@ferventcoder
Last active September 21, 2015 18:44

Attempting to create users with Puppet with password complexity requirements turned on, but without specifying a password.

user {'bob':
  ensure => present,
}
user {'bob_pwd':
  ensure   => present,
  password => '@#SAFSawasf123',
}
user {'bob_managehome':
  ensure     => present,
  managehome => true,
}
user {'bob_managehome_pwd':
  ensure     => present,
  managehome => true,
  password   => '@#SAFSawasf123',
}
user {'bob_groups':
  ensure => present,
  groups => 'Users',
}
user {'bob_everything':
  ensure     => present,
  managehome => true,
  groups     => 'Users',
}
user {'bob_everything_pwd':
  ensure     => present,
  password   => '@#SAFSawasf123',
  managehome => true,
  groups     => 'Users',
}

C:\Users\Administrator>puppet -V
3.8.2
C:\Users\Administrator>puppet apply c:\code\temp\user.pp
Notice: Compiled catalog for win2012r2x64 in environment production in 0.34 seco
nds
Error: User update failed: (in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Wrapped exception:
(in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Error: /Stage[main]/Main/User[bob_groups]/ensure: change from absent to present
failed: User update failed: (in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Error: User update failed: (in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Wrapped exception:
(in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Error: /Stage[main]/Main/User[bob]/ensure: change from absent to present failed:
 User update failed: (in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Error: User update failed: (in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Wrapped exception:
(in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Error: /Stage[main]/Main/User[bob_managehome]/ensure: change from absent to pres
ent failed: User update failed: (in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Notice: /Stage[main]/Main/User[bob_pwd]/ensure: created
Notice: /Stage[main]/Main/User[bob_everything_pwd]/ensure: created
Error: User update failed: (in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Wrapped exception:
(in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Error: /Stage[main]/Main/User[bob_everything]/ensure: change from absent to pres
ent failed: User update failed: (in OLE method `SetInfo': )
    OLE error code:800708C5 in Active Directory
      The password does not meet the password policy requirements. Check the min
imum password length, password complexity and password history requirements.

    HRESULT error code:0x80020009
      Exception occurred.
Notice: /Stage[main]/Main/User[bob_managehome_pwd]/ensure: created
Notice: Finished catalog run in 0.64 seconds

It creates ONLY the users with passwords:

C:\Users\Administrator>puppet resource user
user { 'bob_everything_pwd':
  ensure => 'present',
  groups => ['Users'],
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1042',
}
user { 'bob_managehome_pwd':
  ensure => 'present',
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1045',
}
user { 'bob_pwd':
  ensure => 'present',
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1041',
}

And the only users that actually get a managed home directory:

image

After editing https://github.com/puppetlabs/puppet/blob/e983672fbaec81fc411dc948f61cc740cb21469a/lib/puppet/util/windows/adsi.rb#L190-L195 so that it verifies the password is not nil and logs a message when called:

  def password=(password)
    # Debug aid: this writes the plaintext password to the Puppet log.
    Puppet.warning("Called password=#{password} for user #{name}.")
    # Only set a password (and the never-expires flag) when one was supplied.
    unless password.nil?
      native_user.SetPassword(password)
      commit
      fADS_UF_DONT_EXPIRE_PASSWD = 0x10000
      add_flag("UserFlags", fADS_UF_DONT_EXPIRE_PASSWD)
    end
  end

C:\Users\Administrator>puppet apply c:\code\temp\user.pp
Notice: Compiled catalog for win2012r2x64 in environment production in 0.34 seco
nds
Warning: Called password= for user bob_groups.
Notice: /Stage[main]/Main/User[bob_groups]/ensure: created
Warning: Called password= for user bob.
Notice: /Stage[main]/Main/User[bob]/ensure: created
Warning: Called password= for user bob_managehome.
Error: Failed to logon user "bob_managehome":  The user's password must be chang
ed before signing in.
Error: /Stage[main]/Main/User[bob_managehome]/ensure: change from absent to pres
ent failed: Failed to logon user "bob_managehome":  The user's password must be
changed before signing in.
Warning: Called password=@#SAFSawasf123 for user bob_pwd.
Notice: /Stage[main]/Main/User[bob_pwd]/ensure: created
Warning: Called password= for user bob_everything.
Error: Failed to logon user "bob_everything":  The user's password must be chang
ed before signing in.
Error: /Stage[main]/Main/User[bob_everything]/ensure: change from absent to pres
ent failed: Failed to logon user "bob_everything":  The user's password must be
changed before signing in.
Warning: Called password=@#SAFSawasf123 for user bob_managehome_pwd.
Notice: /Stage[main]/Main/User[bob_managehome_pwd]/ensure: created
Warning: Called password=@#SAFSawasf123 for user bob_everything_pwd.
Notice: /Stage[main]/Main/User[bob_everything_pwd]/ensure: created
Notice: Finished catalog run in 0.55 seconds

And it creates the users (without passwords).

C:\Users\Administrator>puppet resource user
user { 'bob':
  ensure => 'present',
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1029',
}
user { 'bob_everything':
  ensure => 'present',
  groups => ['Users'],
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1032',
}
user { 'bob_everything_pwd':
  ensure => 'present',
  groups => ['Users'],
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1034',
}
user { 'bob_groups':
  ensure => 'present',
  groups => ['Users'],
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1028',
}
user { 'bob_managehome':
  ensure => 'present',
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1030',
}
user { 'bob_managehome_pwd':
  ensure => 'present',
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1033',
}
user { 'bob_pwd':
  ensure => 'present',
  uid    => 'S-1-5-21-1953236517-242735908-2433092285-1031',
}
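
The effect of the nil check in the edited setter, as an added Ruby example that is not Puppet's code: `FakeNativeUser`, `DemoUser`, `PolicyError` and the policy rule (8 or more characters, 3 of 4 character classes) are constructed stand-ins for the ADSI user object and the Windows password policy. The guarded setter here records only whether a password was supplied, so the value never reaches the log.

```ruby
# Added example, not Puppet's code. FakeNativeUser stands in for the ADSI COM
# user object; the policy rule is a simplified, constructed assumption.
class PolicyError < StandardError; end

class FakeNativeUser
  attr_reader :calls
  def initialize
    @calls = []
  end

  def SetPassword(password)
    @calls << :SetPassword
    @pending = password
  end

  # Mirrors the page's output, where the rejection surfaces in SetInfo.
  def SetInfo
    @calls << :SetInfo
    pw = @pending.to_s
    kinds = [/[a-z]/, /[A-Z]/, /\d/, /[^a-zA-Z\d]/].count { |re| re.match?(pw) }
    raise PolicyError, 'password does not meet policy' if pw.length < 8 || kinds < 3
  end
end

class DemoUser
  ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
  attr_reader :name, :native_user, :flags, :log
  def initialize(name)
    @name, @native_user, @flags, @log = name, FakeNativeUser.new, 0, []
  end

  # The page's setter with the nil check removed (assumed pre-edit behaviour).
  def password_unguarded=(password)
    set_and_commit(password)
  end

  # Guarded setter: records whether a password was supplied, never its value.
  def password=(password)
    @log << "password= called for user #{name} (supplied: #{!password.nil?})"
    set_and_commit(password) unless password.nil?
  end

  private
  def set_and_commit(password)
    native_user.SetPassword(password)
    native_user.SetInfo
    @flags |= ADS_UF_DONT_EXPIRE_PASSWD
  end
end
```

With the guard, a user declared without `password` never reaches `SetPassword`, which matches the second run: the account is created, but it has no password and no never-expires flag.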

Still the only users able to manage home are those with passwords:

image
