New in version 2016.11.0.
This state allows configuring local Windows Group Policy
The state can be used to ensure the setting of a single policy or multiple policies in one pass.
Single policies must specify the policy name, the setting, and the policy class (Machine/User/Both)
Example single policy configuration
Ensure Account Lockout Duration:
lgpo.set:
- name: Account lockout duration
- setting: 90
- policy_class: Machine Account lockout duration:
gpo.set:
- setting: 120
- policy_class: Machine Multiple policy configuration
Company Local Group Policy:
lgpo.set:
- computer_policy:
Deny logon locally: Guest
Account lockout duration: 120
Account lockout threshold: 10
Reset account lockout counter after: 1440
Enforce password history: 24
Maximum password age: 60
Minimum password age: 1
Minimum password length: 14
Password must meet complexity requirements: Enabled
Store passwords using reversible encryption: Disabled
Configure Automatic Updates:
Configure automatic updating: 4 - Auto download and schedule the intsall
Scheduled install day: 7 - Every Saturday
Scheduled install time: 17:00
Specify intranet Microsoft update service location:
Set the intranet update service for detecting updates: http://mywsus
Set the intranet statistics server: http://mywsus
- user_policy:
Do not process the legacy run list: Enabled server_policy:
lgpo.set:
- computer_policy:
Maximum password age: 60
Minimum password age: 1
Minimum password length: 14
Account lockout duration: 1440
Account lockout threshold: 10
Reset account lockout counter after: 1440
Manage auditing and security log:
- "BUILTIN\Administrators"
Replace a process level token:
- "NT AUTHORITY\NETWORK SERVICE"
- "NT AUTHORITY\LOCAL SERVICE"
"Accounts: Guest account status": Disabled
"Accounts: Rename guest account": Not_4_U
"Audit: Audit the use of Backup and Restore privilege": Enabled
"Interactive logon: Do not display last user name": Enabled
"Network\DNS Client\Dynamic update": Disabled
"System\Logon\Do not display the Getting Started welcome screen at logon": Enabled
"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Select RDP transport protocols":
"Select Transport Type": "Use both UDP and TCP"
"Windows Components\Windows Update\Allow Automatic Updates immediate installation": Enabled
"Windows Components\Windows Update\Allow non-administrators to receive update notifications": Disabled
"Windows Components\Windows Update\Always automatically restart at the scheduled time":
"The restart timer will give users this much time to save their work (minutes)": 15
"Windows Components\Windows Update\Automatic Updates detection frequency":
"Check for updates at the following interval (hours)": 1
"Windows Components\Windows Update\Configure Automatic Updates":
"Configure automatic updating": 4 - Auto download and schedule the install
"Install during automatic maintenance": False
"Scheduled install day": 7 - Every Saturday
"Scheduled install time": "17:00"
"Windows Components\Windows Update\Delay Restart for scheduled installations":
"Wait the following period before proceeding with a scheduled restart (minutes)": 1
"Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations": Disabled
"Windows Components\Windows Update\Re-prompt for restart with scheduled installations":
"Wait the following period before prompting again with a scheduled restart (minutes)": 30
"Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations": Disabled
"Windows Components\Windows Update\Specify intranet Microsoft update service location":
"Set the intranet update service for detecting updates": http://mywsus
"Set the intranet statistics server": http://mywsus
- cumulative_rights_assignments: True Ensure the specified policy is set
© 2019 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.win_lgpo.html