AccountPolicy: Account_lockout_duration Errors when Set to Zero #140

Closed
jeremyhagan opened this issue Dec 13, 2019 · 1 comment · Fixed by #148
jeremyhagan commented Dec 13, 2019

Details of the scenario you tried and the problem that is occurring

I'm trying to use the AccountPolicy resource and if I include any of the Account Lockout settings the application of the resource fails with the error below. The examples don't include these settings, so I am not sure if I got the syntax correct, but it looks the same as other people with issues. I've tried the values with and without quotes.

PowerShell DSC resource MSFT_AccountPolicy failed to execute Set-TargetResource functionality with error message: Failed to update Account
Policy Account_lockout_duration,Reset_account_lockout_counter_after. Refer to %windir%\security\logs\scesrv.log for details.

Verbose logs showing the problem

The log file in question shows:

----Configure Security Policy...
	Configure password information.
Error 87: The parameter is incorrect.
 	Error configuring account lockout information.
Error 1: Incorrect function.
	System Access configuration was completed with one or more errors.

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here
Configuration PasswordPolicy {
    Import-DscResource -ModuleName PsDesiredStateConfiguration
    Import-DscResource -ModuleName AuditPolicyDsc
    Import-DscResource -ModuleName SecurityPolicyDsc
    AccountPolicy AccountPolicies
    {
        Name                                        = 'PasswordPolicies'
        Enforce_password_history                    = 24
        Maximum_Password_Age                        = 42
        Minimum_Password_Age                        = 0
        Minimum_Password_Length                     = 10
        Password_must_meet_complexity_requirements  = 'Enabled'
        Store_passwords_using_reversible_encryption = 'Disabled'
        Account_lockout_duration                    = '0'
        Account_lockout_threshold                   = '5'
        Reset_account_lockout_counter_after         = '30'
    }
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.592
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.592
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

master

@jeremyhagan (Author)

I can confirm that this is the same as Issue 121.

In WS2019 1809, when I configure the local security policy with infinite lockout, then export the policy, the value in the exported inf is -1:

[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 10
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = -1
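
As an added example (not part of the issue or of the SecurityPolicyDsc code), the following PowerShell reads the [System Access] section of an exported policy INF and reports the lockout settings, treating LockoutDuration = -1 as the indefinite lockout described in the comment above. The function names are hypothetical, and the sample INF is constructed from the export shown in the comment.

```powershell
# Sample input, constructed from the exported INF quoted in the comment above.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = -1
'@

function Get-SystemAccessSetting {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$InfText)
    $settings  = @{}
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only collect keys that sit under [System Access]
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^([^=;]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $settings
}

function Test-LockoutPolicy {   # hypothetical helper name
    param([Parameter(Mandatory)][hashtable]$Settings)
    $duration  = [int]$Settings['LockoutDuration']
    $threshold = [int]$Settings['LockoutBadCount']
    $reset     = [int]$Settings['ResetLockoutCount']
    [pscustomobject]@{
        Threshold        = $threshold
        ResetAfter       = $reset
        DurationRaw      = $duration
        # -1 is the value the export above shows for an indefinite lockout
        UntilAdminUnlock = ($duration -eq -1)
        # A timed lockout must last at least as long as the counter reset window
        Consistent       = ($duration -eq -1) -or ($duration -ge $reset)
    }
}

Test-LockoutPolicy -Settings (Get-SystemAccessSetting -InfText $sampleInf)
```

On a live node the same functions can be fed the text of a file produced by `secedit /export /cfg <path> /areas SECURITYPOLICY`.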

@X-Guardian X-Guardian self-assigned this May 15, 2020
@X-Guardian X-Guardian added the in progress The issue is being actively worked on by someone. label May 15, 2020
@X-Guardian X-Guardian changed the title Account lockout policies fail to apply AccountPolicy: Account_lockout_duration Errors when Set to Zero May 15, 2020