New in version 2016.11.0.
This state module allows you to configure local Group Policy on Windows. You can ensure the setting of a single policy or multiple policies in one pass.
Single policies must specify the policy name, the setting, and the policy class (Machine/User/Both). Here are some examples for setting a single policy setting.
Example single policy configuration:
Ensure Account Lockout Duration: lgpo.set: - name: Account lockout duration - setting: 90 - policy_class: Machine
Example using abbreviated form:
Account lockout duration: lgpo.set: - setting: 120 - policy_class: Machine
It is also possible to set multiple policies in a single state. This is done by setting the settings under either computer_policy or user_policy. Here are some examples for setting multiple policy settings in a single state.
Multiple policy configuration
Company Local Group Policy: lgpo.set: - computer_policy: Deny log on locally: - Guest Account lockout duration: 120 Account lockout threshold: 10 Reset account lockout counter after: 120 Enforce password history: 24 Maximum password age: 60 Minimum password age: 1 Minimum password length: 14 Password must meet complexity requirements: Enabled Store passwords using reversible encryption: Disabled Configure Automatic Updates: Configure automatic updating: 4 - Auto download and schedule the intsall Scheduled install day: 7 - Every Saturday Scheduled install time: 17:00 Specify intranet Microsoft update service location: Set the intranet update service for detecting updates: http://mywsus Set the intranet statistics server: http://mywsus - user_policy: Do not process the legacy run list: Enabled
server_policy: lgpo.set: - computer_policy: Maximum password age: 60 Minimum password age: 1 Minimum password length: 14 Account lockout duration: 120 Account lockout threshold: 10 Reset account lockout counter after: 120 Manage auditing and security log: - "BUILTIN\\Administrators" Replace a process level token: - "NT AUTHORITY\\NETWORK SERVICE" - "NT AUTHORITY\\LOCAL SERVICE" "Accounts: Guest account status": Disabled "Accounts: Rename guest account": Not_4_U "Audit: Audit the use of Backup and Restore privilege": Enabled "Interactive logon: Do not display last user name": Enabled "Network\\DNS Client\\Dynamic update": Disabled "System\\Logon\\Do not display the Getting Started welcome screen at logon": Enabled "Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Select RDP transport protocols": "Select Transport Type": "Use both UDP and TCP" "Windows Components\\Windows Update\\Allow Automatic Updates immediate installation": Enabled "Windows Components\\Windows Update\\Allow non-administrators to receive update notifications": Disabled "Windows Components\\Windows Update\\Always automatically restart at the scheduled time": "The restart timer will give users this much time to save their work (minutes)": 15 "Windows Components\\Windows Update\\Automatic Updates detection frequency": "Check for updates at the following interval (hours)": 1 "Windows Components\\Windows Update\\Configure Automatic Updates": "Configure automatic updating": 4 - Auto download and schedule the install "Install during automatic maintenance": False "Scheduled install day": 7 - Every Saturday "Scheduled install time": "17:00" "Windows Components\\Windows Update\\Delay Restart for scheduled installations": "Wait the following period before proceeding with a scheduled restart (minutes)": 1 "Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations": Disabled "Windows Components\\Windows Update\\Re-prompt for restart with scheduled installations": "Wait the following period before prompting again with a scheduled restart (minutes)": 30 "Windows Components\\Windows Update\\Reschedule Automatic Updates scheduled installations": Disabled "Windows Components\\Windows Update\\Specify intranet Microsoft update service location": "Set the intranet update service for detecting updates": http://mywsus "Set the intranet statistics server": http://mywsus - cumulative_rights_assignments: True Some policy settings can't be set on their own an require that other policy settings are set at the same time. It can be difficult to figure out what additional settings need to be applied. The easiest way to do this is to modify the setting manually using the Group Policy Editor (`gpedit.msc`) on the machine. Then `get` the policy settings configured on that machine. Use the following command: .. code-block:: bash salt-call --local lgpo.get machine For example, if I want to set the Windows Update settings for a Windows Server 2016 machine I would go into the Group Policy Editor (`gpedit.msc`) and configure the group policy. That policy can be found at: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Configure Automatic Updates. You have the option to "Enable" the policy and set some configuration options. In this example, just click "Enable" and accept the default configuration options. Click "OK" to apply the setting. Now run the `get` command as shown above. You will find the following in the minion return: .. code-block:: bash Windows Components\Windows Update\Configure Automatic Updates: ---------- Configure automatic updating: 3 - Auto download and notify for install Install during automatic maintenance: False Install updates for other Microsoft products: False Scheduled install day: 0 - Every day Scheduled install time: 03:00 This shows you that to enable the "Configure Automatic Updates" policy you also have to configure the following settings: - Configure automatic updating - Install during automatic maintenance - Install updates for other Microsoft products - Scheduled install day - Scheduled install time So, if you were writing a state for the above policy, it would look like this: .. code-block:: bash configure_windows_update_settings: lgpo.set: - computer_policy: Configure Automatic Updates: Configure automatic updating: 3 - Auto download and notify for install Install during automatic maintenance: False Install updates for other Microsoft products: False Scheduled install day: 0 - Every day Scheduled install time: 03:00 .. note:: It is important that you put names of policies and settings exactly as they are displayed in the return. That includes capitalization and punctuation such as periods, dashes, etc. This rule applies to both the setting name and the setting value. .. warning:: From time to time Microsoft updates the Administrative templates on the machine. This can cause the policy name to change or the list of settings that must be applied at the same time. These settings often change between versions of Windows as well. For example, Windows Server 2019 allows you to also specify a specific week of the month to apply the update. Another thing note is the long policy name returned by the `get` function: .. code-block:: bash Windows Components\Windows Update\Configure Automatic Updates: When we wrote the state for this policy we only used the final portion of the policy name, `Configure Automatic Updates`. This usually works fine, but if you are having problems, you may try the long policy name. When writing the long name in a state file either wrap the name in single quotes to make yaml see it as raw data, or escape the back slashes. .. code-block:: bash 'Windows Components\Windows Update\Configure Automatic Updates:' or Windows Components\\Windows Update\\Configure Automatic Updates:
set_(name, setting=None, policy_class=None, computer_policy=None, user_policy=None, cumulative_rights_assignments=True, adml_language='en-US')¶
Ensure the specified policy is set.
setting argument cannot be used in conjunction with the
name (str) -- The name of a single policy to configure
policy_class (str) -- The policy class of the single named policy to configure. This can
computer_policy (dict) -- A dictionary of containing the policy name and key/value pairs of a
set of computer policies to configure. If this argument is used, the
policy_class arguments will be ignored
user_policy (dict) -- A dictionary of containing the policy name and key/value pairs of a
set of user policies to configure. If this argument is used, the
policy_class arguments will be ignored
cumulative_rights_assignments (bool) -- If user rights assignments are being configured, determines if any user right assignment policies specified will be cumulative or explicit
adml_language (str) -- The adml language to use for AMDX policy data/display conversions.