salt.modules.win_dacl

Manage DACLs on Windows

depends:
  • winreg Python module

salt.modules.win_dacl.add_ace(path, objectType, user, permission, acetype, propagation)

Add an ace to an object

Parameters:
  • path (str) -- Path to the object (e.g. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY)

  • objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)

  • user (str) -- User to add

  • permission (str) -- Permission to grant or deny the user (READ, FULLCONTROL, etc.)

  • acetype (str) -- Whether the ACE allows or denies the permission (ALLOW, DENY)

  • propagation (str) -- How the ACE applies to the children of registry keys and directories (KEY, KEY&SUBKEYS, SUBKEYS)

CLI Example:

# allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey, propagate to this key and subkeys
salt 'myminion' win_dacl.add_ace 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'Registry' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'

salt.modules.win_dacl.check_ace(path, objectType, user, permission=None, acetype=None, propagation=None, exactPermissionMatch=False)

Checks whether the specified ACE (access control entry) exists on a path

Parameters:
  • path (str) -- Path to the file/reg key

  • objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)

  • user (str) -- User that the ACL is for

  • permission (str, optional) -- Permission to test for (READ, FULLCONTROL, etc). Default is None.

  • acetype (str, optional) -- The type of ACE (ALLOW or DENY). Default is None.

  • propagation (str, optional) -- The propagation type of the ACE (FILES, FOLDERS, KEY, KEY&SUBKEYS, SUBKEYS, etc). Default is None.

  • exactPermissionMatch (bool, optional) -- The ACE must match exactly, i.e. if READ is specified, the user must have exactly READ and not FULLCONTROL (which also includes the READ permission). Default is False.

Returns (dict): 'Exists' is True if the ACE exists, False if it does not

CLI Example:

salt 'minion-id' win_dacl.check_ace 'c:\temp' directory <username> fullcontrol

salt.modules.win_dacl.check_inheritance(path, objectType, user=None)

Check a specified path to verify if inheritance is enabled

Parameters:
  • path (str) -- path of the registry key or file system object to check

  • objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)

  • user (str, optional) -- If provided, only the ACEs for that user are considered. Default is None.

Returns (bool): 'Inheritance', True or False

CLI Example:

salt 'minion-id' win_dacl.check_inheritance 'c:\temp' directory <username>

class salt.modules.win_dacl.daclConstants

DACL constants used throughout the module

getAceTypeBit(t)

returns the acetype bit of a text value

getAceTypeText(t)

returns the textual representation of an acetype bit

getObjectTypeBit(t)

returns the bit value of the string object type

getPermissionBit(t, m)

returns a permission bit of the string permission value for the specified object type

getPermissionText(t, m)

returns the permission textual representation of a specified permission bit/object type

getPropagationBit(t, p)

returns the propagation bit of a text value

getPropagationText(t, p)

returns the textual representation of a propagation bit

getSecurityHkey(s)

returns the necessary string value for an HKEY for the win32security module

processPath(path, objectType)

processes a path/object type combo and returns:
  • registry types with the correct HKEY text representation

  • files/directories with environment variables expanded

salt.modules.win_dacl.disable_inheritance(path, objectType, copy=True)

Disable inheritance on an object

Parameters:
  • path (str) -- The path to the object

  • objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)

  • copy (bool, optional) -- True will copy the Inherited ACEs to the DACL before disabling inheritance. Default is True.

Returns (dict): A dictionary containing the results

CLI Example:

salt 'minion-id' win_dacl.disable_inheritance 'c:\temp' directory

salt.modules.win_dacl.enable_inheritance(path, objectType, clear=False)

Enable inheritance on an object

Parameters:
  • path (str) -- The path to the object

  • objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)

  • clear (bool, optional) -- True will remove the non-inherited (explicit) ACEs from the ACL. Default is False.

Returns (dict): A dictionary containing the results

CLI Example:

salt 'minion-id' win_dacl.enable_inheritance 'c:\temp' directory

salt.modules.win_dacl.get(path, objectType, user=None)

Get the ACL of an object. Will filter by user if one is provided.

Parameters:
  • path (str) -- The path to the object

  • objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)

  • user (str, optional) -- A username to filter by. Default is None.

Returns (dict): A dictionary containing the ACL

CLI Example:

salt 'minion-id' win_dacl.get 'c:\temp' directory

salt.modules.win_dacl.rm_ace(path, objectType, user, permission=None, acetype=None, propagation=None)

Remove an ACE from an object

Parameters:
  • path (str) -- Path to the object (e.g. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY)

  • objectType (str) -- The type of object (FILE, DIRECTORY, REGISTRY)

  • user (str) -- User to remove

  • permission (str, optional) -- Permission of the ACE to remove. Default is None.

  • acetype (str, optional) -- Whether the ACE allows or denies the permission (ALLOW, DENY). Default is None.

  • propagation (str, optional) -- How the ACE applies to the children of registry keys and directories (KEY, KEY&SUBKEYS, SUBKEYS). Default is None.

If any of the optional parameters are omitted (or set to None) they act as wildcards.

CLI Example:

# Remove the ACE allowing domain\fakeuser full control on HKLM\\SOFTWARE\\somekey, propagated to this key and subkeys
salt 'myminion' win_dacl.rm_ace 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'Registry' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
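The matching rules shared by check_ace and rm_ace (every omitted parameter is a wildcard, and exactPermissionMatch decides whether a FULLCONTROL entry satisfies a READ query) and the copy/clear options of disable_inheritance and enable_inheritance are easier to see on data than in prose. The following is an added illustration, not code from salt.modules.win_dacl: it models a DACL as a list of constructed dicts and applies the documented semantics to it. The field names, the sample ACL, the propagation strings and the rule that rm_ace leaves inherited entries alone are assumptions made for this example; the real module reads and writes the DACL through win32security.

```python
"""Toy model of win_dacl ACE matching semantics (added illustration, not Salt code).

The ACL is a list of dicts constructed here; the real module works on the
object's DACL through win32security.  Field names, propagation strings and
the rule that rm_ace skips inherited entries are assumptions for this example.
"""

# Standard Windows file access masks, used to show why a FULLCONTROL ACE
# satisfies a READ query unless an exact permission match is requested.
PERMISSION_BITS = {
    "READ": 0x120089,         # FILE_GENERIC_READ
    "WRITE": 0x120116,        # FILE_GENERIC_WRITE
    "EXECUTE": 0x1200A0,      # FILE_GENERIC_EXECUTE
    "FULLCONTROL": 0x1F01FF,  # FILE_ALL_ACCESS
}


def make_ace(user, permission, acetype, propagation, inherited=False):
    """Build one ACE record (constructed layout, not the module's)."""
    return {
        "user": user,
        "mask": PERMISSION_BITS[permission.upper()],
        "acetype": acetype.upper(),
        "propagation": propagation.upper(),
        "inherited": inherited,
    }


# Constructed sample DACL for a directory: one ACE inherited from the parent
# and two explicit ACEs for DOMAIN\fakeuser.
SAMPLE_ACL = [
    make_ace("DOMAIN\\admin", "FULLCONTROL", "ALLOW", "FOLDERS", inherited=True),
    make_ace("DOMAIN\\fakeuser", "READ", "ALLOW", "FILES"),
    make_ace("DOMAIN\\fakeuser", "WRITE", "DENY", "FILES"),
]


def ace_matches(ace, user, permission=None, acetype=None, propagation=None,
                exact_permission_match=False):
    """Apply the documented matching rules to a single ACE.

    Each optional argument left as None is a wildcard.  With
    exact_permission_match=False an ACE matches when its mask contains all of
    the requested rights (so FULLCONTROL matches READ); with True the mask
    must be identical.
    """
    if ace["user"].lower() != user.lower():
        return False
    if permission is not None:
        wanted = PERMISSION_BITS[permission.upper()]
        if exact_permission_match:
            if ace["mask"] != wanted:
                return False
        elif ace["mask"] & wanted != wanted:
            return False
    if acetype is not None and ace["acetype"] != acetype.upper():
        return False
    if propagation is not None and ace["propagation"] != propagation.upper():
        return False
    return True


def check_ace(acl, user, permission=None, acetype=None, propagation=None,
              exact_permission_match=False):
    """Same return shape as the module's check_ace: {'Exists': bool}."""
    exists = any(ace_matches(a, user, permission, acetype, propagation,
                             exact_permission_match) for a in acl)
    return {"Exists": exists}


def rm_ace(acl, user, permission=None, acetype=None, propagation=None):
    """Remove every explicit ACE matching the (wildcard-capable) filter.

    Inherited ACEs are kept (assumption: they belong to the parent and are
    controlled through inheritance).  Returns (new_acl, number_removed).
    """
    kept = [a for a in acl
            if a["inherited"] or not ace_matches(a, user, permission, acetype, propagation)]
    return kept, len(acl) - len(kept)


def disable_inheritance(acl, copy=True):
    """copy=True turns inherited ACEs into explicit ones; copy=False drops
    them, which can leave the object with far fewer effective grants."""
    result = []
    for a in acl:
        if a["inherited"] and not copy:
            continue
        result.append(dict(a, inherited=False))
    return result


def enable_inheritance(acl, clear=False):
    """clear=True removes the explicit ACEs so only inherited ones remain.
    (No parent exists in this model, so nothing is re-propagated.)"""
    return [a for a in acl if a["inherited"] or not clear]


if __name__ == "__main__":
    print(check_ace(SAMPLE_ACL, "domain\\admin", "READ"))
    print(check_ace(SAMPLE_ACL, "domain\\admin", "READ", exact_permission_match=True))
    print(rm_ace(SAMPLE_ACL, "DOMAIN\\fakeuser", acetype="DENY"))
```

Run as a script it prints the two check_ace results for DOMAIN\admin (True without, False with the exact match) and the ACL left after removing only the DENY entry. The exact-match flag is what you want when auditing that a user holds no more than a given right; the inclusive default answers the different question of whether the user has at least that right.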