Windows Server 2022 - "Cannot find an appropriate constructor for type System.Security.Principal.NTAccount"

[Wheels387]

Describe the bug
Attempting to run "Test-DSCConfiguration -ComputerName "localhost" -ReferenceConfiguration ".\localhost.mof" fails with the following errors:

Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : System.Management.Automation.MethodInvocationException,Resolve-Identity
    + PSComputerName        : localhost

A constructor was not found. Cannot find an appropriate constructor for type System.Security.Principal.NTAccount.
    + CategoryInfo          : ObjectNotFound: (:) [], CimException
    + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
    + PSComputerName        : localhost

The PowerShell DSC resource '[RegistryAccessEntry][V-254254.c][medium][SRG-OS-000324-GPOS-00125]::[WindowsServer]BaseLine'
with SourceInfo 'C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.22.0\DSCResources\Resources\windows.AccessControl.p
s1::15::13::RegistryAccessEntry' threw one or more non-terminating errors while running the Test-TargetResource
functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel
for more details.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

To Reproduce

1. Install Windows Server 2022 Standard - Desktop Experience
2. Download / Install PowerShell 7.4.x LTS
3. Download / Install Terminal
4. Perform Windows Updates
5. Open Windows PowerShell as Admin (NOT PowerShell 7.4.x)
6. Run commands:

Install-Module PowerStig -Scope CurrentUser
winrm quickconfig
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private
Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192
$(Get-Module PowerStig -ListAvailable).RequiredModules | % { $PSITEM | Install-Module -Force }

NOTE: Issue occurs with or without running the final command to install the modules. Unsure if that's just supposed to be executed on remote machines when you're running this from another machine. Seems like the error message I'm seeing is coming from the submodules inside of the PowerStig module.

7. Close Windows PowerShell
8. Create C:\temp\conf.ps1 with contents:

configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2022'
            OsRole      = 'MS'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
        }
    }
}

Example

NOTE: Found contradictory instructions for Domain Name, Forest Name values. Have tried with those omitted and set to sample.test. Issue happens in both cases.

9. Open Windows PowerShell as Admin
10. Run commands:
    . C:\temp\conf.ps1
    Test-DscConfiguration -ComputerName 'localhost' -ReferenceConfiguration <localhost.mof from previous command>

Expected behavior
Return from command indicating most settings are not in compliance.

[erjenkin]

Hello @Wheels387,

Thanks for creating the issue. I confirmed that rule 'v-254254.c' produces the error. The security group "Server Operators" should not be in this 'MS' STIG because it only exists on DomainControllers.

Temp workaround - skip that rule ( you could also use the exception format with PowerSTIG to update that rule to still apply without the "Server Operator" group

configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2022'
            OsRole      = 'MS'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            SkipRules = @('V-254254.c')
        }
    }
}

Example

Fix needed
Update converted STIG for MemberServer 2022, to not include 'Server Operators'

Thanks
Eric

[erjenkin]

Created a PR to fix your issue, which will be released with the next version of PowerSTIG
#1361

Thank you,
Eric

[Wheels387]

Adding SkipRule = @('V-254254.c') to the configuration allowed everything to run as expected. Thank you for the quick response!

[CJFranklin]

@erjenkin It looks like you fixed this with PR #1361 for 2022-MS-1.4 and 2022-MS-1.5, but it appears to be back in 2022-MS-2.1. I just wanted to make sure you were aware of that.