PowerShellExecutionPolicy doesn't allow multiple 'CurrentUser' assignments #394

Open
kfsone opened this issue Oct 30, 2022 · 3 comments
Labels
breaking change When used on an issue, the issue has been determined to be a breaking change. enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.

Comments

kfsone commented Oct 30, 2022

Problem description

PowerShell 5.1 DSC doesn't allow you to specify the same ExecutionPolicy for ExecutionPolicyScope 'CurrentUser' but different PsRunAsCredentials, meaning you can't assign it to multiple specific users.

Verbose logs

Test-ConflictingResources : A conflict was detected between resources '[PowerShellExecutionPolicy]Builder (::8::5::PowerShellExecutionPolicy)' and '[PowerShellExecutionPolicy]Publisher
(::9::5::PowerShellExecutionPolicy)' in node 'localhost'. Resources have identical key properties but there are differences in the following non-key properties: 'PsDscRunAsCredential'.
Values 'System.Management.Automation.PSCredential' don't match values 'System.Management.Automation.PSCredential'. Please update these property values so that they are identical in both
cases.
At line:289 char:9
+         Test-ConflictingResources $keywordName $canonicalizedValue $k ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : ConflictingDuplicateResource,Test-ConflictingResources
Compilation errors occurred while processing configuration 'FailSample'. Please review the errors reported in error stream and modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (FailSample:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

DSC configuration

Configuration FailSample
{
  Param([Parameter(Mandatory)][PSCredential]$Builder, [Parameter(Mandatory)][PSCredential]$Publisher)
  Import-DscResource -ModuleName ComputerManagementDsc
  Node localhost
  {
    # Both instances share ExecutionPolicyScope='CurrentUser' and differ only in PsDscRunAsCredential
    PowerShellExecutionPolicy Builder { ExecutionPolicy='RemoteSigned'; ExecutionPolicyScope='CurrentUser'; PsDscRunAsCredential = $Builder }
    PowerShellExecutionPolicy Publisher { ExecutionPolicy='RemoteSigned'; ExecutionPolicyScope='CurrentUser'; PsDscRunAsCredential = $Publisher }
  }
}

FailSample -Verbose -ConfigurationData:@{AllNodes=@(@{NodeName='localhost'; PsDscAllowPlainTextPassword=$true})}

Suggested solution

Add PowerShellUserExecutionPolicy which doesn't take scope and requires a credential.

PowerShellUserExecutionPolicy Builder
{
  ExecutionPolicy = 'RemoteSigned' ; Credential = $builder
}
PowerShellUserExecutionPolicy Publisher
{
  ExecutionPolicy = 'RemoteSigned' ; Credential = $publisher
}

Operating system the target node is running

OsName               : Microsoft Windows 10 Pro
OsOperatingSystemSKU : 48
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

PSVersion                      5.1.19041.1682
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1682
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

ComputerManagementDsc version

Name                  Version Path
----                  ------- ----
ComputerManagementDsc 8.5.0   C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\8.5.0\ComputerManagementDsc.psd1

kfsone commented Oct 30, 2022

In my case, we already have machine and user policies; these two users have a need to specifically allow different policies unique to their two accounts. Not sure what the point of specifying a run-as credential is, if using different credentials doesn't change who 'CurrentUser' is.


johlju commented Dec 20, 2022

Would it be possible to make a composite resource that adds a property Credential as key property? The credential property could then maybe be added to PsDscRunAsCredential? 🤔 If that works we would not need to make a breaking change.

@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. breaking change When used on an issue, the issue has been determined to be a breaking change. labels Dec 20, 2022

kfsone commented Jan 28, 2023

(Just playing catch up after a very hectic "holiday", heh)

That's not possible because Credential just isn't part of the underlying separators, so the composite would simply cause the problem - at least, my attempts to make one seemed to bear this out.
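
The compile error in the verbose log is about resource identity: declarations whose key-property values match are treated as the same resource, so a differing non-key property such as PsDscRunAsCredential is reported as a conflict. The sketch below is an added example, not code from this thread or from the PSDesiredStateConfiguration module; `Find-ResourceConflict` is a hypothetical helper, the declarations and account names are constructed, and it assumes ExecutionPolicyScope is the only key property of PowerShellExecutionPolicy and that the proposed resource would key on Credential.

```powershell
# Simplified model of duplicate-resource detection (illustration only).
function Find-ResourceConflict {
    param(
        [Parameter(Mandatory)][hashtable[]]$Resource,  # constructed declarations
        [Parameter(Mandatory)][string[]]$KeyProperty   # assumed key properties
    )
    $ignore = @('Type', 'Name') + $KeyProperty
    $seen = @{}
    foreach ($r in $Resource) {
        # Identity = resource type plus the values of the key properties only.
        $keyValues = $KeyProperty | ForEach-Object { "$_=$($r[$_])" }
        $id = $r.Type + '|' + ($keyValues -join ';')
        if (-not $seen.ContainsKey($id)) { $seen[$id] = $r; continue }

        # Same identity declared twice: every other property must match.
        $first = $seen[$id]
        $names = @($r.Keys) + @($first.Keys) | Sort-Object -Unique
        $diff = @($names | Where-Object { ($_ -notin $ignore) -and ($r[$_] -ne $first[$_]) })
        if ($diff.Count -gt 0) {
            [pscustomobject]@{
                First             = $first.Name
                Second            = $r.Name
                NonKeyDifferences = $diff -join ','
            }
        }
    }
}

# Constructed stand-ins for the two declarations in the issue; the run-as
# account is a plain string here instead of a PSCredential.
$current = @(
    @{ Type = 'PowerShellExecutionPolicy'; Name = 'Builder'; ExecutionPolicyScope = 'CurrentUser'
       ExecutionPolicy = 'RemoteSigned'; PsDscRunAsCredential = 'EXAMPLE\builder' }
    @{ Type = 'PowerShellExecutionPolicy'; Name = 'Publisher'; ExecutionPolicyScope = 'CurrentUser'
       ExecutionPolicy = 'RemoteSigned'; PsDscRunAsCredential = 'EXAMPLE\publisher' }
)
# The shape proposed in the issue, with the account as part of the identity.
$proposed = @(
    @{ Type = 'PowerShellUserExecutionPolicy'; Name = 'Builder'
       ExecutionPolicy = 'RemoteSigned'; Credential = 'EXAMPLE\builder' }
    @{ Type = 'PowerShellUserExecutionPolicy'; Name = 'Publisher'
       ExecutionPolicy = 'RemoteSigned'; Credential = 'EXAMPLE\publisher' }
)

# One conflict: Builder/Publisher differ only in PsDscRunAsCredential.
Find-ResourceConflict -Resource $current -KeyProperty 'ExecutionPolicyScope'
# No output: the account distinguishes the two instances.
Find-ResourceConflict -Resource $proposed -KeyProperty 'Credential'
```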
