From fa0ddc5374d63254dfb698933ab4d8657e2f13c3 Mon Sep 17 00:00:00 2001
From: Kyriakos Oikonomakos
Date: Wed, 9 Sep 2020 18:10:14 +0100
Subject: [PATCH] Set Machine Extension Names to the correct value

In order for the GPO to apply the security settings we need to set the GPO's relevant field to the correct values. Fixes #39.
---
 ad/internal/winrmhelper/winrm_helper.go | 17 +++++++++++++++--
 ad/resource_ad_gpo_security.go | 8 ++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/ad/internal/winrmhelper/winrm_helper.go b/ad/internal/winrmhelper/winrm_helper.go
index 36db479a..814bd15c 100644
--- a/ad/internal/winrmhelper/winrm_helper.go
+++ b/ad/internal/winrmhelper/winrm_helper.go
@@ -33,7 +33,7 @@ func RunWinRMCommand(conn *winrm.Client, cmds []string, json bool) (*WinRMResult
 }
 if err != nil {
 log.Printf("[DEBUG] run error : %s", err)
- return nil, fmt.Errorf("powershell command failed with exit code %d\nstdout: %s\nstderr: %s", res, stdout, stderr)
+ return nil, fmt.Errorf("powershell command failed with exit code %d\nstdout: %s\nstderr: %s\nerror: %s", res, stdout, stderr, err)
 }
 
 result := &WinRMResult{
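Review bot: The appended error is formatted with `%s`, which flattens it to text; ending the format string with `\nerror: %w` instead would keep the underlying error available to `errors.Is`/`errors.As` in callers. This branch appears to run when the WinRM call itself returned an error, so the "exit code" and captured output in the message may not describe a PowerShell failure at all; wording such as `running powershell command: %w` with the output attached as detail would be less misleading. The body of `RunWinRMCommand` starts and ends outside this hunk, so the origin of `err` and `res` is inferred.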
@@ -63,8 +63,21 @@ func SanitiseTFInput(d *schema.ResourceData, key string) string {
 "\v", "`v",
 )
 
- // placeholder for now.
 out := cleanupReplacer.Replace(d.Get(key).(string))
 log.Printf("[DEBUG] sanitising key %q to: %s", key, out)
 return out
 }
+
+// SetMachineExtensionName will add the necessary GUIDs to the GPO's gPCMachineExtensionNames attribute.
+// These are required for the security settings part of a GPO to work.
+func SetMachineExtensionNames(client *winrm.Client, gpoDN, value string) error {
+ cmd := fmt.Sprintf(`Set-ADObject -Identity "%s" -Replace @{gPCMachineExtensionNames="%s"}`, gpoDN, value)
+ result, err := RunWinRMCommand(client, []string{cmd}, false)
+ if err != nil {
+ return fmt.Errorf("error while setting machine extension names for GPO %q: %s", gpoDN, err)
+ }
+ if result.ExitCode != 0 {
+ return fmt.Errorf("command to set machine extension names for GPO %q failed, stderr: %s, stdout: %s", gpoDN, result.StdErr, result.Stdout)
+ }
+ return nil
+}
diff --git a/ad/resource_ad_gpo_security.go b/ad/resource_ad_gpo_security.go
index 5beabf88..ab584683 100644
--- a/ad/resource_ad_gpo_security.go
+++ b/ad/resource_ad_gpo_security.go
@@ -55,7 +55,15 @@ func resourceADGPOSecurityCreate(d *schema.ResourceData, meta interface{}) error
 return err
 }
 
+ // GUIDs for security settings are defined here:
+ // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/55bb803e-b35f-4ce8-b558-4c1e92ad77a4
+ err = winrmhelper.SetMachineExtensionNames(winrmClient, gpo.DN, "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]")
+ if err != nil {
+ return err
+ }
+
 d.SetId(fmt.Sprintf("%s_securitysettings", guid))
+
 return resourceADGPOSecurityRead(d, meta)
 }
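Review bot: `SetMachineExtensionNames` interpolates `gpoDN` and `value` directly into double-quoted PowerShell strings, so a `"`, `$` or backtick in either argument would be interpreted by PowerShell rather than passed as data. `SanitiseTFInput` just above already runs its input through `cleanupReplacer`, which appears to do this escaping (only its last pair is visible in the hunk). Hoisting that replacer to package level and building the command from `cleanupReplacer.Replace(gpoDN)` and `cleanupReplacer.Replace(value)` would protect this exported helper regardless of where a caller gets the DN. The doc comment should also open with the real function name and describe the overwrite, e.g. `// SetMachineExtensionNames replaces the GPO's gPCMachineExtensionNames attribute with value.`, and the first `fmt.Errorf` could wrap `err` with `%w`.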
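Review bot: The new call in `resourceADGPOSecurityCreate` overwrites `gPCMachineExtensionNames` with only the security-settings pair, because the helper issues `Set-ADObject ... -Replace`. If the GPO already lists other client-side extensions in that attribute, they would be dropped, and clients may stop processing those settings. Consider reading the current value and merging the pair into it, or stating in the comment that this resource takes sole ownership of the attribute. The literal would also be easier to audit as a named constant, e.g. `const securitySettingsExtensionNames = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"`. The function starts outside this hunk; if the earlier steps have already written settings, a failure here returns before `d.SetId` and leaves them untracked in state.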