

Manage Windows Registry ACL



Version information

  • 0.1.0 (latest)
  • 0.0.6
  • 0.0.5
  • 0.0.4
  • 0.0.3
  • 0.0.2
  • 0.0.1
released Nov 19th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.1 < 7.0.0

Start using this module

Add this module to your Puppetfile:

mod 'ipcrm-registry_acl', '0.1.0'

Add this module to your Bolt project:

bolt module add ipcrm-registry_acl

Manually install this module globally with Puppet module tool:

puppet module install ipcrm-registry_acl --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



ipcrm/registry_acl — version 0.1.0 Nov 19th 2020



This module provides the reg_acl resource type used to set registry permissions.

Resource Types


reg_acl

Puppet type for managing Windows Registry ACLs.

== Parameters ==

inherit_from_parent

Should this ACL include inherited permissions? Valid values are true, false. Default: true

name

The description used for uniqueness. If the target parameter is not provided, name will be used.

owner

The name of the owner for this registry key. Can be a string or SID.

permissions

Array of hashes of desired ACEs to be applied to the target registry key. By default, reg_acl will simply compare existing permissions (non-inherited only) and make sure that the provided permissions are applied. Use the purge parameter to adjust this behavior.

For each hash, valid parameters:

  • IdentityReference: String or SID format for the identity to have this ACE applied
  • AccessControlType: String of access type. Valid values: Allow or Deny
  • InheritanceFlags: String of inheritance flags. Valid values: 'ContainerInherit, ObjectInherit', 'ContainerInherit', or 'ObjectInherit'
  • PropagationFlags: String of propagation behavior. Valid values: 'None', 'InheritOnly', or 'NoPropagateInherit, InheritOnly'
  • RegistryRights: String of permissions to apply. Keep in mind you can combine values where needed (single string, comma separated). Common values are 'FullControl', 'ReadKey', and 'WriteKey'. Valid values: 'QueryValues', 'SetValue', 'CreateSubKey', 'EnumerateSubKeys', 'Notify', 'CreateLink', 'ReadKey', 'WriteKey', 'Delete', 'ReadPermissions', 'ChangePermissions', 'TakeOwnership', 'FullControl'. See for more details.

purge

Specifies whether ACEs that are not specifically named should be purged. Valid values are all, listed, false. Default: false

  • all: If additional ACEs are present that have not been specifically declared (non-inherited), they will be removed.
  • listed: Ensure that the ACEs defined in the permissions parameter are removed if present (i.e. delete the listed permissions).
  • false: Default. Only compare the ACEs defined in permissions and ignore any others present.

target

Path to the registry key. Expressed as hive:path or hive\path. For example, hklm:SOFTWARE\test or hklm\software\test.

== Examples ==

Ensure owner, inherit_from_parent, and the following two ACE are present.

# No target is given, so the resource title is used as the registry key path.
reg_acl { 'hklm:software\test1':
  owner       => 'Administrator',
  permissions => [
    {'RegistryRights' => 'FullControl', 'IdentityReference' => 'BUILTIN\Administrators' },
    {'RegistryRights' => 'ReadPermissions, SetValue', 'IdentityReference' => 'somelocaluser' },
    {'RegistryRights' => 'FullControl', 'IdentityReference' => 'S-1-5-21-392019300-2179095474-2072420904-1002'},
  ],
}

Ensure only these two ACE are present, disable inheritance from parent, and set the owner to SID.

reg_acl { 'admin rules':
  target              => 'hklm:software\test1',
  owner               => 'S-1-5-21-392019300-2179095474-2072420904-1002',
  inherit_from_parent => false,
  permissions         => [
    {'RegistryRights' => 'FullControl', 'IdentityReference' => 'BUILTIN\Administrators' },
    {'RegistryRights' => 'FullControl', 'IdentityReference' => 'S-1-5-21-392019300-2179095474-2072420904-1002'},
  ],
  # Remove any non-inherited ACE that is not declared above.
  purge               => 'all',
}

Ensure that the listed permissions are removed.

reg_acl { 'remove rules':
  target      => 'hklm:software\test1',
  permissions => [
    {'RegistryRights' => 'FullControl', 'IdentityReference' => 'GP-WIN-1\test' },
  ],
  # 'listed' deletes the ACEs named in permissions instead of adding them.
  purge       => 'listed',
}
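
To confirm on a node what the 'admin rules' resource above produced, the following PowerShell audit is an added example, not part of the module or its documentation. It compares the identity, access type and rights of the key's non-inherited ACEs with the declared list; the key path, SIDs and rights are copied from that manifest, the Allow access type is an assumption (the manifest does not set AccessControlType), and the helper name ConvertTo-Sid is hypothetical.

```powershell
# Added example: audit HKLM:\SOFTWARE\test1 against the 'admin rules' manifest.
# Expected values are copied from that manifest; 'Allow' is an assumption,
# because the manifest does not set AccessControlType.
$KeyPath       = 'HKLM:\SOFTWARE\test1'
$ExpectedOwner = 'S-1-5-21-392019300-2179095474-2072420904-1002'
$ExpectedAces  = @(
    @{ IdentityReference = 'BUILTIN\Administrators'; AccessControlType = 'Allow'; RegistryRights = 'FullControl' },
    @{ IdentityReference = $ExpectedOwner;           AccessControlType = 'Allow'; RegistryRights = 'FullControl' }
)
$SidType = [System.Security.Principal.SecurityIdentifier]

# Hypothetical helper: resolve an account name to a SID string so that names
# and SIDs compare equal; strings that already look like SIDs pass through.
function ConvertTo-Sid([string]$Identity) {
    if ($Identity -match '^S-1-') { return $Identity }
    ([System.Security.Principal.NTAccount]$Identity).Translate($SidType).Value
}

$acl = Get-Acl -Path $KeyPath

# Explicit (non-inherited) ACEs only, with identities returned as SIDs.
# This is the same set reg_acl compares against by default.
$have = @($acl.GetAccessRules($true, $false, $SidType) | ForEach-Object {
    '{0}|{1}|{2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.RegistryRights
})
$want = @($ExpectedAces | ForEach-Object {
    $rights = [System.Security.AccessControl.RegistryRights]$_.RegistryRights
    '{0}|{1}|{2}' -f (ConvertTo-Sid $_.IdentityReference), $_.AccessControlType, $rights
})

[pscustomobject]@{
    Key                 = $KeyPath
    OwnerMatches        = $acl.GetOwner($SidType).Value -eq (ConvertTo-Sid $ExpectedOwner)
    # Expect True when inherit_from_parent => false has been applied.
    InheritanceDisabled = $acl.AreAccessRulesProtected
    # Declared in the manifest but absent from the key.
    MissingAces         = @($want | Where-Object { $_ -notin $have })
    # Present on the key but undeclared; purge => 'all' should leave none.
    UnexpectedAces      = @($have | Where-Object { $_ -notin $want })
}
```

InheritanceFlags and PropagationFlags are not compared here; add them to the comparison string if the manifest sets them.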

To Do List

  • Test Suite