Revoking all privileges with DSC resource Carbon_Privilege doesn't work

Issue #178 resolved
Anonymous created an issue

This is on Carbon 2.1.0.

Basically the Example 2 from Carbon_Privilege documentation doesn't work:

Carbon_Privilege RevokePrivileges
{
    Identity = 'CarbonServiceUser'
    Ensure = 'Absent'
}

Similarly another attempt at revoking all privileges doesn't work either (though in this case it's not clear if it should actually work):

Carbon_Privilege RevokePrivileges
{
    Identity = 'CarbonServiceUser'
    Ensure = 'Present'
    Privilege = @()
}

I'm getting the following exception on both configurations (log obfuscated):

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer AC... with user sid S-1-....
VERBOSE: [AC...]: LCM:  [ Start  Set      ]
VERBOSE: [AC...]: LCM:  [ Start  Resource ]  [[Carbon_Privilege]Privilege::[xBuildAgentsGroup]grp]
VERBOSE: [AC...]: LCM:  [ Start  Test     ]  [[Carbon_Privilege]Privilege::[xBuildAgentsGroup]grp]
VERBOSE: [AC...]: LCM:  [ End    Test     ]  [[Carbon_Privilege]Privilege::[xBuildAgentsGroup]grp]  in 0.1410 seconds.
PowerShell DSC resource Carbon_Privilege  failed to execute Test-TargetResource functionality with error message: PowerShell Desired State Configuration does not support execution of commands in an interactive mode. Please ensure that the underlying command is not prompting for user input, such as missing mandatory parameter, confirmation prompt etc. 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: [AC...]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.953 seconds
PS C:\WINDOWS\system32> $PSVersionTable

Name                           Value                                                                                                                   
----                           -----                                                                                                                   
PSVersion                      5.0.10586.63                                                                                                            
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                 
BuildVersion                   10.0.10586.63                                                                                                           
CLRVersion                     4.0.30319.42000                                                                                                         
WSManStackVersion              3.0                                                                                                                     
PSRemotingProtocolVersion      2.3                                                                                                                     
SerializationVersion           1.1.0.1      

Comments (7)

  1. dbeauchea

    I'm seeing this in 2.4.0.

    One difference between the original bug & what I'm experiencing is that I'm trying to revoke perms on a domain group, and the group already does not have the perms enabled.

    PS C:\Windows\system32> $PSVersionTable; Get-Module -Name Carbon
    
    Name                           Value
    ----                           -----
    PSVersion                      5.0.10586.117
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.10586.117
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1
    
    Name              : Carbon
    Path              : C:\Program Files\WindowsPowerShell\Modules\Carbon\2.4.0\Carbon.psm1
    Description       : Carbon is a PowerShell module for automating the configuration Windows 7, 8, 2008, and 2012 and
                        automation the installation and configuration of Windows applications, websites, and services. It
                        can configure and manage:
    
                         * Local users and groups
                         * IIS websites, virtual directories, and applications
                         * File system, registry, and certificate permissions
                         * Certificates
                         * Privileges
                         * Services
                         * Encryption
                         * Junctions
                         * Hosts file
                         * INI files
                         * Performance counters
                         * Shares
                         * .NET connection strings and app settings
                         * And much more!
    
                        All functions are idempotent: when run multiple times with the same arguments, your system will be
                        in the same state without failing or producing errors.
    Guid              : 075d9444-c01b-48c3-889a-0b3490716fa2
    Version           : 2.4.0
    ModuleBase        : C:\Program Files\WindowsPowerShell\Modules\Carbon\2.4.0
    ModuleType        : Script
    PrivateData       : {PSData}
    AccessMode        : ReadWrite
    ExportedAliases   : {[Add-GroupMembers, Add-GroupMembers], [Add-TrustedHosts, Add-TrustedHosts],
                        [Assert-AdminPrivileges, Assert-AdminPrivileges], [Clear-TrustedHosts, Clear-TrustedHosts]...}
    ExportedCmdlets   : {}
    ExportedFunctions : {[Add-GroupMember, Add-GroupMember], [Add-TrustedHost, Add-TrustedHost], [Assert-AdminPrivilege,
                        Assert-AdminPrivilege], [Assert-FirewallConfigurable, Assert-FirewallConfigurable]...}
    ExportedVariables : {}
    NestedModules     : {}
    PS C:\Users\anadmin\test> gc .\testcarbon.ps1
    Configuration TestCarbon {
            Param (
                    [string] $adminuser,
                    [string] $adminpass
            )
            Import-DSCResource -ModuleName Carbon, PSDesiredStateConfiguration
            Node $AllNodes.NodeName {
                    $secpass = ConvertTo-SecureString $adminpass -AsPlainText -Force
                    $admincred = New-Object System.Management.Automation.PSCredential ($adminuser, $secpass)
    
                    File CreateTestFolder {
                            Ensure = 'Present'
                            Type = 'Directory'
                            DestinationPath = 'C:\TestFolder'
                    }
    
                    Carbon_Permission TestFolderPerms {
                            Identity = 'DOMAIN\User'
                            Path = 'C:\TestFolder'
                            Ensure = 'Absent'
                            #DependsOn = [File]CreateTestFolder
                    }
            }
    }
    
    $confdata =
    @{
            AllNodes = @(
                    @{
                            NodeName = "localhost"
                            PsDscAllowPlainTextPassword = $true
                            PSDscAllowDomainUser = $true
                    }
            )
    }
    PS C:\Users\anadmin\test> . .\testcarbon.ps1
    PS C:\Users\anadmin\test> TestCarbon -adminuser "domain\anadmin" -adminpass "password" -ConfigurationData $confdata
    
    
        Directory: C:\Users\anadmin\test\TestCarbon
    
    
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----       11/15/2016   2:04 PM           2826 localhost.mof
    PS C:\Users\anadmin\test> Start-DscConfiguration -Wait -Path .\TestCarbon -Force -Debug
    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
    SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
    root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer TESTSERVER with user sid
    S-1-5-21-2035199693-1539871568-838266085-3371.
    VERBOSE: [TESTSERVER]: LCM:  [ Start  Set      ]
    VERBOSE: [TESTSERVER]: LCM:  [ Start  Resource ]  [[File]CreateTestFolder]
    VERBOSE: [TESTSERVER]: LCM:  [ Start  Test     ]  [[File]CreateTestFolder]
    VERBOSE: [TESTSERVER]:                            [[File]CreateTestFolder] The destination object was found and no
    action is required.
    VERBOSE: [TESTSERVER]: LCM:  [ End    Test     ]  [[File]CreateTestFolder]  in 0.0160 seconds.
    VERBOSE: [TESTSERVER]: LCM:  [ Skip   Set      ]  [[File]CreateTestFolder]
    VERBOSE: [TESTSERVER]: LCM:  [ End    Resource ]  [[File]CreateTestFolder]
    VERBOSE: [TESTSERVER]: LCM:  [ Start  Resource ]  [[Carbon_Permission]TestFolderPerms]
    VERBOSE: [TESTSERVER]: LCM:  [ Start  Test     ]  [[Carbon_Permission]TestFolderPerms]
    VERBOSE: [TESTSERVER]: LCM:  [ End    Test     ]  [[Carbon_Permission]TestFolderPerms]  in 0.2970 seconds.
    PowerShell DSC resource Carbon_Permission  failed to execute Test-TargetResource functionality with error message:
    PowerShell Desired State Configuration does not support execution of commands in an interactive mode. Please ensure
    that the underlying command is not prompting for user input, such as missing mandatory parameter, confirmation prompt
    etc.
        + CategoryInfo          : InvalidOperation: (:) [], CimException
        + FullyQualifiedErrorId : ProviderOperationExecutionFailure
        + PSComputerName        : localhost
    
    VERBOSE: [TESTSERVER]: LCM:  [ End    Set      ]
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 1
        + PSComputerName        : localhost
    
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.567 seconds
    
  2. Aaron Jensen repo owner

    I just committed a fix. Should be part of 2.4.1 or 2.5.0 when they come out. Don't have a release date yet.

    In the meantime, you can work around it by giving the Permission property a value. It will be ignored by Carbon_Permission and will get you past the error, e.g.

                    Carbon_Permission TestFolderPerms {
                            Identity = 'DOMAIN\User'
                            Path = 'C:\TestFolder'
                            Ensure = 'Absent'
                            Permission = @( 'Read' )
                            #DependsOn = [File]CreateTestFolder
                    }
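
The error text and the workaround above both point at a mandatory parameter that the configuration does not supply. The following is an added example, not part of the thread and not Carbon's code: `Test-DemoResource` and `Get-MissingMandatoryParameter` are hypothetical names, and the assumption is that the resource declares the property as mandatory. It checks a configuration's properties against a function's parameter metadata without ever triggering a prompt.

```powershell
# Added illustration. Test-DemoResource is a hypothetical stand-in for a DSC
# resource's Test-TargetResource; it is not Carbon's source code.
function Test-DemoResource {
    param(
        [Parameter(Mandatory = $true)] [string]   $Identity,
        [Parameter(Mandatory = $true)] [string[]] $Privilege,
        [ValidateSet('Present', 'Absent')] [string] $Ensure = 'Present'
    )
    $true
}

# Return the mandatory parameters of $Command that $Property does not supply.
# A non-interactive caller such as the LCM cannot prompt for these.
function Get-MissingMandatoryParameter {
    param(
        [Parameter(Mandatory = $true)] [string]    $Command,
        [Parameter(Mandatory = $true)] [hashtable] $Property
    )
    $cmd = Get-Command -Name $Command -ErrorAction Stop
    foreach ($p in $cmd.Parameters.Values) {
        $mandatory = $p.Attributes | Where-Object {
            $_ -is [System.Management.Automation.ParameterAttribute] -and $_.Mandatory
        }
        if ($mandatory -and -not $Property.ContainsKey($p.Name)) {
            $p.Name
        }
    }
}

# The two shapes from the report, as property hashtables (constructed input).
$absent = @{ Identity = 'CarbonServiceUser'; Ensure = 'Absent' }
$empty  = @{ Identity = 'CarbonServiceUser'; Ensure = 'Present'; Privilege = @() }

# Shape 1: Privilege is not supplied at all, so it is reported as missing.
Get-MissingMandatoryParameter -Command Test-DemoResource -Property $absent

# Shape 2: in a plain PowerShell call an empty array does not satisfy a
# mandatory parameter; binding fails before the function body runs.
try {
    Test-DemoResource @empty
}
catch [System.Management.Automation.ParameterBindingException] {
    "Binding failed: $($_.Exception.Message)"
}
```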
    