If the setting is applied in the GUI, it also explains it. To me it makes more sense to add a validate set for that parameter.
Validate set is good. Looking at this, maybe the problem is that the link is in a section header that is the same "size" as the resource name. It feels like the resource only has one parameter, Name.
Maybe it's possible to change it to something like this? Other resource modules use this format.
SecurityOption
For explanation of below settings, please consult Security Policy Reference.
* [String]Name (Key): Name of security option configuration. This is not used during the configuration process but needed to ensure the resource configuration instance is unique.
* [String]Accounts_Administrator_account_status (Write): Please see above link for description and possible values.
* [String]Accounts_Block_Microsoft_accounts (Write): Please see above link for description and possible values.
* [String]Accounts_Administrator_account_status (Write): Please see above link for description. { Enabled | Disabled }
Yeah I like that. It does look more professional.
@johlju
I'm seeing this same issue in the SecurityOption DSC, where options that need to be changed are erroring out with the same error.
Having RTFM, I see that the option of 'Enabled' is valid. I have also confirmed that it's defined in SecurityOptionData.psd1 and MSFT_SecurityOption.schema.mof as a valid option.
DSC Configuration Fragment:
```powershell
Configuration HardeningV2 {
    Import-DscResource -ModuleName @{ModuleName = 'SecurityPolicyDsc'; RequiredVersion = '2.6.0.0'}

    Node localhost {
        SecurityOption SecurityPolicy
        {
            Name = 'SecurityPolicy'
            Devices_Restrict_floppy_access_to_locally_logged_on_user_only = 'Enabled'
        }
    }
}
```
Verbose Output Fragment:
VERBOSE: [SERVER02]: LCM: [ End Set ] [[SecurityOption]SecurityPolicy] in 36.8800 seconds.
PowerShell DSC resource MSFT_SecurityOption failed to execute Set-TargetResource functionality with error message:
Failed to update security option Devices_Restrict_floppy_access_to_locally_logged_on_user_only. Refer to
%windir%\security\logs\scesrv.log for details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
$env:TEMP\SecEdit-Output.txt:
The data is invalid.
The task has completed with an error.
See log %windir%\security\logs\scesrv.log for detail info.
$env:TEMP\securityOptionsToAdd.inf:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
$env:TEMP\SecurityPolicy.inf Fragment:
[Unicode]
Unicode=yes
[System Access]
[Event Audit]
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"0"
[Privilege Rights]
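The resource's own output above ("The data is invalid.") only says that secedit rejected the template. As an added example, not code from the SecurityPolicyDsc module or from the reporter, the script below replays that one [Registry Values] entry through secedit outside DSC, against a scratch database and with its own log file, so the rejection can be read line by line instead of through the LCM's wrapped exception. The INF body is a constructed copy of the securityOptionsToAdd.inf fragment posted above; the /log path is an assumption of this example (the resource itself reports to scesrv.log). Run elevated.

```powershell
# Added example, not part of SecurityPolicyDsc. Applies a single security-option INF
# with secedit directly, mirroring what the resource's Set does, and surfaces secedit's
# output and log lines for that entry. Assumptions: elevated session; scratch db and
# log live under $env:TEMP; the INF body is copied from the fragment in this thread.

$inf   = Join-Path $env:TEMP 'repro-option.inf'
$db    = Join-Path $env:TEMP 'repro-option.sdb'
$myLog = Join-Path $env:TEMP 'repro-option.log'   # assumed path; DSC reports to %windir%\security\logs\scesrv.log

# Constructed to match securityOptionsToAdd.inf as posted: type 1 (REG_SZ), value "1".
$body = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
'@

# secedit templates declare Unicode=yes, so write UTF-16 LE with BOM, not the default ANSI/UTF-8.
Set-Content -Path $inf -Value $body -Encoding Unicode
Remove-Item -Path $db, $myLog -ErrorAction SilentlyContinue

# [Registry Values] belongs to the SECURITYPOLICY area (REGKEYS is for [Registry Keys] ACLs).
$result = & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $myLog 2>&1
$result | ForEach-Object { "secedit: $_" }
"exit code: $LASTEXITCODE"

# Show the log lines that name the entry or an error; this is the detail the DSC error points you to.
if (Test-Path $myLog) {
    Get-Content -Path $myLog |
        Select-String -Pattern 'AllocateFloppies|error|invalid|warning' |
        ForEach-Object { "log: $($_.Line.Trim())" }
}

# Confirm what actually landed in the registry after the run (absent if secedit rejected the template).
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$val = Get-ItemProperty -Path $winlogon -Name AllocateFloppies -ErrorAction SilentlyContinue
"AllocateFloppies now: " + $(if ($val) { $val.AllocateFloppies } else { '<not set>' })

Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
```

Comparing the log lines this produces with the type and value in the template (and with the `=1,"0"` entry secedit wrote to SecurityPolicy.inf on export) narrows the "data is invalid" message to the specific entry, which is what a PR adding validation for the parameter needs.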
I think this is being addressed in #112 @aydeisen can you confirm your PR fixes this problem? Or are you seeing more problems despite the PR you submitted?
I wasn't able to figure out how to validate some of the more free-form parameters. I've contributed what I could to help with this issue in PR #112, but I personally wouldn't consider this issue fully resolved until all parameters have validation attributes
Thanks, I will leave open to be reviewed.
I am also facing the same issue trying to update Security Options policies using the SecurityOption resource. If I change the value in the parameter, it fails. Example: Accounts: Rename administrator account. Windows 7.
@manoj2994 are you saying you are trying to rename the administrator account to "WINDOWS 7"?
Yes