Manage DACLs on Windows
Depends: winreg Python module
win_dacl.add_ace
Add an ACE (access control entry) to an object
path (str) -- Path to the object (i.e. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY, etc)
objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)
user (str) -- User to add
permission (str) -- Permission for the user (READ, FULLCONTROL, etc)
acetype (str) -- Either ALLOW or DENY
propagation (str) -- How the ACE applies to children of Registry Keys and Directories (KEY, KEY&SUBKEYS, SUBKEYS for registry keys; FILES, FOLDERS, etc for directories)
CLI Example:
# allow domain\fakeuser full control on HKLM\SOFTWARE\somekey, propagated to this key and its subkeys
salt 'myminion' win_dacl.add_ace 'HKEY_LOCAL_MACHINE\SOFTWARE\somekey' 'Registry' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
win_dacl.check_ace
Check a path to verify that the specified ACE (access control entry) exists
path (str) -- Path to the file/reg key
objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)
user (str) -- User that the ACE is for
permission (str, optional) -- Permission to test for (READ, FULLCONTROL, etc). Default is None.
acetype (str, optional) -- The type of ACE (ALLOW or DENY). Default is None.
propagation (str, optional) -- The propagation type of the ACE (FILES, FOLDERS, KEY, KEY&SUBKEYS, SUBKEYS, etc). Default is None.
exactPermissionMatch (bool, optional) -- Require the ACE's permission to match exactly: if READ is specified, the user must have an ACE granting exactly READ, not FULLCONTROL (which includes READ). Without it, a user holding FULLCONTROL satisfies a READ check, so use it when auditing for over-privileged entries. Default is False.
Returns (dict): 'Exists' True if the ACE exists, False if it does not
CLI Example:
salt 'minion-id' win_dacl.check_ace 'c:\temp' directory <username> fullcontrol
win_dacl.check_inheritance
Check a specified path to verify whether inheritance is enabled on the object
Returns (dict): 'Inheritance' True if inheritance is enabled, False if it is not
CLI Example:
salt 'minion-id' win_dacl.check_inheritance 'c:\temp' directory <username>
DACL constants used throughout the module. Its helpers translate between the text values accepted on the command line and the bit values the win32security module works with:
return the acetype bit of a text value (ALLOW, DENY), and the textual representation of an acetype bit
return the bit value of a string object type (FILE, DIRECTORY, REGISTRY)
return the permission bit of a string permission value for the specified object type, and the textual representation of a permission bit for that object type
return the propagation bit of a text value, and the textual representation of a propagation bit
return the string value of an HKEY in the form the win32security module requires
process a path for a given object type: registry paths are returned with the correct HKEY text representation, file and directory paths with environment variables expanded
win_dacl.disable_inheritance
Disable inheritance on an object
Returns (dict): A dictionary containing the results
CLI Example:
salt 'minion-id' win_dacl.disable_inheritance 'c:\temp' directory
win_dacl.enable_inheritance
Enable inheritance on an object
Returns (dict): A dictionary containing the results
CLI Example:
salt 'minion-id' win_dacl.enable_inheritance 'c:\temp' directory
win_dacl.get
Get the ACL of an object. If a user is provided, only that user's ACEs are returned.
Returns (dict): A dictionary containing the ACL
CLI Example:
salt 'minion-id' win_dacl.get 'c:\temp' directory
win_dacl.rm_ace
Remove an ACE from an object
path (str) -- Path to the object (i.e. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY, etc)
objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)
user (str) -- User whose ACE is to be removed
permission (str, optional) -- Permission for the user (READ, FULLCONTROL, etc). Default is None.
acetype (str, optional) -- Either ALLOW or DENY. Default is None.
propagation (str, optional) -- How the ACE applies to children of Registry Keys and Directories (KEY, KEY&SUBKEYS, SUBKEYS). Default is None.
If any of the optional parameters are omitted (or set to None) they act as wildcards. Calling rm_ace with only path, objectType and user therefore removes every ACE for that user on the object, DENY entries included; pass acetype (and permission) when only a specific entry should go.
CLI Example:
# remove the ALLOW FULLCONTROL ACE for domain\fakeuser on HKLM\SOFTWARE\somekey that propagates to this key and its subkeys
salt 'myminion' win_dacl.rm_ace 'HKEY_LOCAL_MACHINE\SOFTWARE\somekey' 'Registry' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
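The two matching rules documented above, check_ace's exactPermissionMatch and rm_ace's treatment of omitted parameters as wildcards, decide whether an audit reports a FULLCONTROL holder as having READ and whether a cleanup also strips DENY entries. The Python below is an added example and is not code from Salt's win_dacl module: it reproduces those rules over a constructed ACE list using the standard Windows access masks from winnt.h (FILE_GENERIC_READ, FILE_ALL_ACCESS, KEY_READ, KEY_ALL_ACCESS), so it runs without Windows or pywin32. The permission-name table, the sample DACL and account names, and the choice to have rm_ace remove only ACEs whose mask equals the named permission are assumptions of the example, not documented module behaviour.

```python
"""Model of the win_dacl.check_ace / win_dacl.rm_ace matching rules.

Added example, not Salt code. A DACL is modelled as a list of dicts so the
script runs without Windows or pywin32; only the matching logic is exercised.
"""

# Standard Windows access masks (winnt.h values), not Salt identifiers.
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_WRITE = 0x120116
FILE_ALL_ACCESS = 0x1F01FF
KEY_READ = 0x20019
KEY_WRITE = 0x20006
KEY_ALL_ACCESS = 0xF003F

# Permission name -> access mask per objectType. Assumed mapping for this
# example; only the three names used below are covered.
PERMISSIONS = {
    "FILE": {"READ": FILE_GENERIC_READ, "WRITE": FILE_GENERIC_WRITE,
             "FULLCONTROL": FILE_ALL_ACCESS},
    "DIRECTORY": {"READ": FILE_GENERIC_READ, "WRITE": FILE_GENERIC_WRITE,
                  "FULLCONTROL": FILE_ALL_ACCESS},
    "REGISTRY": {"READ": KEY_READ, "WRITE": KEY_WRITE,
                 "FULLCONTROL": KEY_ALL_ACCESS},
}

# Constructed DACL for HKLM\SOFTWARE\somekey (sample data, not from a real host).
SAMPLE_DACL = [
    {"user": "domain\\fakeuser", "mask": KEY_ALL_ACCESS,
     "acetype": "ALLOW", "propagation": "KEY&SUBKEYS"},
    {"user": "domain\\fakeuser", "mask": KEY_READ,
     "acetype": "DENY", "propagation": "KEY"},
    {"user": "BUILTIN\\Users", "mask": KEY_READ,
     "acetype": "ALLOW", "propagation": "KEY&SUBKEYS"},
]


def _mask_for(object_type, permission):
    """Resolve a permission name to its access mask; None stays a wildcard."""
    if permission is None:
        return None
    return PERMISSIONS[object_type.upper()][permission.upper()]


def ace_matches(ace, user, mask=None, acetype=None, propagation=None, exact=False):
    """Return True if one ACE satisfies the criteria.

    None criteria are wildcards. Windows account names are case-insensitive,
    so the user compare is too. With exact=False a permission matches when
    its bits are contained in the ACE mask, so an ACE granting FULLCONTROL
    satisfies a READ check; exact=True requires the masks to be identical.
    """
    if ace["user"].lower() != user.lower():
        return False
    if acetype is not None and ace["acetype"] != acetype.upper():
        return False
    if propagation is not None and ace["propagation"] != propagation.upper():
        return False
    if mask is None:
        return True
    if exact:
        return ace["mask"] == mask
    return ace["mask"] & mask == mask


def check_ace(dacl, object_type, user, permission=None, acetype=None,
              propagation=None, exact_permission_match=False):
    """Mirror of check_ace's documented result: {'Exists': True/False}."""
    mask = _mask_for(object_type, permission)
    exists = any(ace_matches(a, user, mask, acetype, propagation,
                             exact_permission_match) for a in dacl)
    return {"Exists": exists}


def rm_ace(dacl, object_type, user, permission=None, acetype=None, propagation=None):
    """Return (remaining DACL, number of ACEs removed) without mutating dacl.

    Every optional criterion left as None is a wildcard, so with only user
    given this strips all of that user's ACEs, DENY entries included. The
    example removes only ACEs whose mask equals the named permission (exact
    match); that is an assumption about the module's own comparison.
    """
    mask = _mask_for(object_type, permission)
    kept = [a for a in dacl
            if not ace_matches(a, user, mask, acetype, propagation, exact=True)]
    return kept, len(dacl) - len(kept)


if __name__ == "__main__":
    user = "domain\\fakeuser"
    # A READ check is satisfied by the FULLCONTROL ACE unless an exact match is required.
    print(check_ace(SAMPLE_DACL, "REGISTRY", user, "READ", "ALLOW"))
    print(check_ace(SAMPLE_DACL, "REGISTRY", user, "READ", "ALLOW",
                    exact_permission_match=True))
    # Wildcard removal takes the DENY ACE along with the ALLOW one.
    remaining, removed = rm_ace(SAMPLE_DACL, "REGISTRY", user)
    print(removed, [a["user"] for a in remaining])
    # Restricting to ALLOW leaves the DENY ACE in place.
    remaining, removed = rm_ace(SAMPLE_DACL, "REGISTRY", user, acetype="ALLOW")
    print(removed, [(a["user"], a["acetype"]) for a in remaining])
```

When using the real module, run check_ace with exactPermissionMatch both ways and compare: a user who passes the loose check but fails the strict one holds a broader right than the one you asked about, which is usually the finding that matters.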