Jira (PUP-6569) Improve error messaging for Windows user management

[Moses Mendoza (JIRA)]

Moses Mendoza created an issue

Puppet / PUP-6569 Improve error messaging for Windows user management Issue Type: Task Assignee: Unassigned Created: 2016/08/01 12:44 PM Priority: Normal Reporter: Moses Mendoza While investigating PUP-6483, we found that we could be more specific with our error handling when performing some user password management tasks on Windows. Per Rob Reynolds in PUP-6483: A few error codes we could explore handling some of the errors and providing better messages around how to correct. Possibly as a separate ticket though. https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx * ERROR_LAST_ADMIN - 1322 (0x52A) - This operation is disallowed as it could result in an administration account being disabled, deleted or unable to log on. * ERROR_WRONG_PASSWORD - 1323 (0x52B) - Unable to update the password. The value provided as the current password is incorrect. * ERROR_ILL_FORMED_PASSWORD - 1324 (0x52C) - Unable to update the password. The value provided for the new password contains values that are not allowed in passwords. * ERROR_PASSWORD_RESTRICTION - 1325 (0x52D) - Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain. * ERROR_LOGON_FAILURE - 1326 (0x52E) - The user name or password is incorrect. * ERROR_ACCOUNT_RESTRICTION - 1327 (0x52F) - Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. * ERROR_INVALID_LOGON_HOURS - 1328 (0x530) - Your account has time restrictions that keep you from signing in right now. * ERROR_INVALID_WORKSTATION - 1329 (0x531) - This user isn't allowed to sign in to this computer. * ERROR_PASSWORD_EXPIRED - 1330 (0x532) - The password for this account has expired. * ERROR_ACCOUNT_DISABLED - 1331 (0x533) - This user can't sign in because this account is currently disabled. In Scope Modify the Puppet Windows user provider or backing libs in puppet/util/windows to detect and surface some or all of the preceding errors to the user when applicable Add Comment

This message was sent by Atlassian JIRA (v6.4.13#64028-sha1:b7939e9)

[Moses Mendoza (JIRA)]

Moses Mendoza updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Moses Mendoza Sprint: Windows Triage

Add Comment

[Rob Reynolds (JIRA)]

Rob Reynolds updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Rob Reynolds Component/s: Windows Component/s: Types and Providers

Add Comment

[Rob Reynolds (JIRA)]

Rob Reynolds updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Rob Reynolds Labels: type_user windows

Add Comment

[Kenaz Kwa (JIRA)]

Kenaz Kwa updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Kenaz Kwa Sprint: Windows  Triage  2016-08-24

Add Comment

[Craig Gomes (JIRA)]

Craig Gomes updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Craig Gomes Sprint: Windows 2016- 08 09 - 24 07

Add Comment

[Moses Mendoza (JIRA)]

Moses Mendoza updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Moses Mendoza

While investigating PUP-6483, we found that we could be more specific with our error handling when performing some user password management tasks on Windows.

Per [~rob] in PUP-6483: {quote}

A few error codes we could explore handling some of the errors and providing better messages around how to correct. Possibly as a separate ticket though. https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx

{code}

* ERROR_LAST_ADMIN  - 1322 (0x52A) - This operation is disallowed as it could result in an administration account being disabled, deleted or unable to log on. * ERROR_WRONG_PASSWORD - 1323 (0x52B) - Unable to update the password. The value provided as the current password is incorrect. * ERROR_ILL_FORMED_PASSWORD - 1324 (0x52C) - Unable to update the password. The value provided for the new password contains values that are not allowed in passwords. * ERROR_PASSWORD_RESTRICTION - 1325 (0x52D) - Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain. * ERROR_LOGON_FAILURE - 1326 (0x52E) - The user name or password is incorrect. * ERROR_ACCOUNT_RESTRICTION - 1327 (0x52F) - Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. * ERROR_INVALID_LOGON_HOURS - 1328 (0x530) - Your account has time restrictions that keep you from signing in right now. * ERROR_INVALID_WORKSTATION - 1329 (0x531) - This user isn't allowed to sign in to this computer. * ERROR_PASSWORD_EXPIRED - 1330 (0x532) - The password for this account has expired. * ERROR_ACCOUNT_DISABLED - 1331 (0x533) - This user can't sign in because this account is currently disabled.

{code} {quote} *In Scope* * Modify the Puppet Windows user provider or backing libs in puppet/util/windows to detect and surface some or all of the preceding errors to the user when applicable *Notes* From - https://github.com/puppetlabs/puppet/pull/5201#discussion_r75033133 {{ERROR_ACCOUNT_LOCKED_OUT = 1909}} - is raised if account is locked out even when supplied login credentials are valid With both {{ERROR_ACCOUNT_LOCKED_OUT = 1909}} and {{ERROR_ACCOUNT_EXPIRED = 1793}}, puppet will proceed to set the password anyway after failed logon. Both of these (and probably others) are cases we could improve on... for example, puppet should not try to set passwords for expired or locked out accounts, and possibly should log a debug message that this was encountered?

Add Comment

[Ethan Brown (JIRA)]

Ethan Brown updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Ethan Brown Sprint: Windows 2016-09- 07 21

Add Comment

[Moses Mendoza (JIRA)]

Moses Mendoza updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Moses Mendoza Sprint: Windows 2016-09-21

Add Comment

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

[Doug Rosser (JIRA)]

Doug Rosser updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Doug Rosser Labels: triaged type_user windows

Add Comment

[Branan Riley (JIRA)]

Branan Riley updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Branan Riley Labels: triaged type_and_provider type_user user windows

Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

[Casey Williams (JIRA)]

Casey Williams assigned an issue to Casey Williams

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Casey Williams Assignee: Casey Williams

Add Comment

[Geoff Nichols (JIRA)]

Geoff Nichols updated an issue

Puppet / PUP-6569 Improve error messaging for Windows user management

Change By: Geoff Nichols Sprint: Platform OS Kanban

Add Comment

[Jonathan Morris (JIRA)]

Jonathan Morris commented on PUP-6569

Re: Improve error messaging for Windows user management Disabled, expired and locked accounts are detected; passwords cannot be changed for accounts in these states and a warning is reported. More expansive error reporting will be addressed in a separate ticket.

Add Comment

[Dorin Pleava (JIRA)]

Dorin Pleava updated an issue

Puppet / PUP-6569

Improve error messaging for Windows user management

Change By: Dorin Pleava

Add Comment