New in version 2016.11.0.
This state allows configuring local Windows Group Policy.
The state can be used to ensure the setting of a single policy or multiple policies in one pass.
Single policies must specify the policy name, the setting, and the policy class (Machine/User/Both).
Example single policy configuration:

    Ensure Account Lockout Duration:
      lgpo.set:
        - name: Account lockout duration
        - setting: 90
        - policy_class: Machine

    Account lockout duration:
      lgpo.set:
        - setting: 120
        - policy_class: Machine
Multiple policy configuration:

    Company Local Group Policy:
      lgpo.set:
        - computer_policy:
            Deny log on locally:
              - Guest
            Account lockout duration: 120
            Account lockout threshold: 10
            Reset account lockout counter after: 120
            Enforce password history: 24
            Maximum password age: 60
            Minimum password age: 1
            Minimum password length: 14
            Password must meet complexity requirements: Enabled
            Store passwords using reversible encryption: Disabled
            Configure Automatic Updates:
              Configure automatic updating: 4 - Auto download and schedule the install
              Scheduled install day: 7 - Every Saturday
              # Quoted: an unquoted 17:00 is read by YAML 1.1 parsers as the integer 1020
              Scheduled install time: "17:00"
            Specify intranet Microsoft update service location:
              Set the intranet update service for detecting updates: http://mywsus
              Set the intranet statistics server: http://mywsus
        - user_policy:
            Do not process the legacy run list: Enabled

    # Names containing a backslash are single-quoted so that YAML keeps the
    # backslash literally; inside double quotes it would start an escape sequence.
    server_policy:
      lgpo.set:
        - computer_policy:
            Maximum password age: 60
            Minimum password age: 1
            Minimum password length: 14
            Account lockout duration: 120
            Account lockout threshold: 10
            Reset account lockout counter after: 120
            Manage auditing and security log:
              - 'BUILTIN\Administrators'
            Replace a process level token:
              - 'NT AUTHORITY\NETWORK SERVICE'
              - 'NT AUTHORITY\LOCAL SERVICE'
            "Accounts: Guest account status": Disabled
            "Accounts: Rename guest account": Not_4_U
            "Audit: Audit the use of Backup and Restore privilege": Enabled
            "Interactive logon: Do not display last user name": Enabled
            'Network\DNS Client\Dynamic update': Disabled
            'System\Logon\Do not display the Getting Started welcome screen at logon': Enabled
            'Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Select RDP transport protocols':
              "Select Transport Type": "Use both UDP and TCP"
            'Windows Components\Windows Update\Allow Automatic Updates immediate installation': Enabled
            'Windows Components\Windows Update\Allow non-administrators to receive update notifications': Disabled
            'Windows Components\Windows Update\Always automatically restart at the scheduled time':
              "The restart timer will give users this much time to save their work (minutes)": 15
            'Windows Components\Windows Update\Automatic Updates detection frequency':
              "Check for updates at the following interval (hours)": 1
            'Windows Components\Windows Update\Configure Automatic Updates':
              "Configure automatic updating": 4 - Auto download and schedule the install
              "Install during automatic maintenance": False
              "Scheduled install day": 7 - Every Saturday
              "Scheduled install time": "17:00"
            'Windows Components\Windows Update\Delay Restart for scheduled installations':
              "Wait the following period before proceeding with a scheduled restart (minutes)": 1
            'Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations': Disabled
            'Windows Components\Windows Update\Re-prompt for restart with scheduled installations':
              "Wait the following period before prompting again with a scheduled restart (minutes)": 30
            'Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations': Disabled
            'Windows Components\Windows Update\Specify intranet Microsoft update service location':
              "Set the intranet update service for detecting updates": http://mywsus
              "Set the intranet statistics server": http://mywsus
        - cumulative_rights_assignments: True

salt.states.win_lgpo.set_(name, setting=None, policy_class=None, computer_policy=None, user_policy=None, cumulative_rights_assignments=True, adml_language='en-US')

Ensure the specified policy is set.
Warning: The setting argument cannot be used in conjunction with the computer_policy or user_policy arguments.
name (str) -- The name of a single policy to configure.
setting (str, dict, list) -- The configuration setting for the single named policy. If this argument is used, the computer_policy / user_policy arguments will be ignored.
policy_class (str) -- The policy class of the single named policy to configure. This can be machine, user, or both.
computer_policy (dict) -- A dictionary containing the policy name and key/value pairs of a set of computer policies to configure. If this argument is used, the name / policy_class arguments will be ignored.
user_policy (dict) -- A dictionary containing the policy name and key/value pairs of a set of user policies to configure. If this argument is used, the name / policy_class arguments will be ignored.
cumulative_rights_assignments (bool) -- If user rights assignments are being configured, determines if any user right assignment policies specified will be cumulative or explicit.
adml_language (str) -- The ADML language to use for ADMX policy data/display conversions. Default is en-US.
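
The two modes of cumulative_rights_assignments side by side, as an added example that is not part of the Salt documentation. The state IDs are hypothetical, the policy names and accounts are the ones used in the examples on this page, and the comments assume that "cumulative" means the listed accounts are merged with the existing assignment while "explicit" means the list replaces it.

```yaml
# Added example; state IDs (rights_additive, rights_authoritative) are hypothetical.

# Cumulative (the default, True): the listed accounts are added to whatever
# already holds the right. An account that was granted the right out of band
# keeps it, so this mode cannot be used to prove who holds a privilege.
rights_additive:
  lgpo.set:
    - computer_policy:
        Deny log on locally:
          - Guest
    - cumulative_rights_assignments: True

# Explicit (False): the listed accounts become the complete assignment, so
# applying the state also removes any account that is not named here. This
# suits sensitive rights where the list should be authoritative.
# Single quotes keep the backslash in the account names literal.
rights_authoritative:
  lgpo.set:
    - computer_policy:
        Manage auditing and security log:
          - 'BUILTIN\Administrators'
        Replace a process level token:
          - 'NT AUTHORITY\NETWORK SERVICE'
          - 'NT AUTHORITY\LOCAL SERVICE'
    - cumulative_rights_assignments: False
```

Because the argument is set once per state, rights that need different modes go in separate lgpo.set states, as above.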