Set Machine Extension Names to the correct value

In order for the GPO to apply the security settings we need to set the GPO's relevant field to the correct values. Fixes hashicorp#39.
nooop3 · Sep 23, 2020 · fa0ddc5 · fa0ddc5
1 parent 6e68fb6
commit fa0ddc5
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/ad/internal/winrmhelper/winrm_helper.go b/ad/internal/winrmhelper/winrm_helper.go
@@ -33,7 +33,7 @@ func RunWinRMCommand(conn *winrm.Client, cmds []string, json bool) (*WinRMResult
 	}
 	if err != nil {
 		log.Printf("[DEBUG] run error : %s", err)
-		return nil, fmt.Errorf("powershell command failed with exit code %d\nstdout: %s\nstderr: %s", res, stdout, stderr)
+		return nil, fmt.Errorf("powershell command failed with exit code %d\nstdout: %s\nstderr: %s\nerror: %s", res, stdout, stderr, err)
 	}
 
 	result := &WinRMResult{
@@ -63,8 +63,21 @@ func SanitiseTFInput(d *schema.ResourceData, key string) string {
 		"\v", "`v",
 	)
 
-	// placeholder for now.
 	out := cleanupReplacer.Replace(d.Get(key).(string))
 	log.Printf("[DEBUG] sanitising key %q to: %s", key, out)
 	return out
 }
+
+// SetMachineExtensionName will add the necessary GUIDs to the GPO's gPCMachineExtensionNames attribute.
+// These are required for the security settings part of a GPO to work.
+func SetMachineExtensionNames(client *winrm.Client, gpoDN, value string) error {
+	cmd := fmt.Sprintf(`Set-ADObject -Identity "%s" -Replace @{gPCMachineExtensionNames="%s"}`, gpoDN, value)
+	result, err := RunWinRMCommand(client, []string{cmd}, false)
+	if err != nil {
+		return fmt.Errorf("error while setting machine extension names for GPO %q: %s", gpoDN, err)
+	}
+	if result.ExitCode != 0 {
+		return fmt.Errorf("command to set machine extension names for GPO %q failed, stderr: %s, stdout: %s", gpoDN, result.StdErr, result.Stdout)
+	}
+	return nil
+}
diff --git a/ad/resource_ad_gpo_security.go b/ad/resource_ad_gpo_security.go
@@ -55,7 +55,15 @@ func resourceADGPOSecurityCreate(d *schema.ResourceData, meta interface{}) error
 		return err
 	}
 
+	// GUIDs for security settings are defined here:
+	// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/55bb803e-b35f-4ce8-b558-4c1e92ad77a4
+	err = winrmhelper.SetMachineExtensionNames(winrmClient, gpo.DN, "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]")
+	if err != nil {
+		return err
+	}
+
 	d.SetId(fmt.Sprintf("%s_securitysettings", guid))
+
 	return resourceADGPOSecurityRead(d, meta)
 }