salt.states.win_lgpo¶
Manage Windows Local Group Policy¶
New in version 2016.11.0.
This state module allows you to configure local Group Policy on Windows. You can ensure the setting of a single policy or multiple policies in one pass.
Single policies must specify the policy name, the setting, and the policy class (Machine/User/Both). Here are some examples for setting a single policy setting.
Example single policy configuration:
Ensure Account Lockout Duration:
lgpo.set:
- name: Account lockout duration
- setting: 90
- policy_class: Machine
Example using abbreviated form:
Account lockout duration:
lgpo.set:
- setting: 120
- policy_class: Machine
It is also possible to set multiple policies in a single state. This is done by setting the settings under either computer_policy or user_policy. Here are some examples for setting multiple policy settings in a single state.
Multiple policy configuration
Company Local Group Policy:
lgpo.set:
- computer_policy:
Deny log on locally:
- Guest
Account lockout duration: 120
Account lockout threshold: 10
Reset account lockout counter after: 120
Enforce password history: 24
Maximum password age: 60
Minimum password age: 1
Minimum password length: 14
Password must meet complexity requirements: Enabled
Store passwords using reversible encryption: Disabled
Configure Automatic Updates:
Configure automatic updating: 4 - Auto download and schedule the intsall
Scheduled install day: 7 - Every Saturday
Scheduled install time: 17:00
Specify intranet Microsoft update service location:
Set the intranet update service for detecting updates: http://mywsus
Set the intranet statistics server: http://mywsus
- user_policy:
Do not process the legacy run list: Enabled
server_policy:
lgpo.set:
- computer_policy:
Maximum password age: 60
Minimum password age: 1
Minimum password length: 14
Account lockout duration: 120
Account lockout threshold: 10
Reset account lockout counter after: 120
Manage auditing and security log:
- "BUILTIN\\Administrators"
Replace a process level token:
- "NT AUTHORITY\\NETWORK SERVICE"
- "NT AUTHORITY\\LOCAL SERVICE"
"Accounts: Guest account status": Disabled
"Accounts: Rename guest account": Not_4_U
"Audit: Audit the use of Backup and Restore privilege": Enabled
"Interactive logon: Do not display last user name": Enabled
"Network\\DNS Client\\Dynamic update": Disabled
"System\\Logon\\Do not display the Getting Started welcome screen at logon": Enabled
"Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Select RDP transport protocols":
"Select Transport Type": "Use both UDP and TCP"
"Windows Components\\Windows Update\\Allow Automatic Updates immediate installation": Enabled
"Windows Components\\Windows Update\\Allow non-administrators to receive update notifications": Disabled
"Windows Components\\Windows Update\\Always automatically restart at the scheduled time":
"The restart timer will give users this much time to save their work (minutes)": 15
"Windows Components\\Windows Update\\Automatic Updates detection frequency":
"Check for updates at the following interval (hours)": 1
"Windows Components\\Windows Update\\Configure Automatic Updates":
"Configure automatic updating": 4 - Auto download and schedule the install
"Install during automatic maintenance": False
"Scheduled install day": 7 - Every Saturday
"Scheduled install time": "17:00"
"Windows Components\\Windows Update\\Delay Restart for scheduled installations":
"Wait the following period before proceeding with a scheduled restart (minutes)": 1
"Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations": Disabled
"Windows Components\\Windows Update\\Re-prompt for restart with scheduled installations":
"Wait the following period before prompting again with a scheduled restart (minutes)": 30
"Windows Components\\Windows Update\\Reschedule Automatic Updates scheduled installations": Disabled
"Windows Components\\Windows Update\\Specify intranet Microsoft update service location":
"Set the intranet update service for detecting updates": http://mywsus
"Set the intranet statistics server": http://mywsus
- cumulative_rights_assignments: True
Some policy settings can't be set on their own an require that other policy
settings are set at the same time. It can be difficult to figure out what
additional settings need to be applied. The easiest way to do this is to
modify the setting manually using the Group Policy Editor (`gpedit.msc`) on
the machine. Then `get` the policy settings configured on that machine. Use
the following command:
.. code-block:: bash
salt-call --local lgpo.get machine
For example, if I want to set the Windows Update settings for a Windows
Server 2016 machine I would go into the Group Policy Editor (`gpedit.msc`)
and configure the group policy. That policy can be found at: Computer
Configuration -> Administrative Templates -> Windows Components -> Windows
Update -> Configure Automatic Updates. You have the option to "Enable" the
policy and set some configuration options. In this example, just click
"Enable" and accept the default configuration options. Click "OK" to apply
the setting.
