registry_acl

Manage Windows Registry ACL

Project URL RSS Feed Report issues

Module Stats

34,874 downloads

22,565 latest version

4.9 quality score

Version information

released Nov 19th 2020

This version is compatible with:

Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
Puppet >= 4.10.1 < 7.0.0

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'ipcrm-registry_acl', '0.1.0'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add ipcrm-registry_acl

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install ipcrm-registry_acl --version 0.1.0

Tags: utility, windows, registry

Documentation

ipcrm/registry_acl — version 0.1.0 Nov 19th 2020

registry_acl

Description

This module provides the reg_acl resource type used to set registry permissions.

Resource Types

`reg_acl`

Puppet type for managing Windows Registry ACLs

== Parameters ==

`inherit_from_parent`

Should this ACL include inherited permissions? Valid values are true, false. Default: true

`name`

The description used for uniqueness. If the target parameter is not provided name will be used.

`owner`

Provide the name of the owner for this registry key. Can be string or SID.

`permissions`

Array of hashes of desired ACEs to be applied to target registry key. By default, reg_acl will simply compare existing permissions (non-inherited only) and make sure that the provided permissions are applied. Use the purge parameter to adjust this behavior.

For each hash, valid parameters:

IdentityReference: String or SID format for identity to have this ACE applied
AccessControlType: String of access type. Valid values Allow or Deny
InheritanceFlags: String of inheritance flags. Valid values: 'ContainerInherit, ObjectInherit', 'ContainerInherit', or 'ObjectInherit'
PropagationFlags: String of propagation behavior. Valid values: 'None', 'InheritOnly', or 'NoPropagateInherit, InheritOnly'
RegistryRights: String of Permissions to apply. Keep in mind you can combine values where needed(single string, comma seperated). Common values are 'FullControl', 'ReadKey', and 'WriteKey'. Valid values: 'QueryValues','SetValue','CreateSubKey','EnumerateSubKeys','Notify','CreateLink','ReadKey','WriteKey','Delete','ReadPermissions','ChangePermissions','TakeOwnership','FullControl'. See https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights(v=vs.110).aspx for more details.

`purge`

Boolean to specify if all ACE should be purged that are not specifically named. Valid values are all, listed, false. Default: false

all: If additional ACE are present that have not been specifically declared (non-inherited), they will be removed.
listed: Ensure that the defined ACEs in permissions parameter are removed if present(i.e. delete listed parameters).
false: Default. Only compare defined ACEs in permissions and ignore any other present.

`target`

Path to the registry key. Expressed via hive:path or hive_path_. For example, hklm:SOFTWARE\test, hklm\software\test

== Examples ==

Ensure owner, inherit_from_parent, and the following two ACE are present.

reg_acl { 'hklm:software\test1',
  owner => 'Administrator',
  permissions =>
    [
      {'RegistryRights' => 'FullControl', 'IdentityReference' => 'BUILTIN\Administrators' },
      {'RegistryRights' => 'ReadPermissions, SetValue', 'IdentityReference' => 'somelocaluser' },
      {'RegistryRights' => 'FullControl', 'IdentityReference' => 'S-1-5-21-392019300-2179095474-2072420904-1002'},
    ],
 }

Ensure only these two ACE are present, disable inheritance from parent, and set the owner to SID.

reg_acl { 'admin rules':
  target => 'hklm:software\test1',
  owner => 'S-1-5-21-392019300-2179095474-2072420904-1002',
  inherit_from_parent => false,
  permissions =>
    [
      {'RegistryRights' => 'FullControl', 'IdentityReference' => 'BUILTIN\Administrators' },
      {'RegistryRights' => 'FullControl', 'IdentityReference' => 'S-1-5-21-392019300-2179095474-2072420904-1002'},
    ],
   purge => 'all',
 }

Ensure that the listed permissions are removed.

reg_acl { 'remove rules':
  target => 'hklm:software\test1',
  permissions =>
    [
      {'RegistryRights' => 'FullControl', 'IdentityReference' => 'GP-WIN-1\test' },
    ],
  purge => 'listed',
}

To Do List

Test Suite

Reference

Resource types

reg_acl: Puppet type for managing Windows Registry ACLs

Resource types

`reg_acl`

Puppet type for managing Windows Registry ACLs

Properties

The following properties are available in the reg_acl type.

`inherit_from_parent`

Valid values: true, false

Should this ACL include inherited permissions? Valid values are true, false. Default: true

Default value: true

`owner`

Provide the name of the owner for this registry key. Can be string or SID.

`permissions`

Array of hashes of desired ACEs to be applied to target registry key. By default, reg_acl will simply compare existing permissions (non-inherited only) and make sure that the provided permissions are applied. Use the purge parameter to adjust this behavior.

For each hash, valid parameters:

IdentityReference: String or SID format for identity to have this ACE applied

AccessControlType: String of access type. Valid values Allow or Deny

InheritanceFlags: String of inheritance flags. Valid values: 'ContainerInherit, ObjectInherit', 'ContainerInherit', or 'ObjectInherit'

PropagationFlags: String of propagation behavior. Valid values: 'None', 'InheritOnly', or 'NoPropagateInherit, InheritOnly'

RegistryRights: String of Permissions to apply. Keep in mind you can combine values where needed(single string, comma seperated). Common values are 'FullControl', 'ReadKey', and 'WriteKey'. Valid values: 'QueryValues','SetValue','CreateSubKey','EnumerateSubKeys','Notify','CreateLink','ReadKey','WriteKey','Delete','ReadPermissions','ChangePermissions','TakeOwnership','FullControl'. See https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights(v=vs.110).aspx for more details.

Parameters

The following parameters are available in the reg_acl type.

`name`

namevar

The description used for uniqueness. If the target parameter is not provided name will be used.

`provider`

The specific backend to use for this reg_acl resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

`purge`

Valid values: all, listed, false

Boolean to specify if all ACE should be purged that are not specifically named. Valid values are all, listed, false. Default: false

all: If additional ACE are present that have not been specifically declared (non-inherited), they will be removed.

listed: Ensure that the defined ACEs in permissions parameter are removed if present(i.e. delete listed parameters).

false: Default. Only compare defined ACEs in permissions and ignore any other present.

Default value: false

`target`

Path to the registry key. If not provided the name parameter will be used.

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started

registry_acl

Version information

This version is compatible with:

Start using this module

Documentation

registry_acl

Description

Resource Types

reg_acl

== Parameters ==

inherit_from_parent

name

owner

permissions

purge

target

== Examples ==

To Do List

Reference

Table of Contents

Resource types

Resource types

reg_acl

Properties

inherit_from_parent

owner

permissions

Parameters

name

provider

purge

target

Changelog

2020-11-18 Release 0.1.0

2019-01-20 Release 0.0.6

2017-06-21 Release 0.0.5

2017-06-20 Release 0.0.4

2017-06-15 Release 0.0.3

2017-06-15 Release 0.0.2

2017-06-15 Release 0.0.1

Dependencies

`reg_acl`

`inherit_from_parent`

`name`

`owner`

`permissions`

`purge`

`target`

`reg_acl`

`inherit_from_parent`

`owner`

`permissions`

`name`

`provider`

`purge`

`target`