(TL;DR) When I change something in my custom resource and push a configuration, it appears that the changes aren’t being read or applied.
I feel like I’m missing something really basic here, but I’ve been banging my head on it for a couple of days and I’m starting to bruise. Basically, I’m working to create a custom resource to mess around with some registry permissions. My Citrix admin had a need and it was a good chance for me to play around. So I create my resource using the latest version of the resource designer and these commands:
$propKey = New-xDscResourceProperty -name Key -type String -Attribute Key
$propIdentity = New-xDscResourceProperty -name identity -type String -Attribute Key
$propAccessRight = New-xDscResourceProperty -name AccessRight -type String -Attribute Key -ValidateSet `
    "QueryValues","SetValue","CreateSubKey","EnumerateSubKeys","Notify","CreateLink","ExecuteKey","ReadKey","WriteKey","Delete","ReadPermissions","ChangePermissions","TakeOwnership","FullControl"
$propControlType = New-xDscResourceProperty -name ControlType -type String -Attribute Key -ValidateSet "Allow","Deny"
$propEnsure = New-xDscResourceProperty -name Ensure -type String -Attribute Write -ValidateSet "Present","Absent"
New-xDscResource -name EPD_RegistryPermission -Property $propKey, $propIdentity, $propAccessRight, $propControlType, $propEnsure -path c:\Scripts\EPD_CustomResources
New-ModuleManifest -path c:\scripts\EPD_CustomResources\EPD_CustomResources.psd1 -RootModule EPD_CustomResources
That gives me my folder structure, so far so good. I fill it with my code, move it to my test server and execute it with this:
Configuration Test
{
    Import-DscResource -moduleName EPD_CustomResources
    Node localhost
    {
        EPD_RegistryPermission FullControl
        {
            Ensure='Present'
            Key='HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Test'
            AccessRight="FullControl"
            ControlType="Deny"
            Identity="Administrators"
        }
    }
}
Test -outputPath c:\dsc\test
Start-DscConfiguration -wait -ComputerName localhost -path c:\dsc\test -Verbose -Force
That creates my mof and starts it up. Test runs through ok but I get an error in the Set stage:
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer PDADUTL01CORP with user sid S-1-5-21-1327060583-1562144247-1555438652-123710.
VERBOSE: [PDADUTL01CORP]: LCM: [ Start Set ]
VERBOSE: [PDADUTL01CORP]: LCM: [ Start Resource ] [[EPD_RegistryPermission]FullControl]
VERBOSE: [PDADUTL01CORP]: LCM: [ Start Test ] [[EPD_RegistryPermission]FullControl]
VERBOSE: [PDADUTL01CORP]: LCM: [ End Test ] [[EPD_RegistryPermission]FullControl] in 0.0160 seconds.
VERBOSE: [PDADUTL01CORP]: LCM: [ Start Set ] [[EPD_RegistryPermission]FullControl]
Cannot set the ACL because the method that it needs to invoke, SetSecurityDescriptor, does not exist.
    + CategoryInfo : NotImplemented: (:) [], CimException
    + FullyQualifiedErrorId : SetAcl_OperationNotSupported,Microsoft.PowerShell.Commands.SetAclCommand
    + PSComputerName : localhost
VERBOSE: [PDADUTL01CORP]: LCM: [ End Set ] [[EPD_RegistryPermission]FullControl] in 0.0160 seconds.
The PowerShell provider EPD_RegistryPermission threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName : localhost
VERBOSE: [PDADUTL01CORP]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.117 seconds
Looks like it doesn’t like me using set-acl on a registry key. No problem, I’ll try something else. But here’s where the problem comes in. No matter what I change, I get the exact same error. I’ve even thrown in a bunch of write-verbose "****************" calls just to see that in the output, and it doesn’t appear. I should just be able to update the code in my psm1 file and be good, right? What am I missing?
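
An alternative to Set-Acl for the Set stage described above is to read and write the key's DACL through the .NET RegistryKey security API. This is an added example, not part of the original post or the poster's module: the function names Open-RegKeyForAcl, Test-RegAce and Set-RegAce are hypothetical, and the parameters are assumed to mirror the Key, Identity, AccessRight, ControlType and Ensure properties defined in the post.

```powershell
# Added example, not the poster's psm1; function names are hypothetical.
function Open-RegKeyForAcl {
    param([Parameter(Mandatory)][string]$Key)
    # 'HKEY_LOCAL_MACHINE\Software\...' -> hive name + subkey path
    $hiveName, $subKey = $Key -split '\\', 2
    $hive = switch ($hiveName) {
        'HKEY_LOCAL_MACHINE' { [Microsoft.Win32.Registry]::LocalMachine }
        'HKEY_USERS'         { [Microsoft.Win32.Registry]::Users }
        default              { throw "Unsupported hive '$hiveName'" }
    }
    # Request only the rights needed to read and rewrite the DACL.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    $regKey = $hive.OpenSubKey($subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($null -eq $regKey) { throw "Registry key '$Key' does not exist" }
    $regKey
}

function Test-RegAce {
    param($Key, $Identity, $AccessRight, $ControlType)
    $want = [System.Security.AccessControl.RegistryRights]$AccessRight
    $sid  = ([System.Security.Principal.NTAccount]$Identity).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $regKey = Open-RegKeyForAcl -Key $Key
    try {
        # Explicit (non-inherited) ACEs only, identities returned as SIDs.
        $rules = $regKey.GetAccessControl('Access').GetAccessRules(
                     $true, $false, [System.Security.Principal.SecurityIdentifier])
        [bool]($rules | Where-Object { $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq $ControlType -and
            ($_.RegistryRights -band $want) -eq $want })
    } finally { $regKey.Close() }
}

function Set-RegAce {
    param($Key, $Identity, $AccessRight, $ControlType, $Ensure = 'Present')
    # Three-argument rule: no inheritance flags, so it applies to this key only.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        [string]$Identity,
        [System.Security.AccessControl.RegistryRights]$AccessRight,
        [System.Security.AccessControl.AccessControlType]$ControlType)
    $regKey = Open-RegKeyForAcl -Key $Key
    try {
        $acl = $regKey.GetAccessControl('Access')
        if ($Ensure -eq 'Present') { $acl.AddAccessRule($rule) }
        else                       { [void]$acl.RemoveAccessRule($rule) }
        $regKey.SetAccessControl($acl)   # writes the DACL through the key handle
    } finally { $regKey.Close() }
}
```

Test-RegAce returns $true only when an explicit ACE for the identity already covers the requested rights, which is the comparison a Test-TargetResource needs before Set-RegAce is called.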