This repository has been archived by the owner on Jun 14, 2024. It is now read-only.

User: Test-TargetResource throws System.InvalidOperationException when defined user lacks permissions #116

Closed
djwork opened this issue Oct 5, 2018 · 2 comments
Labels
stale The issue or pull request was marked as stale because there hasn't been activity from the community.

djwork commented Oct 5, 2018

User: Test-TargetResource throws System.InvalidOperationException when defined user lacks permissions

  • Observations

    • Used the User DSCR to create a local user 'NoGroupTest' on the target node (see Example Configuration below), when the example configuration is initially applied there are no errors in the console or Microsoft-Windows-DSC/Operational.
    • However once the LCM auto applies the current config (or a user runs: Start-DscConfiguration -UseExisting -Force -Wait) the LCM will report exceptions thrown by User: Test-TargetResource (see Error Events below)
    • Traced the exception down to the helper function MSFT_UserResource\Test-UserPasswordOnFullSku specifically the call to ValidateCredentials method of the class System.DirectoryServices.AccountManagement.PrincipalContext
    • Tried workarounds like adding the test user to the local admin group but that made no difference
  • Error Events

Log Name:      Microsoft-Windows-DSC/Operational
Source:        Microsoft-Windows-DSC
Date:          05/10/2018 09:06:21
Event ID:      4252
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      
Description:
Job {08D1E018-C82A-11E8-A2D7-00505696187A} : 
MIResult: 1
Error Message: PowerShell DSC resource MSFT_UserResource  failed to execute Test-TargetResource functionality with error message: System.InvalidOperationException: There could be a possible multiple matches exception while trying to use the System.DirectoryServices API's.Exception calling "ValidateCredentials" with "2" argument(s): "Logon failure: the user has not been granted the requested logon type at this computer.
" 
Message ID: ProviderOperationExecutionFailure
Error Category: 7
Error Code: 1
Error Type: MI
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DSC" Guid="{50DF9E12-A8C4-4939-B281-47E1325BA63E}" />
    <EventID>4252</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-04T23:06:21.635428100Z" />
    <EventRecordID>123440</EventRecordID>
    <Correlation ActivityID="{E4FEAFC0-5B98-0001-77E8-50E5985BD401}" />
    <Execution ProcessID="5856" ThreadID="6104" />
    <Channel>Microsoft-Windows-DSC/Operational</Channel>
    <Computer></Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="JobId">{08D1E018-C82A-11E8-A2D7-00505696187A}</Data>
    <Data Name="MIResult">1</Data>
    <Data Name="ErrorMessage">PowerShell DSC resource MSFT_UserResource  failed to execute Test-TargetResource functionality with error message: System.InvalidOperationException: There could be a possible multiple matches exception while trying to use the System.DirectoryServices API's.Exception calling "ValidateCredentials" with "2" argument(s): "Logon failure: the user has not been granted the requested logon type at this computer.
" </Data>
    <Data Name="MessageID">ProviderOperationExecutionFailure</Data>
    <Data Name="ErrorCategory">7</Data>
    <Data Name="ErrorCode">1</Data>
    <Data Name="ErrorType">MI</Data>
  </EventData>
</Event>

Log Name:      Microsoft-Windows-DSC/Operational
Source:        Microsoft-Windows-DSC
Date:          05/10/2018 09:06:21
Event ID:      4097
Task Category: Send configuration scenario for Local configuration manager
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      
Description:
Job {08D1E018-C82A-11E8-A2D7-00505696187A} : 
This event indicates that failure happens when LCM is processing the configuration. Error Id is 0x1. Error Detail is The SendConfigurationApply function did not succeed.. Resource Id is [User]NoGroupTestUser and Source Info is C:\temp\test.ps1::390::5::User. Error Message is PowerShell DSC resource MSFT_UserResource  failed to execute Test-TargetResource functionality with error message: System.InvalidOperationException: There could be a possible multiple matches exception while trying to use the System.DirectoryServices API's.Exception calling "ValidateCredentials" with "2" argument(s): "Logon failure: the user has not been granted the requested logon type at this computer.
" .
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DSC" Guid="{50DF9E12-A8C4-4939-B281-47E1325BA63E}" />
    <EventID>4097</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-04T23:06:21.635417100Z" />
    <EventRecordID>123439</EventRecordID>
    <Correlation ActivityID="{E4FEAFC0-5B98-0001-77E8-50E5985BD401}" />
    <Execution ProcessID="5856" ThreadID="6104" />
    <Channel>Microsoft-Windows-DSC/Operational</Channel>
    <Computer></Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="JobId">{08D1E018-C82A-11E8-A2D7-00505696187A}</Data>
    <Data Name="ComponentName">LCM</Data>
    <Data Name="ErrorId">0x1</Data>
    <Data Name="ErrorDetail">The SendConfigurationApply function did not succeed.</Data>
    <Data Name="ResourceId">[User]NoGroupTestUser</Data>
    <Data Name="SourceInfo">C:\temp\test.ps1::390::5::User</Data>
    <Data Name="ErrorMessage">PowerShell DSC resource MSFT_UserResource  failed to execute Test-TargetResource functionality with error message: System.InvalidOperationException: There could be a possible multiple matches exception while trying to use the System.DirectoryServices API's.Exception calling "ValidateCredentials" with "2" argument(s): "Logon failure: the user has not been granted the requested logon type at this computer.
" </Data>
  </EventData>
</Event>

  • Example Configuration

#Requires -Version 5.1
#Requires -RunAsAdministrator

Set-Location $env:TEMP

Configuration TestConfiguration
{
  param
  (
    [string[]]$NodeName = 'localhost',
    [Parameter(Mandatory = $true)]
    [System.Management.Automation.PSCredential]$Creditial
  )

  Import-DscResource -ModuleName PSDscResources
  
  Node $NodeName
  {
    User NoGroupTestUser {
      UserName = 'NoGroupTest'
      Description = 'NoGroupTest'
      Password = $Creditial
      PasswordChangeNotAllowed = $true
      PasswordChangeRequired = $false
      PasswordNeverExpires = $true
      Disabled = $false
      Ensure = 'Present'
    }    
  }
}

$configData = @{
  AllNodes = @(
      @{
          NodeName             = 'localhost';
          PSDscAllowDomainUser = $true
          PSDscAllowPlainTextPassword = $true
      }
  )
}

Add-Type -AssemblyName System.web
[securestring]$testPassword = ConvertTo-SecureString -String ([system.web.security.membership]::GeneratePassword(14, 2)) -AsPlainText -Force -ErrorAction Stop
try {
  [pscredential]$testCredital = [pscredential]::new('NoGroupTest', $testPassword)
}
catch {
  #for some reason I have to catch and rethrow the exception to get the script to break on exception
  throw $_
}

TestConfiguration -Creditial $testCredital -ConfigurationData $configData 

Start-DscConfiguration -Path .\TestConfiguration -Verbose -Wait -Force -ErrorAction Stop

# Start-DscConfiguration -UseExisting -Force -Wait

[DSCLocalConfigurationManager()]
configuration LCMConfig
{
    Node localhost
    {
        Settings
        {
            RefreshMode = 'Push'
            ConfigurationMode = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $true            
        }
    }
}

LCMConfig

Set-DscLocalConfigurationManager -Path .\LCMConfig -ErrorAction Stop
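
Added example (not part of the original issue or the PSDscResources code): a PowerShell helper that correlates the two failure events reported above (IDs 4252 and 4097) by JobId and pulls out the affected resource, the failing call and the reason. The function name `ConvertFrom-DscFailureEvent` is hypothetical, and the sample XML is constructed by trimming the events in this issue.

```powershell
# Added example, not from the issue or PSDscResources. ConvertFrom-DscFailureEvent
# is a hypothetical helper; the XML is constructed by trimming the events above.
$err = 'PowerShell DSC resource MSFT_UserResource  failed to execute ' +
    'Test-TargetResource functionality with error message: Exception calling ' +
    '"ValidateCredentials" with "2" argument(s): "Logon failure: the user has ' +
    'not been granted the requested logon type at this computer."'
$ns    = 'http://schemas.microsoft.com/win/2004/08/events/event'
$jobId = '{08D1E018-C82A-11E8-A2D7-00505696187A}'
$sampleEvents = @(
    "<Event xmlns='$ns'><System><EventID>4252</EventID></System><EventData>" +
    "<Data Name='JobId'>$jobId</Data><Data Name='ErrorMessage'>$err</Data></EventData></Event>"
    "<Event xmlns='$ns'><System><EventID>4097</EventID></System><EventData>" +
    "<Data Name='JobId'>$jobId</Data><Data Name='ResourceId'>[User]NoGroupTestUser</Data>" +
    "<Data Name='ErrorMessage'>$err</Data></EventData></Event>"
)

function ConvertFrom-DscFailureEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    begin { $jobs = [ordered]@{} }
    process {
        $evt  = ([xml]$EventXml).Event
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText.Trim() }
        $id = $data['JobId']
        if (-not $jobs.Contains($id)) {
            $jobs[$id] = [ordered]@{ JobId = $id; ResourceId = $null; FailedCall = $null
                                     Reason = $null; EventIds = @() }
        }
        $job = $jobs[$id]
        # local-name() keeps the lookup independent of the default XML namespace.
        $job.EventIds += [int]$evt.System.SelectSingleNode("*[local-name()='EventID']").InnerText
        if ($data['ResourceId']) { $job.ResourceId = $data['ResourceId'] }   # only event 4097 has it
        if ($data['ErrorMessage'] -match 'Exception calling "(?<call>\w+)".*?:\s*"(?<reason>[^"]+)"') {
            $job.FailedCall = $Matches.call
            $job.Reason     = $Matches.reason.Trim()
        }
    }
    end { $jobs.Values | ForEach-Object { [pscustomobject]$_ } }
}

$sampleEvents | ConvertFrom-DscFailureEvent

# Live use on a node:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DSC/Operational'; Id = 4252, 4097 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-DscFailureEvent
```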

stale bot commented Nov 4, 2018

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g. bug, enhancement, documentation, or tests) then the issue will not auto-close.

@stale stale bot added the stale The issue or pull request was marked as stale because there hasn't been activity from the community. label Nov 4, 2018

stale bot commented Dec 14, 2018

This issue has been automatically closed because it has not had activity from the community in the last 40 days.

@stale stale bot closed this as completed Dec 14, 2018