Manage Windows User Rights
- Add, remove or set User Rights for a user, a group, or a list of users and groups.
- You can set user rights for both local and domain accounts.
Parameter | Choices/Defaults | Comments |
---|---|---|
action<br>string | | `add` will add the users/groups to the existing right.<br>`remove` will remove the users/groups from the existing right.<br>`set` will replace the users/groups of the existing right. |
name<br>string / required | | The name of the User Right as shown by the Constant Name value from https://technet.microsoft.com/en-us/library/dd349804.aspx.<br>The module will return an error if the right is invalid. |
users<br>list / elements=string / required | | A list of users or groups to add/remove on the User Right.<br>These can be in the form `DOMAIN\user-group` or `user-group@DOMAIN.COM` for domain users/groups.<br>For local users/groups it can be in the form `user-group`, `.\user-group` or `SERVERNAME\user-group`, where SERVERNAME is the name of the remote server.<br>It is highly recommended to use the `.\` or `SERVERNAME\` prefix to avoid any ambiguity with domain account names or errors trying to look up an account on a domain controller.<br>You can also add special local accounts like SYSTEM and others.<br>Can be set to an empty list with `action=set` to remove all accounts from the right. |
Note
- If the server is domain joined, this module can change a right, but if a GPO governs this right then the changes won't last.
See Also
- ansible.windows.win_group: The official documentation on the ansible.windows.win_group module.
- ansible.windows.win_group_membership: The official documentation on the ansible.windows.win_group_membership module.
- ansible.windows.win_user: The official documentation on the ansible.windows.win_user module.
```yaml
---
# Replaces the full list of accounts holding the right with Guest and Users.
- name: Replace the entries of Deny log on locally
  ansible.windows.win_user_right:
    name: SeDenyInteractiveLogonRight
    users:
      - Guest
      - Users
    action: set

# The .\ and hostname prefixes force a local account lookup.
- name: Add account to Log on as a service
  ansible.windows.win_user_right:
    name: SeServiceLogonRight
    users:
      - .\Administrator
      - '{{ ansible_hostname }}\local-user'
    action: add

# Mixes special local accounts with both domain account forms.
- name: Remove accounts who can create Symbolic links
  ansible.windows.win_user_right:
    name: SeCreateSymbolicLinkPrivilege
    users:
      - SYSTEM
      - Administrators
      - DOMAIN\User
      - User@DOMAIN.COM
    action: remove

# An empty list clears every account from the right; action is omitted here,
# so the module default applies.
- name: Remove all accounts who cannot log on remote interactively
  ansible.windows.win_user_right:
    name: SeDenyRemoteInteractiveLogonRight
    users: []
```
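The playbook below is an added example, not part of the module's own documentation. It enforces a complete user-rights baseline with `action: set` and reports which accounts each run had to add or remove, using the module's `added` and `removed` return fields. The inventory group `windows`, the local account `svc-backup` and the baseline lists are assumptions constructed for illustration.

```yaml
---
# Added example: the baseline values below are constructed for illustration.
- name: Enforce a user-rights baseline and report drift
  hosts: windows               # hypothetical inventory group
  gather_facts: false
  vars:
    # Right constant name -> the complete list of accounts allowed to hold it.
    user_rights_baseline:
      SeDebugPrivilege:
        - Administrators
      SeRemoteInteractiveLogonRight:
        - Administrators
      SeServiceLogonRight:
        - .\svc-backup         # hypothetical local account, .\ forces local lookup
      SeDenyNetworkLogonRight:
        - Guest
  tasks:
    - name: Replace the holders of each right with the baseline list
      ansible.windows.win_user_right:
        name: "{{ item.key }}"
        users: "{{ item.value }}"
        action: set
      loop: "{{ user_rights_baseline | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      register: rights_result

    # Only rights whose membership actually changed are reported.
    - name: Show which accounts had to be added or removed per right
      ansible.builtin.debug:
        msg:
          right: "{{ item.item.key }}"
          added: "{{ item.added }}"
          removed: "{{ item.removed }}"
      loop: "{{ rights_result.results }}"
      loop_control:
        label: "{{ item.item.key }}"
      when: item is changed
```

On a domain-joined host, a right that reports the same additions or removals on every run is a sign that a GPO governs it and is reverting the change, as the note above describes.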
Common return values are documented here; the following are the fields unique to this module:
- Jordan Borean (@jborean93)