SecurityPolicyDsc icon indicating copy to clipboard operation
SecurityPolicyDsc copied to clipboard
verified publisher icon dsccommunity

UserRightsAssignment : Multiple identities don't work when using "Force"

Open mmtechconsulting opened this issue 2 years ago • 1 comments

Details of the scenario you tried and the problem that is occurring

So i am applying Microsoft Security Baseline and i have got User rights assignments like :

(EXAMPLE 1)

   UserRightsAssignment Impersonateaclientafterauthentication 
   {
      Policy       = 'Impersonate_a_client_after_authentication'
      Identity     = 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

(EXAMPLE 2) }

   UserRightsAssignment Increaseschedulingpriority 
   {
      Policy       = 'Increase_scheduling_priority'
      Identity     = 'Users'
	   Force    = $true
   }

On the second example observe that i have "Force = $True". That works perfectly if there is only one identity involved. The module will set that without issue.

On EXAMPLE1 if i add force, the script will fail. If i leave it as it is and change an identity DSC will report compliance even though Local Sec Pol will not reflect any change

So lets for example take this setting : This is the default out of the box image

This is now my script 👍 image

I have added the "Force" into it and i compiled it to .mof

then i run it:

image

Is this how it is supposed to work or i am missing something here?

Another example image I removed all the groups from there

then run my script that contains:

image

Did check for compliance using : Test-DscConfiguration -Detailed | ft ResourcesNotInDesiredState image

and all seems ok, however if i switch back to the gui and hit "reload" there is nothing there image

So to double check i did a SecEdit.exe /export /areas USER_RIGHTS /cfg C:\t\u.txt and looked into the file to see if SeRemoteShutdownPrivilege is there and it is actually not.

I am a bit lost to be honest. Everything else seems to be working ok, however User Rights Assignment are a bit quirky and hit and miss.

Verbose logs showing the problem

Suggested solution to the issue

i have none!

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

OsName : Microsoft Windows Server 2022 Standard OsOperatingSystemSKU : StandardServerEdition OsArchitecture : 64-bit WindowsVersion : 2009 WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500 OsLanguage : en-US OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

Name Value

PSVersion 5.1.20348.1 PSEdition Desktop PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...} BuildVersion 10.0.20348.1 CLRVersion 4.0.30319.42000 WSManStackVersion 3.0 PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1

Version of the DSC module that was used

mmtechconsulting avatar Apr 18 '23 19:04 mmtechconsulting