salt.modules.win_lgpo module

Manage Local Policy on Windows

New in version 2016.11.0.

This module allows configuring local group policy (i.e. gpedit.msc) on a Windows server.

Administrative Templates

Administrative template policies are dynamically read from ADMX/ADML files on the server.

Windows Settings

Policies contained in the "Windows Settings" section of the gpedit.msc GUI are statically defined in this module. Each policy is configured for the section (Machine/User) in the module's _policy_info class. The _policy_info class contains a "policies" dict that describes how the module will configure each policy, where the policy resides in the GUI (for display purposes), data validation data, data transformation data, etc.

Current known limitations

  • At this time, start/shutdown script policies are displayed, but are not configurable.
  • Not all "Security Settings" policies exist in the _policy_info class.
depends:
  • pywin32 Python module
  • lxml
  • uuid
  • codecs
  • struct
  • salt.modules.reg
salt.modules.win_lgpo.get(policy_class=None, return_full_policy_names=True, hierarchical_return=False, adml_language='en-US', return_not_configured=False)

Get a policy value

Parameters:
  • policy_class (str) -- Some policies are both user and computer. By default all policies will be pulled, but this can be used to retrieve only a specific policy class: User/USER/user = retrieve user policies; Machine/MACHINE/machine/Computer/COMPUTER/computer = retrieve machine/computer policies.
  • return_full_policy_names (bool) -- True/False to return the policy name as it is seen in the gpedit.msc GUI or to only return the policy key/id.
  • hierarchical_return (bool) -- True/False to return the policy data in the hierarchy as seen in the gpedit.msc GUI. The default of False will return data split only into User/Computer configuration sections
  • adml_language (str) -- The ADML language to use for processing display/descriptive names and enumeration values of ADMX template data, defaults to en-US
  • return_not_configured (bool) -- Include Administrative Template policies that are 'Not Configured' in the return data
Returns:

A dictionary containing the policy values for the specified class

Return type:

dict

CLI Example:

salt '*' lgpo.get machine return_full_policy_names=True
salt.modules.win_lgpo.get_policy_info(policy_name, policy_class, adml_language='en-US')

Returns information about a specified policy

Parameters:
  • policy_name (str) -- The name of the policy to lookup
  • policy_class (str) -- The class of policy, i.e. machine, user, both
  • adml_language (str) -- The ADML language to use for Administrative Template data lookup
Returns:

Information about the specified policy

Return type:

dict

CLI Example:

salt '*' lgpo.get_policy_info 'Maximum password age' machine
salt.modules.win_lgpo.set(computer_policy=None, user_policy=None, cumulative_rights_assignments=True, adml_language='en-US')

Set a local server policy.

Parameters:
  • computer_policy (dict) --

    A dictionary of "policyname: value" pairs of computer policies to set. 'value' should be how it is displayed in the gpedit GUI, i.e. if a setting can be 'Enabled'/'Disabled', then that should be passed.

    Administrative Template data may require dicts within dicts, to specify each element of the Administrative Template policy. Administrative Templates policies are always cumulative.

    Policy names can be specified in a number of ways based on the type of policy:

    Windows Settings Policies:
    These policies can be specified using the GUI display name or the key name from the _policy_info class in this module. The GUI display name is also contained in the _policy_info class in this module.

    Administrative Template Policies:

    These can be specified using the policy name as displayed in the GUI (case sensitive). Some policies have the same name, but a different location (for example, "Access data sources across domains"). These can be differentiated by the "path" in the GUI (for example, "Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Access data sources across domains").

    Additionally, policies can be specified using the "name" and "id" attributes from the ADMX files.

    For Administrative Templates that have policy elements, each element can be specified using the text string as seen in the GUI or using the ID attribute from the ADMX file. Due to the way some of the GUI text is laid out, some policy element names could include descriptive text that appears before the policy element in the GUI.

    Use the get_policy_info function for the policy name to view the element ID/names that the module will accept.

  • user_policy (dict) -- The same setup as the computer_policy, except with data to configure the local user policy.
  • cumulative_rights_assignments (bool) --

    Determine how user rights assignment policies are configured.

    If True, user right assignment specifications are simply added to the existing policy.

    If False, only the users specified will get the right (any existing will have the right revoked).

  • adml_language (str) -- The language files to use for looking up Administrative Template policy data (i.e. how the policy is displayed in the GUI). Defaults to 'en-US' (U.S. English).
Returns:

True if successful, otherwise False

Return type:

bool

CLI Example:

salt '*' lgpo.set computer_policy="{'LockoutDuration': 2, 'RestrictAnonymous': 'Enabled', 'AuditProcessTracking': 'Success, Failure'}"
salt.modules.win_lgpo.set_computer_policy(name, setting, cumulative_rights_assignments=True, adml_language='en-US')

Set a single computer policy

Parameters:
  • name (str) -- The name of the policy to configure
  • setting (str) -- The setting to configure the named policy with
  • cumulative_rights_assignments (bool) -- Determine how user rights assignment policies are configured. If True, user right assignment specifications are simply added to the existing policy. If False, only the users specified will get the right (any existing will have the right revoked)
  • adml_language (str) -- The language files to use for looking up Administrative Template policy data (i.e. how the policy is displayed in the GUI). Defaults to 'en-US' (U.S. English).
Returns:

True if successful, otherwise False

Return type:

bool

CLI Example:

salt '*' lgpo.set_computer_policy LockoutDuration 1440
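
The following is an added example, not code from Salt or from this module: it models the cumulative_rights_assignments behaviour documented for set and set_computer_policy, to show which principals still hold a user right after the call. The helper names and the account names are hypothetical, constructed samples, and the code does not call Salt.

```python
# Added example: models the documented cumulative_rights_assignments semantics.
# It does not call Salt; helper names and accounts are constructed for illustration.


def _key(account):
    # Windows account names compare case-insensitively.
    return account.strip().lower()


def resulting_assignment(existing, requested, cumulative=True):
    """Principals holding a right after the set call, per the documented behaviour."""
    merged = {}
    if cumulative:
        # True: the requested principals are added to the existing policy.
        for acct in existing:
            merged.setdefault(_key(acct), acct)
    # Requested principals are granted in both modes; with False they are
    # the only holders, so every other existing holder is revoked.
    for acct in requested:
        merged.setdefault(_key(acct), acct)
    return sorted(merged.values(), key=_key)


def unmanaged_holders(existing, requested, cumulative=True):
    """Principals that keep the right although the requested list omits them."""
    wanted = {_key(a) for a in requested}
    return [a for a in resulting_assignment(existing, requested, cumulative)
            if _key(a) not in wanted]


# Constructed sample: current holders of one user right on a host, and the
# list an administrator passes as the policy setting.
EXISTING = ["BUILTIN\\Administrators", "CORP\\old-svc-backup"]
REQUESTED = ["builtin\\administrators", "CORP\\svc-backup"]

if __name__ == "__main__":
    for mode in (True, False):
        print("cumulative_rights_assignments=%s" % mode)
        print("  result   :", resulting_assignment(EXISTING, REQUESTED, mode))
        print("  leftovers:", unmanaged_holders(EXISTING, REQUESTED, mode))
```

With the default of True, an account that already held the right keeps it even though the requested list omits it, so a baseline that must be exhaustive needs cumulative_rights_assignments=False.
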
salt.modules.win_lgpo.set_user_policy(name, setting, adml_language='en-US')

Set a single user policy

Parameters:
  • name (str) -- The name of the policy to configure
  • setting (str) -- The setting to configure the named policy with
  • adml_language (str) -- The language files to use for looking up Administrative Template policy data (i.e. how the policy is displayed in the GUI). Defaults to 'en-US' (U.S. English).
Returns:

True if successful, otherwise False

Return type:

bool

CLI Example:

salt '*' lgpo.set_user_policy "Control Panel\Display\Disable the Display Control Panel" Enabled