
Windows Server 2022 - "Cannot find an appropriate constructor for type System.Security.Principal.NTAccount" #1360

Open
Wheels387 opened this issue Jun 17, 2024 · 3 comments
@Wheels387

Describe the bug
Attempting to run `Test-DSCConfiguration -ComputerName "localhost" -ReferenceConfiguration ".\localhost.mof"` fails with the following errors:

```
Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : System.Management.Automation.MethodInvocationException,Resolve-Identity
    + PSComputerName        : localhost

A constructor was not found. Cannot find an appropriate constructor for type System.Security.Principal.NTAccount.
    + CategoryInfo          : ObjectNotFound: (:) [], CimException
    + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
    + PSComputerName        : localhost

The PowerShell DSC resource '[RegistryAccessEntry][V-254254.c][medium][SRG-OS-000324-GPOS-00125]::[WindowsServer]BaseLine'
with SourceInfo 'C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.22.0\DSCResources\Resources\windows.AccessControl.ps1::15::13::RegistryAccessEntry'
threw one or more non-terminating errors while running the Test-TargetResource
functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel
for more details.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
```

To Reproduce

  1. Install Windows Server 2022 Standard - Desktop Experience
  2. Download / Install PowerShell 7.4.x LTS
  3. Download / Install Terminal
  4. Perform Windows Updates
  5. Open Windows PowerShell as Admin (NOT PowerShell 7.4.x)
  6. Run commands:
```powershell
Install-Module PowerStig -Scope CurrentUser
winrm quickconfig
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private
Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192
$(Get-Module PowerStig -ListAvailable).RequiredModules | % { $PSITEM | Install-Module -Force }
```

NOTE: Issue occurs with or without running the final command to install the modules. Unsure if that's just supposed to be executed on remote machines when you're running this from another machine. Seems like the error message I'm seeing is coming from the submodules inside of the PowerStig module.

  7. Close Windows PowerShell
  8. Create C:\temp\conf.ps1 with contents:

```powershell
configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2022'
            OsRole      = 'MS'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
        }
    }
}

Example
```

NOTE: Found contradictory instructions for Domain Name, Forest Name values. Have tried with those omitted and set to sample.test. Issue happens in both cases.

  9. Open Windows PowerShell as Admin
  10. Run commands:

```powershell
. C:\temp\conf.ps1
Test-DscConfiguration -ComputerName 'localhost' -ReferenceConfiguration <localhost.mof from previous command>
```

Expected behavior
Return from command indicating most settings are not in compliance.

@erjenkin
Contributor

erjenkin commented Jun 18, 2024

Hello @Wheels387,

Thanks for creating the issue. I confirmed that rule 'V-254254.c' produces the error. The security group "Server Operators" should not be in this 'MS' STIG because it only exists on Domain Controllers.

Temp workaround: skip that rule (you could also use the exception format with PowerSTIG to update that rule so it still applies without the "Server Operators" group).

```powershell
configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2022'
            OsRole      = 'MS'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            # Rule IDs listed here are excluded from the compiled configuration.
            SkipRule    = @('V-254254.c')
        }
    }
}

Example
```

Fix needed
Update the converted STIG for MemberServer 2022 so it does not include 'Server Operators'.

Thanks
Eric
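The failing call behind the first error in the report is `NTAccount.Translate()`, which throws when a principal named by a rule does not exist on the host being tested. The following is an added example (not code from the issue or from PowerSTIG) that runs the same translation per account, so a baseline's identity references can be checked on a target before `Test-DscConfiguration` is invoked; the function name and the sample principal list are constructed for illustration.

```powershell
# Added example: resolve each identity reference to a SID the same way the
# DSC resource does, and report the ones this host cannot translate.
function Test-IdentityReference {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string[]] $Principal
    )

    foreach ($name in $Principal) {
        $result = [pscustomobject]@{
            Principal = $name
            Resolved  = $false
            Sid       = $null
            Error     = $null
        }
        try {
            $account = [System.Security.Principal.NTAccount]::new($name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
            $result.Resolved = $true
            $result.Sid = $sid.Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # The "Some or all identity references could not be translated" case:
            # the account is absent here, e.g. 'Server Operators' on a member
            # server, which is what rule V-254254.c tripped over.
            $result.Error = $_.Exception.Message
        }
        catch {
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Constructed sample: principals a member-server baseline might reference.
$sample = @(
    'BUILTIN\Administrators'
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Server Operators'   # defined only on domain controllers
)

$report = Test-IdentityReference -Principal $sample
$report | Format-Table -AutoSize

# Unresolved principals point at rules to skip on this host (SkipRule) or
# to correct in the converted STIG, as the maintainer describes above.
$report | Where-Object { -not $_.Resolved } | Select-Object -ExpandProperty Principal
```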

@erjenkin erjenkin added the bug Something isn't working label Jun 18, 2024
@erjenkin erjenkin added this to the 4.23.0 milestone Jun 18, 2024
@erjenkin
Contributor

Created a PR to fix your issue, which will be released with the next version of PowerSTIG
#1361

Thank you,
Eric

@erjenkin erjenkin self-assigned this Jun 18, 2024
@Wheels387
Author

Adding SkipRule = @('V-254254.c') to the configuration allowed everything to run as expected. Thank you for the quick response!
