Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UserRightsAssignment: Allow unresolvable SIDs found in local security policy #161

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

UserRightsAssignment: Allow unresolvable SIDs found in local security policy #161

wants to merge 5 commits into from

Conversation

ShawnHardwick
Copy link

@ShawnHardwick ShawnHardwick commented Mar 30, 2021
edited
Loading

Pull Request (PR) description

Do not attempt to translate identities returned by local security policy when setting the resource. If the identity returned is an unresolvable SID (usually due to deleted/orphaned AD objects), then the resource will throw a translation error.

I also thought of changing the ConvertTo-NTAccount function to never throw but instead log verbosely for all scope types, but felt that the implementation in this PR was more precise.

SecurityPolicyDsc/source/Modules/SecurityPolicyResourceHelper/SecurityPolicyResourceHelper.psm1

Lines 369 to 377 in b29bdf8

if ($Scope -eq 'Get')
{
Write-Verbose -Message ($script:localizedData.ErrorSidTranslation -f $sidId, $Policy)
$result += $sidId.Value
}
else
{
throw "$($script:localizedData.ErrorSidTranslation -f $sidId, $Policy)"
}

The resource will still translate any identities given to the resource by the user.

Neither secedit nor Windows care about the presence of unresolved SIDs in a security policy. During a configure operation (secedit.exe /configure), secedit will happily accept either style in the .inf file. It will also accept and de-duplicate security principals that are specified as an account name and SID in the same line item under the [Privileges] section.

First attempt at using Pester unit testing before. I don't have a way to test locally due to permission restrictions.

This Pull Request (PR) fixes the following issues

Task list

  • Added an entry to the change log under the Unreleased section of the file CHANGELOG.md.
    Entry should say what was changed and how that affects users (if applicable), and
    reference the issue being resolved (if applicable).
  • Resource documentation added/updated in README.md.
  • Resource parameter descriptions added/updated in README.md, schema.mof and comment-based
    help.
  • Comment-based help added/updated.
  • Localization strings added/updated in all localization files as appropriate.
  • Examples appropriately added/updated.
  • Unit tests added/updated. See DSC Community Testing Guidelines.
  • Integration tests added/updated (where possible). See DSC Community Testing Guidelines.
  • New/changed code adheres to DSC Community Style Guidelines.

This change is Reviewable

Shawn Hardwick added 4 commits March 30, 2021 13:57
Remove conversion of user rights identities when setting user rights …
811082d 
…resource; Unresolvable SIDs found on local machine would cause resource to fail. During a configure operation (secedit.exe /configure), secedit will happily accept either style in the .inf file. It will also accept and de-duplicate security principals that are specified as an account name and SID in the same line item under the [Privileges] section.
Update CHANGELOG.md
38883c1
Add unit tests
59aef67
Fix unit test for unresolvable SIDs
52b8200
@codecov
Copy link

codecov bot commented Mar 31, 2021
edited
Loading

Codecov Report

Merging #161 (620a4ef) into master (44acc25) will increase coverage by 0%.
The diff coverage is 66%.

Impacted file tree graph

@@          Coverage Diff          @@
##           master   #161   +/-   ##
=====================================
  Coverage      89%    89%           
=====================================
  Files           5      5           
  Lines         577    579    +2     
=====================================
+ Hits          517    520    +3     
+ Misses         60     59    -1

@ShawnHardwick
Copy link
Author

I believe this PR is ready for review. It is my understanding that the currently failing CI tests are not related to my PR.

@ShawnHardwick
Copy link
Author

Is there anything missing that I need to address to have this reviewed?

@jdwhited
Copy link

Can this be reviewed for merge? I would like to utilize this. Thanks!

@gaelcolas gaelcolas closed this May 20, 2021
@gaelcolas gaelcolas reopened this May 20, 2021
@gaelcolas
Copy link
Member

I've just kicked another build to check, but please make sure all the test pass for starter.
I think some High Quality Resource Modules were not passing.

@gaelcolas
Copy link
Member

Ok they're passing.
@bcwilhite could you check this PR please and review the proposal please?

@ShawnHardwick
Copy link
Author

Still looking to get this reviewed. :)

@jdwhited
Copy link

jdwhited commented Jul 9, 2021

Can this be reviewed please?

@jdwhited
Copy link

Bump.... Would really like to see this merged.

@japatton
Copy link

japatton commented Dec 2, 2021

Bump for release.

@ShawnHardwick
Copy link
Author

Still looking for someone to review this lol. We've forked this internally, but would see benefit in having this merged.

@gaelcolas
Copy link
Member

Will bump this in the #DSC channel of the PowerShell slack/discord

@ghost
Copy link

ghost commented Feb 14, 2023

Hi there. Any updates on this? Facing the same problem.

@ghost
Copy link

ghost commented Feb 23, 2023

We're hitting the same problem also, would be good to get a fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@ShawnHardwick @jdwhited @gaelcolas @japatton