Now run the `get` command as shown above. You will find the following in
the minion return:
.. code-block:: bash
Windows Components\Windows Update\Configure Automatic Updates:
----------
Configure automatic updating:
3 - Auto download and notify for install
Install during automatic maintenance:
False
Install updates for other Microsoft products:
False
Scheduled install day:
0 - Every day
Scheduled install time:
03:00
This shows you that to enable the "Configure Automatic Updates" policy you
also have to configure the following settings:
- Configure automatic updating
- Install during automatic maintenance
- Install updates for other Microsoft products
- Scheduled install day
- Scheduled install time
So, if you were writing a state for the above policy, it would look like
this:
.. code-block:: bash
configure_windows_update_settings:
lgpo.set:
- computer_policy:
Configure Automatic Updates:
Configure automatic updating: 3 - Auto download and notify for install
Install during automatic maintenance: False
Install updates for other Microsoft products: False
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
.. note::
It is important that you put names of policies and settings exactly as
they are displayed in the return. That includes capitalization and
punctuation such as periods, dashes, etc. This rule applies to both
the setting name and the setting value.
.. warning::
From time to time Microsoft updates the Administrative templates on the
machine. This can cause the policy name to change or the list of
settings that must be applied at the same time. These settings often
change between versions of Windows as well. For example, Windows Server
2019 allows you to also specify a specific week of the month to apply
the update.
Another thing note is the long policy name returned by the `get` function:
.. code-block:: bash
Windows Components\Windows Update\Configure Automatic Updates:
When we wrote the state for this policy we only used the final portion of
the policy name, `Configure Automatic Updates`. This usually works fine, but
if you are having problems, you may try the long policy name.
When writing the long name in a state file either wrap the name in single
quotes to make yaml see it as raw data, or escape the back slashes.
.. code-block:: bash
'Windows Components\Windows Update\Configure Automatic Updates:'
or
Windows Components\\Windows Update\\Configure Automatic Updates:
- salt.states.win_lgpo.set_(name, setting=None, policy_class=None, computer_policy=None, user_policy=None, cumulative_rights_assignments=True, adml_language='en-US', refresh_cache=False)¶
Ensure the specified policy is set.
Warning
The
settingargument cannot be used in conjunction with thecomputer_policyoruser_policyarguments- Parameters:
name (str) -- The name of a single policy to configure
setting (str, dict, list) -- The configuration setting for the single named policy. If this argument is used the
computer_policy/user_policyarguments will be ignoredpolicy_class (str) -- The policy class of the single named policy to configure. This can
machine,user, orbothcomputer_policy (dict) -- A dictionary of containing the policy name and key/value pairs of a set of computer policies to configure. If this argument is used, the
name/policy_classarguments will be ignoreduser_policy (dict) -- A dictionary of containing the policy name and key/value pairs of a set of user policies to configure. If this argument is used, the
name/policy_classarguments will be ignoredcumulative_rights_assignments (bool) -- If user rights assignments are being configured, determines if any user right assignment policies specified will be cumulative or explicit
adml_language (str) -- The adml language to use for AMDX policy data/display conversions. Default is
en-USrefresh_cache (bool) --
Clear the cached policy definitions before applying the state. This is useful when the underlying policy files (ADMX/ADML) have been added/modified in the same state. This will allow those new policies to be picked up. This adds time to the state run when applied to multiple states within the same run. Therefore, it is best to only apply this to the first policy that is applied. For individual runs this will have no effect. Default is
FalseNew in version 3006.8.
New in version 3007.1.
Generated on October 23, 2024 at 09:06:04 UTC.
You are viewing docs built from a recent snapshot of the master branch. Switch to docs for the latest stable release, 3007.1.
