UserRightsAssignment: Inconsistent behaviour when mixing local and domain identities #199

@janegilring

Description

Details of the scenario you tried and the problem that is occurring

Scenario:

  • Azure Machine Configuration is used to audit and apply security configurations on all Windows VMs across multiple subscriptions, based on CIS baselines.
  • Target machines are a mix of domain-joined and workgroup-joined machines.
  • The value for the Identity parameter varies depending on which setting is being configured, and can vary with regard to referencing domain groups, domain users, local groups and local users, often a mix.
  • It is desired to have one single configuration per Windows version (e.g. Windows Server 2016, 2019, 2022, 2025).
  • The problem occurs on workgroup machines.

Example 1

Configuration UserRightsAssignment_Basic_Config
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node localhost
    {
        UserRightsAssignment AccessComputerFromNetwork
        {
            Policy   = "Access_this_computer_from_the_network"
            Identity = "contoso\TestGroup1", "Administrator"
            Force    = $true
        }
    }
}

Result:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer ARCBOX-WIN2K22 with user sid S-1-5-21-3581197829-2064084578-1572391879-500.
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Set      ]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Resource ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Test     ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Testing contoso\TestGroup1,Administrator is present on policy Access_this_computer_from_the_network
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Test     ]  [[UserRightsAssignment]AccessComputerFromNetwork]  in 0.5200 seconds.
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Skip   Set      ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Resource ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Set      ]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Set      ]    in  1.0200 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.179 seconds

Example 2

Configuration UserRightsAssignment_Basic_Config
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node localhost
    {
        UserRightsAssignment AccessComputerFromNetwork
        {
            Policy   = "Access_this_computer_from_the_network"
            Identity = "contoso\TestGroup1", "Guests"
            Force    = $true
        }
    }
}

Result:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer ARCBOX-WIN2K22 with user sid S-1-5-21-3581197829-2064084578-1572391879-500.
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Set      ]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Resource ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Test     ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Testing contoso\TestGroup1,Guests is present on policy Access_this_computer_from_the_network
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] BUILTIN\Guests does not have Privilege Access_this_computer_from_the_network
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Test     ]  [[UserRightsAssignment]AccessComputerFromNetwork]  in 0.3050 seconds.
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Set      ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Policy: Access_this_computer_from_the_network. Identity: ARCBOX-WIN2K22\Administrator
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Set      ]  [[UserRightsAssignment]AccessComputerFromNetwork]  in 0.3150 seconds.
PowerShell DSC resource MSFT_UserRightsAssignment  failed to execute Set-TargetResource functionality with error message: Could not convert Identity: contoso\TestGroup1 to SID
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.

Example 3

Configuration UserRightsAssignment_Basic_Config
{
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node localhost
    {
        UserRightsAssignment AccessComputerFromNetwork
        {
            Policy   = "Access_this_computer_from_the_network"
            Identity = "Guests"
            Force    = $true
        }
    }
}

Result:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer ARCBOX-WIN2K22 with user sid S-1-5-21-3581197829-2064084578-1572391879-500.
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Set      ]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Resource ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Test     ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Testing Guests is present on policy Access_this_computer_from_the_network
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] BUILTIN\Guests does not have Privilege Access_this_computer_from_the_network
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Test     ]  [[UserRightsAssignment]AccessComputerFromNetwork]  in 0.5210 seconds.
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ Start  Set      ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Policy: Access_this_computer_from_the_network. Identity: ARCBOX-WIN2K22\Administrator
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Granting Access_this_computer_from_the_network rights to BUILTIN\Guests
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Attempting to Set BUILTIN\Guests for policy Access_this_computer_from_the_network
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Testing Guests is present on policy Access_this_computer_from_the_network
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] Task successfully completed
VERBOSE: [ARCBOX-WIN2K22]:                            [[UserRightsAssignment]AccessComputerFromNetwork] BUILTIN\Guests successfully given rights to Access_this_computer_from_the_network policy
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Set      ]  [[UserRightsAssignment]AccessComputerFromNetwork]  in 1.5040 seconds.
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Resource ]  [[UserRightsAssignment]AccessComputerFromNetwork]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Set      ]
VERBOSE: [ARCBOX-WIN2K22]: LCM:  [ End    Set      ]    in  2.5390 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.703 seconds

Suggested solution to the issue

Update the logic which resolves identities to detect domain membership and ignore domain identities when the machine is not domain-joined.

The operating system the target node is running

OsName               : Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
CsWorkgroup          : WORKGROUP

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.20348.2849
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2849
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

2.10.0.0
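The resolver behaviour the issue asks for, written out as a stand-alone PowerShell function. This is an added example, not code from SecurityPolicyDsc; it assumes identities use the DOMAIN\Name form and treats a prefix equal to the local computer name, BUILTIN, NT AUTHORITY, NT SERVICE or "." as local. It also translates every remaining identity to a SID up front, so an unresolvable one is reported instead of failing inside Set-TargetResource as in Example 2, or passing silently as in Example 1.

```powershell
# Added example (not part of SecurityPolicyDsc): filter a UserRightsAssignment
# Identity list down to what can actually be resolved on this machine.
function Get-ApplicableIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Identity
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDomainJoined = [bool] $cs.PartOfDomain
    # Prefixes that always refer to local principals (assumption for this example).
    $localPrefixes = @($env:COMPUTERNAME, 'BUILTIN', 'NT AUTHORITY', 'NT SERVICE', '.')

    foreach ($id in $Identity) {
        $prefix = $null
        if ($id -match '^(?<prefix>[^\\]+)\\(?<name>.+)$') {
            $prefix = $Matches['prefix']
        }

        # Unqualified names ("Guests", "Administrator") resolve locally; only a
        # non-local prefix marks a domain identity.
        $isDomainIdentity = [bool] $prefix -and ($localPrefixes -notcontains $prefix)

        if ($isDomainIdentity -and -not $isDomainJoined) {
            Write-Verbose "Skipping '$id': $env:COMPUTERNAME is in workgroup '$($cs.Workgroup)', domain identities cannot be resolved here"
            continue
        }

        # Even on a domain-joined node, confirm the account maps to a SID so the
        # caller learns about a typo or a deleted group before any right is changed.
        try {
            $sid = ([System.Security.Principal.NTAccount] $id).Translate([System.Security.Principal.SecurityIdentifier])
            Write-Verbose "'$id' resolves to $($sid.Value)"
            $id
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Warning "'$id' does not resolve on $env:COMPUTERNAME; skipping"
        }
    }
}

# Example 2 from the issue, run on a workgroup machine: contoso\TestGroup1 is
# dropped with a verbose message and only 'Guests' is returned.
Get-ApplicableIdentity -Identity 'contoso\TestGroup1', 'Guests' -Verbose
```

Because a compiled MOF is distributed unchanged to every assigned node, this check has to run on the target node (inside the resource, as the suggested solution proposes), not at configuration compile time.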
