Manage DACLs on Windows
depends: |
|
---|
add an ace to an object
path: path to the object (i.e. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY, etc) user: user to add permission: permissions for the user acetype: either allow/deny for each user/permission (ALLOW, DENY) propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS)
CLI Example:
allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey, propagate to this key and subkeys salt 'myminion' win_dacl.add_ace 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'Registry' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
Checks a path to verify the ACE (access control entry) specified exists
Parameters: |
|
---|
Returns (dict): 'Exists' true if the ACE exists, false if it does not
CLI Example:
salt 'minion-id' win_dacl.check_ace c: emp directory <username> fullcontrol
Check a specified path to verify if inheritance is enabled
Parameters: |
|
---|
Returns (bool): 'Inheritance' of True/False
CLI Example:
salt 'minion-id' win_dacl.check_inheritance c: emp directory <username>
salt.modules.win_dacl.
daclConstants
DACL constants used throughout the module
getAceTypeBit
(t)
returns the acetype bit of a text value
getAceTypeText
(t)
returns the textual representation of a acetype bit
getObjectTypeBit
(t)
returns the bit value of the string object type
getPermissionBit
(t, m)
returns a permission bit of the string permission value for the specified object type
getPermissionText
(t, m)
returns the permission textual representation of a specified permission bit/object type
getPropagationBit
(t, p)
returns the propagation bit of a text value
getPropagationText
(t, p)
returns the textual representation of a propagation bit
getSecurityHkey
(s)
returns the necessary string value for an HKEY for the win32security module
processPath
(path, objectType)
Disable inheritance on an object
Parameters: |
|
---|
Returns (dict): A dictionary containing the results
CLI Example:
salt 'minion-id' win_dacl.disable_inheritance c: emp directory
enable/disable inheritance on an object
Parameters: |
|
---|
Returns (dict): A dictionary containing the results
CLI Example:
salt 'minion-id' win_dacl.enable_inheritance c: emp directory
Get the ACL of an object. Will filter by user if one is provided.
Parameters: |
|
---|
Returns (dict): A dictionary containing the ACL
CLI Example:
salt 'minion-id' win_dacl.get c: emp directory
remove an ace to an object
path: path to the object (i.e. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY, etc) user: user to remove permission: permissions for the user acetypes: either allow/deny for each user/permission (ALLOW, DENY) propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS)
If any of the optional parameters are omitted (or set to None) they act as wildcards.
CLI Example:
remove allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey propagated to this key and subkeys salt 'myminion' win_dacl.rm_ace 'Registry' 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
© 2019 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_dacl.html