[win_lgpo] Causes corrupt Registry.pol file #48782
Comments
Looks like smartscreen configs are the show stopper:
Reverting using this fixes all lgpo consecutive run issues (for certain line items). Although Registry.pol will still need to be fixed (deleted or parsed for deletion if it's in an invalid format state):
example line item that this breaks and fixes:
@lomeroe ^^^
@mike2523 could you possibly share the ADMX/ADML files that have those policies in them with me? The Win10 systems I have access to don't have the policies available...
This is on a Windows 10 ENT Build 1803.
Another SLS that causes issue (this time, gpedit console stopped working when disabled), setting these to
Last one I promise :)
when enabling Download mode via gpedit console first, stops lgpo.get module with error below:
It looks like there are multiple "Configure Windows Defender SmartScreen" policies, but it isn't being caught.
If you use one of the unique policy aliases, do you get the same results, or does it work as expected? Edit to add: you can also test making the updates from this commit, which should resolve both items you've mentioned here (that commit is for 2017.7, so you'll have to patch your 2018.3 version - you won't be able to take the file wholesale)
Using unique policy aliases or non-aliases works just fine, but always results in corrupt registry.pol. Caveat that happens tho is this:
These paths automatically get enabled as well (and vice versa on the above):
I don't know if this automagically enabling the other item is what's causing the corruption... I'll test this out on 2017.7, but worked around this using registry instead for now. Will this be rolled-out to 2018.3 releases? And is the stable release 2017 or 2018?
@mike2523 -- I finally got back to working on this. I think you're hitting multiple issues, some that were corrected (but perhaps not in an actual release yet) and some new ones. Can you test with this version of win_lgpo.py, it is for 2018.3. If it resolves your issue, I'll backport to 2017.7 as well. https://github.com/lomeroe/salt/blob/issue48782_2018.3/salt/modules/win_lgpo.py Let me know if you have any questions/etc.
I get this error when trying out that version:
@mike2523 is that the only error returned? Is the registry.pol file still corrupt? Do you have user rights assignments with a user/group listed that no longer exists? If so, that error would actually be expected (though it shouldn't keep anything from applying)
@mike2523 it's likely that the registry.pol could still be corrupted, I found at least one more issue that could have caused it and pushed another update to the above module version. Please test it out again for me...
My registry.pol is still valid, but still shows up with the trace error on this new update. Trace error happens either on an empty registry.pol file or a valid registry.pol file.
Here's the full output:
Still continues to completion, but error trace every time.
@mike2523 Ok, good deal that the registry.pol is good. User rights assignments aren't stored there, so if only user rights assignment changes are being made, the registry.pol shouldn't be modified. In PR #50006, I changed that code to only log a warning instead of an exception, so the inability to convert the SID to a user/group name shouldn't generate a traceback like that...
@lomeroe Shouldn't it raise an error if it can't resolve the SID? Does it allow you to add a non-existing user/group from the GUI?
@twangboy No, the _sidConversion function is only used when retrieving the existing user rights assignments (they are stored as SIDs) and converting them to the friendly names for display/etc. To grant a user/group a right, it does have to be a valid group (the _usernamesToSidObjects function will error if the user/group name cannot be converted to a SID when attempting to set a right).
@lomeroe Excellent. Thanks for the clarification.
With the merge of #50006 I'm closing this.
Description of Issue/Question
When applying below SLS files, causes Registry.pol to get corrupted. Using LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\Registry.pol to verify. All other consecutive states afterwards will fail with CommandExecutionError: Error while attempting to write Administrative Template Policy data. Some changes may not be applied as expected
Before:
After
Setup and steps to repo
I have tried this line by line to see which of these items is causing this, but this is the only combo that can do this. I don't know what other combo can cause this. Just need to keep a close eye on the changes we make moving forward.
Step1: Delete C:\Windows\System32\GroupPolicy\Machine\Registry.pol, then apply this SLS file first
Step2: Verified that Registry.pol is still valid
Step3: Run this second SLS file:
Step4: Registry.pol file is now corrupt due to Allow Address bar drop-down list suggestions being overwritten by this SLS file:
Versions Report
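The issue checks Registry.pol with LGPO.exe /parse. As an added example (not code from this issue or from Salt), the following Python performs a comparable structural check against the documented PReg layout: an 8-byte header, then `[key;value;type;size;data]` records with UTF-16LE strings and delimiters. The key name and sample bytes are constructed for illustration, and `make_entry` is a hypothetical helper used only to build them.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)  # signature + format version 1

def _text(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError(f"unterminated string at offset {pos}")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    """Require the UTF-16LE delimiter ch at pos."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _dword(buf, pos):
    """Read a little-endian 32-bit value at pos."""
    if pos + 4 > len(buf):
        raise ValueError(f"truncated DWORD at offset {pos}")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_pol(buf):
    """Return [(key, value, type, data)], or raise ValueError if malformed."""
    if buf[:8] != HEADER:
        raise ValueError("missing PReg signature/version header")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _text(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _text(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype, pos = _dword(buf, pos)
        pos = _expect(buf, pos, ";")
        size, pos = _dword(buf, pos)
        pos = _expect(buf, pos, ";")
        if pos + size > len(buf):
            raise ValueError(f"data for {key}\\{value} runs past end of file")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append((key, value, rtype, data))
    return entries

def make_entry(key, value, rtype, data):
    """Build one record (hypothetical helper, only for constructing sample input)."""
    u = lambda s: s.encode("utf-16-le")
    return (u("[") + u(key + "\0;") + u(value + "\0;") + struct.pack("<I", rtype)
            + u(";") + struct.pack("<I", len(data)) + u(";") + data + u("]"))

# Constructed sample: a one-entry policy file with a REG_DWORD (type 4) value.
SAMPLE = HEADER + make_entry(r"Software\Policies\Example", "Enabled", 4, struct.pack("<I", 1))
```

Running `parse_pol` on the machine's Registry.pol bytes before and after each state run shows which state leaves the file unparseable and at what offset.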