After using patch management on a Windows node, you get a permission denied error for the
pe_patch_groups.ps1 file (part of the
Error: /Stage[main]/Pe_patch/File[C:/ProgramData/PuppetLabs/pe_patch/pe_patch_groups.ps1]: Could not evaluate: Could not read file C:/ProgramData/PuppetLabs/pe_patch/pe_patch_groups.ps1: Permission denied @ rb_sysopen - C:/ProgramData/PuppetLabs/pe_patch/pe_patch_groups.ps1
You are getting this error because a file needed to run patching has misconfigured permissions.
Version and installation information
PE version: All supported versions
The correct file permissions for PE patch in Windows are Everyone with read and System with full control. Only the system account, used by the Puppet service, has those permissions. This error happens when you use the Administrators account to run patching and the group has been removed or the permissions of the group are changed.
To fix this, change the permissions of the file to add a local administrator with full control of the file.
To check the permissions, run:
PS C:\Users<USER NAME)> (get-acl C:/ProgramData/PuppetLabs/pe_patch/pe_patch_groups.ps1).access | ft IdentityReference,F ileSystemRights,AccessControlType,IsInherited,InheritanceFlags -auto
Which outputs something similar to:
IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags ----------------- ---------------- ----------------- ----------- ---------------- Everyone ReadAttributes, ReadPermissions, Synchronize Allow False None NT AUTHORITY\SYSTEM FullControl Allow False None BUILTIN\Administrators FullControl Allow False None NEWEST-LOADING\None FullControl Allow False None
Complete the following steps to fix the issue on each affected node.
- Navigate to the
C:/ProgramData/PuppetLabs/pe_patch/folder, right click it, and then click Properties.
- On the Security tab, click Advanced and then click the Add button.
- In the new popup window, click the Select a principal link.
- In the Select User or Group window, click on Advanced and click the Find Now button.
- From the results, select the Administrator account, and click OK.
- To apply permission, select the Full control checkbox options and click OK.
- Navigate to the
How can we improve this article?
Please sign in to leave a comment.