salt.modules.win_lgpo module
Manage Local Policy on Windows
New in version 2016.11.0.
This module allows configuring local group policy (i.e. gpedit.msc) on a
Windows server.
Administrative Templates
Administrative template policies are dynamically read from ADMX/ADML files on
the server.
Windows Settings
Policies contained in the "Windows Settings" section of the gpedit.msc GUI
are statically defined in this module. Each policy is configured for the section
(Machine/User) in the module's _policy_info class. The _policy_info class
contains a "policies" dict that describes how the module will configure the policy,
where the policy resides in the GUI (for display purposes), data validation data,
data transformation data, etc.
Current known limitations
- At this time, start/shutdown scripts policies are displayed, but are not
configurable.
- Not all "Security Settings" policies exist in the _policy_info class.
depends: |
- pywin32 Python module
- lxml
- uuid
- codecs
- struct
- salt.modules.reg
|
salt.modules.win_lgpo.get(policy_class=None, return_full_policy_names=True, hierarchical_return=False, adml_language='en-US', return_not_configured=False)
Get a policy value
Parameters: |
- policy_class (str) -- Some policies exist in both the user and computer classes. By default all policies
will be pulled, but this can be used to retrieve only a specific
policy class:
User/USER/user = retrieve user policies
Machine/MACHINE/machine/Computer/COMPUTER/computer = retrieve
machine/computer policies
- return_full_policy_names (bool) -- True/False to return the policy name as it is seen in the
gpedit.msc GUI or to only return the policy key/id.
- hierarchical_return (bool) -- True/False to return the policy data in the hierarchy as seen in the
gpedit.msc GUI. The default of False will return data split only
into User/Computer configuration sections
- adml_language (str) -- The ADML language to use for processing display/descriptive names
and enumeration values of ADMX template data, defaults to en-US
- return_not_configured (bool) -- Include Administrative Template policies that are 'Not Configured'
in the return data
|
Returns: | A dictionary containing the policy values for the specified class
|
Return type: | dict
|
CLI Example:
salt '*' lgpo.get machine return_full_policy_names=True
salt.modules.win_lgpo.get_policy_info(policy_name, policy_class, adml_language='en-US')
Returns information about a specified policy
Parameters: |
- policy_name (str) -- The name of the policy to lookup
- policy_class (str) -- The class of policy, i.e. machine, user, both
- adml_language (str) -- The ADML language to use for Administrative Template data lookup
|
Returns: | Information about the specified policy
|
Return type: | dict
|
CLI Example:
salt '*' lgpo.get_policy_info 'Maximum password age' machine
salt.modules.win_lgpo.set(computer_policy=None, user_policy=None, cumulative_rights_assignments=True, adml_language='en-US')
Set a local server policy.
Parameters: |
- computer_policy (dict) --
A dictionary of "policyname: value" pairs of computer policies to
set. 'value' should be how it is displayed in the gpedit GUI, i.e.
if a setting can be 'Enabled'/'Disabled', then that should be passed.
Administrative Template data may require dicts within dicts, to
specify each element of the Administrative Template policy.
Administrative Templates policies are always cumulative.
Policy names can be specified in a number of ways based on the type
of policy:
Windows Settings Policies:
These policies can be specified using the GUI display name
or the key name from the _policy_info class in this module.
The GUI display name is also contained in the _policy_info
class in this module.
Administrative Template Policies:
These can be specified using the policy name as displayed in
the GUI (case sensitive). Some policies have the same name,
but a different location (for example, "Access data sources
across domains"). These can be differentiated by the "path"
in the GUI (for example, "Windows Components\Internet
Explorer\Internet Control Panel\Security Page\Internet
Zone\Access data sources across domains").
Additionally, policies can be specified using the "name" and
"id" attributes from the ADMX files.
For Administrative Templates that have policy elements, each
element can be specified using the text string as seen in
the GUI or using the ID attribute from the ADMX file. Due to
the way some of the GUI text is laid out, some policy
element names could include descriptive text that appears
before the policy element in the GUI.
Use the get_policy_info function for the policy name to view
the element ID/names that the module will accept.
- user_policy (dict) -- The same setup as the computer_policy, except with data to configure
the local user policy.
- cumulative_rights_assignments (bool) --
Determine how user rights assignment policies are configured.
If True, user right assignment specifications are simply added to
the existing policy.
If False, only the users specified will get the right (any existing
will have the right revoked).
- adml_language (str) -- The language files to use for looking up Administrative Template
policy data (i.e. how the policy is displayed in the GUI). Defaults
to 'en-US' (U.S. English).
|
Returns: | True if successful, otherwise False
|
Return type: | bool
|
CLI Example:
salt '*' lgpo.set computer_policy="{'LockoutDuration': 2, 'RestrictAnonymous': 'Enabled', 'AuditProcessTracking': 'Success, Failure'}"
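The difference between the two cumulative_rights_assignments modes, as an added example that is not part of the Salt documentation or the module's code: it models the behaviour described above on constructed data and does not call Salt. The helper names, the sample accounts and the case-insensitive account matching are assumptions of the example; the right names are standard Windows privilege constants used as sample keys.

```python
# Added example: a model of cumulative_rights_assignments, not Salt code.

def _index(accounts):
    # Assumption: account names are compared case-insensitively.
    return {name.casefold(): name for name in accounts}


def effective_rights(current, requested, cumulative=True):
    """Holders of each right after applying `requested` to `current`.

    cumulative=True  -> requested accounts are added to the existing holders.
    cumulative=False -> only the requested accounts keep the right.
    Rights not named in `requested` are left as they are (assumption).
    """
    result = {right: _index(holders) for right, holders in current.items()}
    for right, accounts in requested.items():
        wanted = _index(accounts)
        if cumulative:
            merged = dict(result.get(right, {}))
            for key, name in wanted.items():
                merged.setdefault(key, name)  # keep the existing spelling
            result[right] = merged
        else:
            result[right] = wanted
    return {right: sorted(idx.values()) for right, idx in result.items()}


def unexpected_holders(current, baseline, cumulative=True):
    """Accounts that still hold a right the baseline does not grant them."""
    after = effective_rights(current, baseline, cumulative)
    report = {}
    for right, wanted in baseline.items():
        allowed = set(_index(wanted))
        extra = [a for a in after[right] if a.casefold() not in allowed]
        if extra:
            report[right] = extra
    return report


# Constructed sample state: one stale vendor account holds an RDP logon right.
CURRENT = {
    "SeRemoteInteractiveLogonRight": ["Administrators", "Remote Desktop Users", "EXAMPLE\\temp-vendor"],
    "SeBackupPrivilege": ["Administrators", "Backup Operators"],
}
BASELINE = {"SeRemoteInteractiveLogonRight": ["administrators"]}

print("cumulative=True :", unexpected_holders(CURRENT, BASELINE, True))
print("cumulative=False:", unexpected_holders(CURRENT, BASELINE, False))
```

With the default of True, applying a baseline leaves previously granted accounts in place, so enforcing an exact list of holders requires cumulative_rights_assignments=False.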
salt.modules.win_lgpo.set_computer_policy(name, setting, cumulative_rights_assignments=True, adml_language='en-US')
Set a single computer policy
Parameters: |
- name (str) -- The name of the policy to configure
- setting (str) -- The setting to configure the named policy with
- cumulative_rights_assignments (bool) -- Determine how user rights
assignment policies are configured. If True, user right assignment
specifications are simply added to the existing policy. If False,
only the users specified will get the right (any existing will have
the right revoked)
- adml_language (str) -- The language files to use for looking up
Administrative Template policy data (i.e. how the policy is
displayed in the GUI). Defaults to 'en-US' (U.S. English).
|
Returns: | True if successful, otherwise False
|
Return type: | bool
|
CLI Example:
salt '*' lgpo.set_computer_policy LockoutDuration 1440
salt.modules.win_lgpo.set_user_policy(name, setting, adml_language='en-US')
Set a single user policy
Parameters: |
- name (str) -- The name of the policy to configure
- setting (str) -- The setting to configure the named policy with
- adml_language (str) -- The language files to use for looking up Administrative Template
policy data (i.e. how the policy is displayed in the GUI). Defaults
to 'en-US' (U.S. English).
|
Returns: | True if successful, otherwise False
|
Return type: | bool
|
CLI Example:
salt '*' lgpo.set_user_policy "Control Panel\Display\Disable the Display Control Panel" Enabled