Creating SDDL string always report False with Test-DSCConfiguration

[SylvainMartel]

On Windows 2016 with latest CU installed
DSC Code to secure the Application Log and the System Log

        xWinEventLog securEvtApplication
        {
            LogName = 'Application'
            SecurityDescriptor = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-21-3455453797-2004565670-2676727958-53937)'

        }

        xWinEventLog securEvtSystem
        {
            LogName = 'System'
            SecurityDescriptor = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-21-3455453797-2004565670-2676727958-53937)'

        }

This works fine, it creates the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\CustomSD with the SDDL string and it's sister key for the System log, but when we run Test-Dscconfiguration, it report those parts as a ResourcesNotInDesiredState

VERBOSE: []: LCM:  [ Start  Resource ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ Start  Test     ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ End    Test     ]  [[xWinEventLog]securEvtApplication] False in 0.0780 seconds.
VERBOSE: []: LCM:  [ End    Resource ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ Start  Resource ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ Start  Test     ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ End    Test     ]  [[xWinEventLog]securEvtSystem] False in 0.0310 seconds.
VERBOSE: []: LCM:  [ End    Resource ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ End    Test     ]     Completed processing test operation. The operation returned False.
VERBOSE: []: LCM:  [ End    Test     ]    in  0.7650 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.

PSComputerName  ResourcesInDesiredState        ResourcesNotInDesiredState     InDesiredState
--------------  -----------------------        --------------------------     --------------
localhost       {[cNtfsPermissionEntry]Perm... {[xWinEventLog]securEvtAppl... False
VERBOSE: Time taken for configuration job to complete is 0.877 seconds

If we run Start-DscConfiguration -UseExisting -Force -Wait -Verbose then it will do the Set, but it will never see it as in Desire State:

VERBOSE: []: LCM:  [ Start  Resource ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ Start  Test     ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ End    Test     ]  [[xWinEventLog]securEvtApplication]  in 0.0630 seconds.
VERBOSE: []: LCM:  [ Start  Set      ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ End    Set      ]  [[xWinEventLog]securEvtApplication]  in 0.0310 seconds.
VERBOSE: []: LCM:  [ End    Resource ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ Start  Resource ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ Start  Test     ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ End    Test     ]  [[xWinEventLog]securEvtSystem]  in 0.0160 seconds.
VERBOSE: []: LCM:  [ Start  Set      ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ End    Set      ]  [[xWinEventLog]securEvtSystem]  in 0.0470 seconds.
VERBOSE: []: LCM:  [ End    Resource ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []:                            [] Consistency check completed.

The same code works fine on Windows 10...

[SylvainMartel]

I took a look at the code and ran the test condition manually on the server(line 143 )
$log = Get-WinEvent -ListLog application

Then I compared $log.SecurityDescriptor to the string that got created in the registry by DSC, and indeed they are different. That test condition doesn't seem to work.

Also, running wevtutil gl application (which is the command line utility to set SDDL the old way)returns the correct SDDL string.

So, to continue the debuging, I tried the function Set-SecurityDescriptor line by line.

It doesn't seem to work. It doesn't return an error, but the change are not taken into account.
I tried this:

$SecurityDescriptor = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-21-3455453797-2004565670-2676727958-53937)'
$log = Get-WinEvent -ListLog "application"
$log.SecurityDescriptor = $SecurityDescriptor
$log.SaveChanges()

and then

$log2 = Get-WinEvent -ListLog "application"
$log2.SecurityDescriptor

result

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-3700697335-2754794931-3075335600-74107)

Not what it should be. Some weird behavior going on

[SylvainMartel]

closing this, found a GPO that interfere.

[SylvainMartel]

Reopening this. After making sure the system is completely isolated we still get the problem described above. Completely baffled.