It seems as though, regardless of what a given resource is actually trying to do on a server, that a given local or domain account that you want to use with PsDscRunAsCredential needs interactive logon rights?
Logon failure: the user has not been granted the requested logon type at this
+ CategoryInfo : AuthenticationError: ( , CimException
+ FullyQualifiedErrorId : Win32Error:1385
+ PSComputerName : localhost
It seems sort of silly that DSC would impose that restriction given that if I take the same local / domain account and perform the same action as the DSC resource would through PS Remoting (non-interactive) that I can accomplish that.
In our particular enterprise environment we’ve clamped down on static password, interactive logon domain accounts via OU group policies for security reasons. (And interactive management accounts rotate passwords daily.) You sort of need more static-ish passwords for DSC automation, though, so you can see where the pain point comes in…
Anyone else run into this particular dilemma? I’m considering posting something on UserVoice about this particular item.