salt.states.win_lgpo module

Manage Windows Local Group Policy

New in version 2016.11.0.

This state allows configuring local Windows Group Policy.

The state can be used to ensure the setting of a single policy or multiple policies in one pass.

Single policies must specify the policy name, the setting, and the policy class (Machine/User/Both).

Example single policy configuration

Ensure Account Lockout Duration:
  lgpo.set:
    - name: Account lockout duration
    - setting: 90
    - policy_class: Machine

Account lockout duration:
  lgpo.set:
    - setting: 120
    - policy_class: Machine

Multiple policy configuration

Company Local Group Policy:
    lgpo.set:
        - computer_policy:
            Deny log on locally:
              - Guest
            Account lockout duration: 120
            Account lockout threshold: 10
            Reset account lockout counter after: 120
            Enforce password history: 24
            Maximum password age: 60
            Minimum password age: 1
            Minimum password length: 14
            Password must meet complexity requirements: Enabled
            Store passwords using reversible encryption: Disabled
            Configure Automatic Updates:
                Configure automatic updating: 4 - Auto download and schedule the install
                Scheduled install day: 7 - Every Saturday
                Scheduled install time: 17:00
            Specify intranet Microsoft update service location:
                Set the intranet update service for detecting updates: http://mywsus
                Set the intranet statistics server: http://mywsus
        - user_policy:
            Do not process the legacy run list: Enabled

server_policy:
  lgpo.set:
    - computer_policy:
        Maximum password age: 60
        Minimum password age: 1
        Minimum password length: 14
        Account lockout duration: 120
        Account lockout threshold: 10
        Reset account lockout counter after: 120
        Manage auditing and security log:
          - "BUILTIN\\Administrators"
        Replace a process level token:
          - "NT AUTHORITY\\NETWORK SERVICE"
          - "NT AUTHORITY\\LOCAL SERVICE"
        "Accounts: Guest account status": Disabled
        "Accounts: Rename guest account": Not_4_U
        "Audit: Audit the use of Backup and Restore privilege": Enabled
        "Interactive logon: Do not display last user name": Enabled
        "Network\\DNS Client\\Dynamic update": Disabled
        "System\\Logon\\Do not display the Getting Started welcome screen at logon": Enabled
        "Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Select RDP transport protocols":
            "Select Transport Type": "Use both UDP and TCP"
        "Windows Components\\Windows Update\\Allow Automatic Updates immediate installation": Enabled
        "Windows Components\\Windows Update\\Allow non-administrators to receive update notifications": Disabled
        "Windows Components\\Windows Update\\Always automatically restart at the scheduled time":
            "The restart timer will give users this much time to save their work (minutes)": 15
        "Windows Components\\Windows Update\\Automatic Updates detection frequency":
            "Check for updates at the following interval (hours)": 1
        "Windows Components\\Windows Update\\Configure Automatic Updates":
            "Configure automatic updating": 4 - Auto download and schedule the install
            "Install during automatic maintenance": False
            "Scheduled install day": 7 - Every Saturday
            "Scheduled install time": "17:00"
        "Windows Components\\Windows Update\\Delay Restart for scheduled installations":
            "Wait the following period before proceeding with a scheduled restart (minutes)": 1
        "Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations": Disabled
        "Windows Components\\Windows Update\\Re-prompt for restart with scheduled installations":
            "Wait the following period before prompting again with a scheduled restart (minutes)": 30
        "Windows Components\\Windows Update\\Reschedule Automatic Updates scheduled installations": Disabled
        "Windows Components\\Windows Update\\Specify intranet Microsoft update service location":
            "Set the intranet update service for detecting updates": http://mywsus
            "Set the intranet statistics server": http://mywsus
    - cumulative_rights_assignments: True

salt.states.win_lgpo.set_(name, setting=None, policy_class=None, computer_policy=None, user_policy=None, cumulative_rights_assignments=True, adml_language='en-US')

Ensure the specified policy is set.

Warning

The setting argument cannot be used in conjunction with the computer_policy or user_policy arguments.

Parameters
  • name (str) -- The name of a single policy to configure

  • setting (str, dict, list) -- The configuration setting for the single named policy. If this argument is used, the computer_policy / user_policy arguments will be ignored.

  • policy_class (str) -- The policy class of the single named policy to configure. This can be machine, user, or both.

  • computer_policy (dict) -- A dictionary containing the policy name and key/value pairs of a set of computer policies to configure. If this argument is used, the name / policy_class arguments will be ignored.

  • user_policy (dict) -- A dictionary containing the policy name and key/value pairs of a set of user policies to configure. If this argument is used, the name / policy_class arguments will be ignored.

  • cumulative_rights_assignments (bool) -- If user rights assignments are being configured, determines if any user right assignment policies specified will be cumulative or explicit.

  • adml_language (str) -- The adml language to use for ADMX policy data/display conversions. Default is en-US.
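
A pre-deployment check for the argument rules above, as an added example that is not part of Salt or its documentation. `lint_lgpo_states` and `SAMPLE_SLS` are hypothetical names, the input is SLS data already rendered to Python dicts, and treating list-valued computer policies as user rights assignments is an assumption based on the examples on this page.

```python
VALID_CLASSES = {"machine", "user", "both"}  # compared case-insensitively (assumption)


def lint_lgpo_states(sls):
    """Return sorted (state_id, finding) pairs for lgpo.set declarations.

    sls: rendered SLS data, {state_id: {"lgpo.set": [{arg: value}, ...]}}.
    """
    findings = []
    for state_id, body in sls.items():
        if "lgpo.set" not in body:
            continue
        args = {}
        for item in body["lgpo.set"] or []:  # arguments arrive as one-key dicts
            args.update(item)
        bulk = [k for k in ("computer_policy", "user_policy") if k in args]
        if "setting" in args and bulk:
            # The documented warning: these arguments cannot be combined.
            findings.append((state_id, "setting combined with " + "/".join(bulk)))
        elif "setting" in args:
            if str(args.get("policy_class", "")).lower() not in VALID_CLASSES:
                findings.append((state_id, "policy_class must be Machine, User or Both"))
        elif not bulk:
            findings.append((state_id, "no setting, computer_policy or user_policy"))
        # Assumption: list-valued computer policies are user rights assignments.
        policies = args.get("computer_policy") or {}
        rights = sorted(n for n, v in policies.items() if isinstance(v, list))
        if rights and args.get("cumulative_rights_assignments", True):
            findings.append((state_id, "cumulative rights assignment: " + ", ".join(rights)))
    return sorted(findings)


# Constructed sample in the shapes used on this page.
SAMPLE_SLS = {
    "Account lockout duration": {
        "lgpo.set": [{"setting": 120}, {"policy_class": "Machine"}]},
    "mixed_up": {
        "lgpo.set": [{"name": "Account lockout threshold"}, {"setting": 10},
                     {"computer_policy": {"Minimum password length": 14}}]},
    "server_policy": {
        "lgpo.set": [{"computer_policy": {
            "Minimum password length": 14,
            "Replace a process level token": ["NT AUTHORITY\\NETWORK SERVICE"]}}]},
    "explicit_rights": {
        "lgpo.set": [{"computer_policy": {"Deny log on locally": ["Guest"]}},
                     {"cumulative_rights_assignments": False}]},
}

if __name__ == "__main__":
    for state_id, finding in lint_lgpo_states(SAMPLE_SLS):
        print(f"{state_id}: {finding}")
```

The cumulative finding is informational: with the default of True, principals that already hold the right keep it, so a baseline that must be authoritative sets cumulative_rights_assignments to False.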