Merge pull request #866 from Icinga:fix/service_login_for_other_users_being_removed

Fix: Service logon permission removed from other local/domain users

Fixes an issue with the Icinga for Windows permission grant for the managed `icinga` user to logon as service, which causes other added local/domain users to have this permission revoked
Lord Hepipud 2026-03-18 11:24:43 +01:00 committed by GitHub
commit beafddb4cf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 12 additions and 0 deletions

@ -15,6 +15,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
* [#861](https://github.com/Icinga/icinga-powershell-framework/pull/861) Fixes `Update-IcingaWindowsUserPermission` to ensure permissions for logon as service are granted for non-managed users, while the removal process and any logon deny rights are never touched to not break possible third-party software and manually user configuration for those users
* [#864](https://github.com/Icinga/icinga-powershell-framework/pull/864) Fixes process provider which could throw an exception for integer overflow on memory usage
* [#866](https://github.com/Icinga/icinga-powershell-framework/pull/866) Fixes an issue with the Icinga for Windows permission grant for the managed `icinga` user to logon as service, which causes other added local/domain users having this permission revoked for them
## 1.14.1 (2026-02-11)
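
Review bot: The #866 entry states only the symptom (other users losing the logon as service right) and not what behaves differently after the fix. Going by the code change in this commit, existing entries stored by account name rather than by SID are now kept when the name resolves to a SID, so the entry could say that. It would also help to say how this differs from #861 two lines above, since both entries concern logon as service rights for non-managed users and a reader cannot tell from the text which cases each one covers.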

@ -100,6 +100,17 @@ function Update-IcingaWindowsUserPermission()
if ([string]::IsNullOrEmpty($token) -eq $FALSE) {
# Detect any entries that are not SIDs (SIDs start with '*' and S-1-...)
if (-not ($token -match '^\*S-1-\d+(-\d+)*$')) {
# Try to fetch the SID for the user entry and add it if a SID
# is found to ensure we don't accidentally remove entries which are still valid
$SIDFromToken = Get-IcingaUserSID -User $token;
if ([string]::IsNullOrEmpty($SIDFromToken) -eq $FALSE) {
$entryList += $token;
continue;
}
# Add the non-SID entry to a list to print a warning later, but don't add it to the entry list,
# as we don't want to remove it if we are removing permissions for the managed user
$nonSidEntries += $token;
continue;
}
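
Review bot: In the new name-resolution branch, `$SIDFromToken` is used only for the empty check, and the raw `$token` is what gets appended to `$entryList`, so the list now mixes account names with `*S-1-...` entries. If later code compares or de-duplicates entries against a SID, a name-form entry for the same account will not match. Consider appending the resolved SID in the `*S-1-...` form the regex above expects, or add a comment saying the original name is kept on purpose. Separately, a name that does not resolve at run time still goes to `$nonSidEntries` and skips `$entryList`, and the comment on that path ("don't add it to the entry list, as we don't want to remove it") is hard to reconcile with the resolvable case, which is fixed by adding the entry to the list. It is worth confirming what happens to an unresolved entry when the right is written back, and handling a lookup failure from `Get-IcingaUserSID` explicitly rather than treating it the same as an unknown name.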