gPCMachineExtensionNames isn't set on GPO attributes, causing them to not show and not apply #39

Closed
mdjx opened this issue Aug 9, 2020 · 3 comments · Fixed by #43

mdjx commented Aug 9, 2020

Terraform Version and Provider Version

Terraform v0.12.29
provider.ad v0.1.0

Windows Version

Client, Windows 10 1909
Server, 2012 R2, 2019

Affected Resource(s)

ad_gpo_security

Terraform Configuration Files

resource "ad_gpo" "example_gpo" {
    name   = "Event Log Retention Settings"
}

resource "ad_gpo_security" "example_gpo_sec" {
    gpo_container = ad_gpo.example_gpo.id

    application_log {
        maximum_log_size = 50048
    }
    system_log {
        maximum_log_size = 50048
    }
}

Expected Behavior

GPO should be created with the correct event log settings

Actual Behavior

GPO is created, but the settings are not visible in the 'Settings' tab of GPMC. The GPO does not apply correctly when linked.

However, once you edit the GPO, they can be seen.

Steps to Reproduce

  1. terraform apply
  2. Check GPMC

Important Factoids

This condition is due to a missing gPCMachineExtensionNames value within AD for the GPO. It needs to be set to [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}].

GPO Created with AD Provider:

Working GPO:

This can be corrected with PowerShell:

Set-ADObject -Identity "__GPO__DN__" -Replace @{gPCMachineExtensionNames="[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"}

For User settings, the attribute name is gPCUserExtensionNames.

This issue is more complex than I have presented here; there are GUIDs for different types of settings, and a (complete?) list can be found here: https://www.infrastructureheroes.org/microsoft-infrastructure/active-directory/guid-list-of-group-policy-client-extensions/. Different GPO settings will require different CSE GUIDs to be applied to the appropriate attribute (user/machine).

Once the attribute value is set, the GPO shows (and applies) correctly.

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@mdjx mdjx added the bug Something isn't working label Aug 9, 2020
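
An audit for the condition reported above, as an added example that is not part of the original report or of the provider's code: it parses gPCMachineExtensionNames and flags GPOs that carry a security template but lack the security CSE pair quoted in the issue. The function names, the HasSecurityTemplate property and the sample rows are assumptions made for illustration.

```powershell
# Added example. The GUID pair is the one quoted in the issue; all other names are illustrative.
$SecurityCse  = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$SecurityTool = '{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}'

function ConvertFrom-GpcExtensionNames {
    # Split "[{CSE}{tool}...][{CSE}{tool}...]" into one object per bracketed group.
    param([string]$Value)
    foreach ($group in [regex]::Matches($Value, '\[([^\]]*)\]')) {
        $guids = @([regex]::Matches($group.Groups[1].Value, '\{[0-9A-Fa-f-]{36}\}') |
            ForEach-Object { $_.Value.ToUpperInvariant() })
        if ($guids.Count -gt 0) {
            [pscustomobject]@{ Cse = $guids[0]; Tools = @($guids | Select-Object -Skip 1) }
        }
    }
}

function Test-GpoSecurityExtension {
    # True when the attribute lists the security CSE together with its tool GUID.
    param([string]$MachineExtensionNames)
    foreach ($entry in @(ConvertFrom-GpcExtensionNames $MachineExtensionNames)) {
        if ($entry.Cse -eq $SecurityCse -and $entry.Tools -contains $SecurityTool) { return $true }
    }
    return $false
}

# Constructed sample rows so the script runs offline. On a domain-joined host, build them from
#   Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
#       -Properties displayName, gPCMachineExtensionNames, gPCFileSysPath
# and set HasSecurityTemplate (hypothetical property) from
#   Test-Path (Join-Path $_.gPCFileSysPath 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf')
$gpos = @(
    [pscustomobject]@{ Name = 'Attribute never written'; HasSecurityTemplate = $true
                       gPCMachineExtensionNames = $null }
    [pscustomobject]@{ Name = 'Security pair present'; HasSecurityTemplate = $true
                       gPCMachineExtensionNames = "[${SecurityCse}${SecurityTool}]" }
    # Placeholder GUIDs below are constructed and do not name a real extension.
    [pscustomobject]@{ Name = 'Only another CSE listed'; HasSecurityTemplate = $true
                       gPCMachineExtensionNames = '[{00000000-0000-0000-0000-000000000001}{00000000-0000-0000-0000-000000000002}]' }
    [pscustomobject]@{ Name = 'No security settings'; HasSecurityTemplate = $false
                       gPCMachineExtensionNames = $null }
)

# GPOs that hold security settings but whose attribute does not announce them to clients.
$gpos |
    Where-Object { $_.HasSecurityTemplate -and -not (Test-GpoSecurityExtension $_.gPCMachineExtensionNames) } |
    Select-Object Name, gPCMachineExtensionNames
```

When remediating a flagged GPO that already lists other extensions, merge the security group into the existing value, because `-Replace` overwrites the whole attribute.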

aareet commented Aug 12, 2020

Thank you for reporting this @mdjx, we will work to fix this in our September release.

koikonom pushed a commit that referenced this issue Sep 9, 2020
In order for the GPO to apply the security settings we need to set the
GPO's relevant field to the correct values.

Fixes #39.
koikonom pushed a commit that referenced this issue Sep 23, 2020
In order for the GPO to apply the security settings we need to set the
GPO's relevant field to the correct values.

Fixes #39.
@koikonom

Hi @mdjx , version 0.2.0 is out and it contains the fix for this issue.

Thank you!


ghost commented Oct 24, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 24, 2020
nooop3 pushed a commit to nooop3/terraform-provider-ad that referenced this issue Oct 10, 2022
In order for the GPO to apply the security settings we need to set the
GPO's relevant field to the correct values.

Fixes hashicorp#39.