New in version 2016.11.0.
This state allows configuring local Windows Group Policy.
The state can be used to ensure the setting of a single policy or multiple policies in one pass.
Single policies must specify the policy name, the setting, and the policy class (Machine/User/Both).

Example single policy configuration:

    Ensure Account Lockout Duration:
      lgpo.set:
        - name: Account lockout duration
        - setting: 90
        - policy_class: Machine

    # When name is omitted, the state ID is used as the policy name
    Account lockout duration:
      lgpo.set:
        - setting: 120
        - policy_class: Machine
Multiple policy configuration:

    Company Local Group Policy:
      lgpo.set:
        - computer_policy:
            Deny logon locally: Guest
            Account lockout duration: 120
            Account lockout threshold: 10
            Reset account lockout counter after: 1440
            Enforce password history: 24
            Maximum password age: 60
            Minimum password age: 1
            Minimum password length: 14
            Password must meet complexity requirements: Enabled
            Store passwords using reversible encryption: Disabled
            Configure Automatic Updates:
              Configure automatic updating: 4 - Auto download and schedule the install
              Scheduled install day: 7 - Every Saturday
              # Quoted so YAML does not read 17:00 as a base-60 integer
              Scheduled install time: "17:00"
            Specify intranet Microsoft update service location:
              Set the intranet update service for detecting updates: http://mywsus
              Set the intranet statistics server: http://mywsus
        - user_policy:
            Do not process the legacy run list: Enabled
    # Names containing backslashes are single-quoted so that YAML keeps the
    # backslashes literal instead of treating them as escape sequences
    server_policy:
      lgpo.set:
        - computer_policy:
            Maximum password age: 60
            Minimum password age: 1
            Minimum password length: 14
            Account lockout duration: 1440
            Account lockout threshold: 10
            Reset account lockout counter after: 1440
            Manage auditing and security log:
              - 'BUILTIN\Administrators'
            Replace a process level token:
              - 'NT AUTHORITY\NETWORK SERVICE'
              - 'NT AUTHORITY\LOCAL SERVICE'
            "Accounts: Guest account status": Disabled
            "Accounts: Rename guest account": Not_4_U
            "Audit: Audit the use of Backup and Restore privilege": Enabled
            "Interactive logon: Do not display last user name": Enabled
            'Network\DNS Client\Dynamic update': Disabled
            'System\Logon\Do not display the Getting Started welcome screen at logon': Enabled
            'Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Select RDP transport protocols':
              "Select Transport Type": "Use both UDP and TCP"
            'Windows Components\Windows Update\Allow Automatic Updates immediate installation': Enabled
            'Windows Components\Windows Update\Allow non-administrators to receive update notifications': Disabled
            'Windows Components\Windows Update\Always automatically restart at the scheduled time':
              "The restart timer will give users this much time to save their work (minutes)": 15
            'Windows Components\Windows Update\Automatic Updates detection frequency':
              "Check for updates at the following interval (hours)": 1
            'Windows Components\Windows Update\Configure Automatic Updates':
              "Configure automatic updating": 4 - Auto download and schedule the install
              "Install during automatic maintenance": False
              "Scheduled install day": 7 - Every Saturday
              "Scheduled install time": "17:00"
            'Windows Components\Windows Update\Delay Restart for scheduled installations':
              "Wait the following period before proceeding with a scheduled restart (minutes)": 1
            'Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations': Disabled
            'Windows Components\Windows Update\Re-prompt for restart with scheduled installations':
              "Wait the following period before prompting again with a scheduled restart (minutes)": 30
            'Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations': Disabled
            'Windows Components\Windows Update\Specify intranet Microsoft update service location':
              "Set the intranet update service for detecting updates": http://mywsus
              "Set the intranet statistics server": http://mywsus
        - cumulative_rights_assignments: True
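Policy paths and account names in these states contain backslashes, and schedule times look like 17:00; YAML alters both unless they are quoted correctly. The pre-flight check below is an added example, not part of Salt or of the original page. It is a standard-library regex heuristic rather than a full YAML parser, and `lint_sls` and `SAMPLE_SLS` are hypothetical names with a constructed sample state.

```python
import re

# Constructed sample state for this example (not taken from the Salt docs).
SAMPLE_SLS = r'''
server_policy:
  lgpo.set:
    - computer_policy:
        Replace a process level token:
          - "BUILTIN\Administrators"
          - "NT AUTHORITY\NETWORK SERVICE"
          - 'NT AUTHORITY\LOCAL SERVICE'
        "Network\DNS Client\Dynamic update": Disabled
        Scheduled install time: 17:00
        "Scheduled install time": "17:00"
'''

# Characters YAML accepts after a backslash inside double quotes.
YAML_ESCAPES = set('0abtnvfre "\\/N_LPxuU')
DQ_SCALAR = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Unquoted YAML 1.1 base-60 integer used as a value, e.g. 17:00.
BASE60 = re.compile(r':\s+[-+]?([1-9][0-9_]*(?::[0-5]?[0-9])+)\s*$')


def lint_sls(text):
    """Return (line_number, kind, detail) for each quoting pitfall found."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        for scalar in DQ_SCALAR.findall(line):
            for esc in re.findall(r'\\(.)', scalar):
                if esc == '\\':
                    continue  # an escaped backslash is what the author meant
                # Unknown escapes fail the YAML load; known ones rewrite the name.
                kind = 'silent-escape' if esc in YAML_ESCAPES else 'invalid-escape'
                findings.append((num, kind, '\\' + esc))
                break
        match = BASE60.search(line)
        if match:
            total = 0
            for part in match.group(1).replace('_', '').split(':'):
                total = total * 60 + int(part)
            findings.append((num, 'base60-int', total))
    return findings


if __name__ == '__main__':
    for finding in lint_sls(SAMPLE_SLS):
        print(finding)
```

The `silent-escape` case is the one to watch for in review: the file loads without error, but the account or policy name that reaches the state is no longer the one written.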
Ensure the specified policy is set
© 2019 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.win_lgpo.html