Skip to content
This repository has been archived by the owner on Jun 14, 2024. It is now read-only.

Service : can't set local account like NT SERVICE\MsDtsServer110 #108

Closed
Francois-Rousseau opened this issue Jul 5, 2018 · 7 comments
Closed
Labels
needs more information The issue needs more information from the author or the community. stale The issue or pull request was marked as stale because there hasn't been activity from the community.

Comments

@Francois-Rousseau
Copy link

Using Service Resource, I'm not able to set services with local account like NT SERVICE\MsDtsServer110, with no password:

  • I can't create a credential with an empty password (is it a way of doing that?)
  • If I create a dummy password, it's trying to validate the credential and I got this error :
    PowerShell DSC resource MSFT_ServiceResource failed to execute Set-TargetResource functionality with error message: Failed to change 'Credential' property. Message: 'The 'Change' method of
    'Win32_Service' failed with error code: '22'.'
    Which means : The account under which this service runs is either invalid or lacks the permissions to run the service.

I can set this account manually in services.msc with no problem, with or without password.
I think the Service resource should handle that, like the SqlServiceAccount from SQL module do.
If the account is NT Authority or NT SERVICE, the password should be ignored?

Thank you!

@johlju
Copy link
Contributor

johlju commented Jul 6, 2018

The resource SqlServiceAccount using the SQL Server SMO object model to set the service account, and the object model probably has this built-in since we do nothing special to handle this in the resource. So the same functionality can not be reused. But similar could be added as an enhancement to this resource or it's equivalent xService in xPSDesiredStateConfiguration.

@kwirkykat Do you see this as an potential enhancement that the community could add to this resource, or do you rather see this added to xService in xPSDesiredStateConfiguration?

@johlju johlju added needs more information The issue needs more information from the author or the community. needs investigation The issue needs to be investigated by the maintainers or/and the community. and removed needs more information The issue needs more information from the author or the community. labels Jul 6, 2018
@stale
Copy link

stale bot commented Aug 5, 2018

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g bug, enhancement, documentation, or tests) then the issue will not auto-close.

@stale stale bot added the stale The issue or pull request was marked as stale because there hasn't been activity from the community. label Aug 5, 2018
@johlju
Copy link
Contributor

johlju commented Aug 6, 2018

We are still waiting for response from @kwirkykat as per previous comment. Comment so that the issues keeps open.

@stale stale bot removed the stale The issue or pull request was marked as stale because there hasn't been activity from the community. label Aug 6, 2018
@kwirkykat
Copy link
Member

@Francois-Rousseau @johlju
You can create a PSCredential with no password:
New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @("NT SERVICE\MsDtsServer110", (New-Object System.Security.SecureString))

I would try using that with the resource first to see if it works.
My guess is that it will work since for the 3 built-in accounts we do allow, we also just set the password to a blank.

If it doesn't work, it doesn't look like it would be a very hard change.
We could just remove the ValidateSet from the BuiltInAccount parameter to allow the user to specify whatever built in account they want to run with rather than limiting them to only the basic 3.
I think most of the logic will still work if we just take out that limitation.
I don't think that would constitute as a breaking change since all past scripts would still work with this update.
So I would accept this change here.
But please make sure that it is necessary to make the change first.

@johlju johlju added needs more information The issue needs more information from the author or the community. and removed needs investigation The issue needs to be investigated by the maintainers or/and the community. labels Aug 29, 2018
@johlju
Copy link
Contributor

johlju commented Aug 29, 2018

@Francois-Rousseau relabeled this as 'needs more information' until the suggestion from @kwirkykat has been evaluated by you. Let's us know your findings. Thank you!

@stale
Copy link

stale bot commented Sep 28, 2018

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g bug, enhancement, documentation, or tests) then the issue will not auto-close.

@stale stale bot added the stale The issue or pull request was marked as stale because there hasn't been activity from the community. label Sep 28, 2018
@stale
Copy link

stale bot commented Nov 7, 2018

This issue has been automatically closed because it is has not had activity from the community in the last 40 days.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
needs more information The issue needs more information from the author or the community. stale The issue or pull request was marked as stale because there hasn't been activity from the community.
Projects
None yet
Development

No branches or pull requests

3 participants