win_lgpo: User Rights Assignment policies #48661

Closed
mike2523 opened this issue Jul 18, 2018 · 3 comments

@mike2523
commented Jul 18, 2018

When making changes, or when changes are required, it always returns True, but no change happened. User rights assignments exist in Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment

Before: (using lgpo.get machine)

Backup files and directories:
     - BUILTIN\Backup Operators
     - BUILTIN\Administrators

in SLS file:

user_rights_assignments:
  lgpo.set:
    - computer_policy:
        "Backup files and directories":
            - BUILTIN\Administrators

output:

----------
          ID: user_rights_assignments
    Function: lgpo.set
      Result: True
     Comment:
     Started: 13:20:04.467000
    Duration: 38200.0 ms
     Changes:

Summary for local
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:  38.200 s

Result is same as before using lgpo.get

        Backup files and directories:
            - BUILTIN\Backup Operators
            - BUILTIN\Administrators

secedit /export looks the same as before:

SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551

If an item is already in the desired state, STDOUT says the proper comment field:

local:
----------
          ID: user_rights_assignments
    Function: lgpo.set
      Result: True
     Comment: "Take ownership of files and other objects" is already set."Profile single process" is already set.
     Started: 11:31:31.307000
    Duration: 44233.0 ms
     Changes:

Summary for local
------------
Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: 1.10.0
       cherrypy: 10.2.1
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.3
          ioflo: Not Installed
         Jinja2: 2.9.6
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.6
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.14 (v2.7.14:84471935ed, Sep 16 2017, 20:25:58) [MSC v.1500 64 bit (AMD64)]
   python-gnupg: 0.4.1
         PyYAML: 3.12
          PyZMQ: 16.0.3
           RAET: Not Installed
          smmap: 2.0.3
        timelib: 0.2.4
        Tornado: 4.5.1
            ZMQ: 4.1.6

System Versions:
           dist:
         locale: cp1252
        machine: AMD64
        release: 10
         system: Windows
        version: 10 10.0.17134  Multiprocessor Free
@garethgreenaway

Member

commented Jul 19, 2018

@twangboy @dwoz Thoughts?

@mike2523

Author

commented Jul 20, 2018

Another observation that may narrow down TS. This observation happens on sporadic line items in local gpedit(s). In this particular example, it's in Windows Updates.

SLS file:

select_when_quality_updates_are_received:
  lgpo.set:
    - computer_policy:
        "Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received":
            "After a quality update is released, defer receiving it for this many days": 0
            "Pause Quality Updates starting": ''

When above setting is already in desired state:

local:
----------
          ID: select_when_quality_updates_are_received
    Function: lgpo.set
      Result: True
     Comment: "Windows Components\Windows Update\Windows Update for Business\Select when Quality Updates are received" is already set.
     Started: 14:31:07.535000
    Duration: 14941.0 ms
     Changes:

Summary for local
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:  14.941 s

When changes are needed:

local:
----------
          ID: select_when_quality_updates_are_received
    Function: lgpo.set
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "C:\salt\bin\lib\site-packages\salt\state.py", line 1905, in call
                  **cdata['kwargs'])
                File "C:\salt\bin\lib\site-packages\salt\loader.py", line 1830, in wrapper
                  return f(*args, **kwargs)
                File "C:\salt\bin\lib\site-packages\salt\states\win_lgpo.py", line 306, in set_
                  adml_language=adml_language)
                File "C:\salt\bin\lib\site-packages\salt\modules\win_lgpo.py", line 5556, in set_
                  raise CommandExecutionError(msg)
              CommandExecutionError: Error while attempting to write Administrative Template Policy data.  Some changes may not be applied as expected
     Started: 14:31:52.245000
    Duration: 32197.0 ms
     Changes:

Summary for local
------------
Succeeded: 0
Failed:    1
------------
Total states run:     1
Total run time:  32.197 s
@lomeroe

Contributor

commented Oct 4, 2018

@mike2523 User rights assignments are cumulative by default (think you already know this based on #49582), so if you're wanting to remove Backup Operators (i.e. only grant the users in your state the rights), you'll have to do:

user_rights_assignments:
  lgpo.set:
    - computer_policy:
        "Backup files and directories":
            - BUILTIN\Administrators
    - cumulative_rights_assignments: False

I will look at the comment output though.
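
The cumulative behaviour described in the reply above, modelled as an added example; it is not Salt's win_lgpo code and not part of the original thread. It parses the `secedit /export` line quoted in the issue, shows why the state reports no changes when `cumulative_rights_assignments` is left at its default, and flags principals that hold the right but are not in the desired list. The function names and the SID-to-name table are assumptions made for the example.

```python
# Added example: a model of the cumulative vs. replace semantics described in
# the thread. Function names are hypothetical; this is not Salt's implementation.

# Well-known SIDs for the two groups that appear in the issue.
WELL_KNOWN = {
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-551": r"BUILTIN\Backup Operators",
}

def parse_privilege_rights(inf_text):
    """Parse 'SeXxx = *SID,*SID' lines from secedit /export text."""
    rights = {}
    for line in inf_text.splitlines():
        name, sep, value = line.partition("=")
        if not sep or not name.strip().startswith("Se"):
            continue  # section headers and unrelated lines
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        rights[name.strip()] = {WELL_KNOWN.get(s, s) for s in sids}
    return rights

def plan_assignment(current, desired, cumulative=True):
    """Return (resulting holders, added, removed) for one user right."""
    desired = set(desired)
    # Cumulative mode only ever adds; replace mode makes the list exact.
    result = current | desired if cumulative else desired
    return result, result - current, current - result

def unexpected_holders(current, allowed):
    """Audit check: principals holding the right that are not in the allow list."""
    return sorted(current - set(allowed))

# Constructed sample input built from the line quoted in the issue.
SAMPLE_EXPORT = (
    "[Privilege Rights]\n"
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551\n"
)

if __name__ == "__main__":
    current = parse_privilege_rights(SAMPLE_EXPORT)["SeBackupPrivilege"]
    wanted = [r"BUILTIN\Administrators"]
    for mode in (True, False):
        result, added, removed = plan_assignment(current, wanted, cumulative=mode)
        print("cumulative=%s holders=%s added=%s removed=%s"
              % (mode, sorted(result), sorted(added), sorted(removed)))
    print("unexpected holders:", unexpected_holders(current, wanted))
```

`secedit /export` normally writes its file as UTF-16, so decode it with that encoding before passing the text to `parse_privilege_rights`.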
