authorDavin Taddeo <davin@chef.io>2020-06-24 18:26:47 -0400
committerDavin Taddeo <davin@chef.io>2020-06-24 18:26:47 -0400
commitc1d2e127c731c7970b5901f8e15c9d4a6e65e9bd (patch)
treec220ff7eb98b05db758ab9e5fe327d2b613e6ec1
parent696ecf12ff818f86c1d0853b407c0dd6cac9bc9f (diff)
downloadchef-c1d2e127c731c7970b5901f8e15c9d4a6e65e9bd.tar.gz
Update the windows_user_privilege resource to have a `:clear` action that removes every user currently assigned a user access right.
Signed-off-by: Davin Taddeo <davin@chef.io>
-rw-r--r--lib/chef/resource/windows_user_privilege.rb27
1 files changed, 25 insertions, 2 deletions
diff --git a/lib/chef/resource/windows_user_privilege.rb b/lib/chef/resource/windows_user_privilege.rb
index aeff7ad468..ee44e3fcf1 100644
--- a/lib/chef/resource/windows_user_privilege.rb
+++ b/lib/chef/resource/windows_user_privilege.rb
@@ -112,6 +112,15 @@ class Chef
action :remove
end
```
+
+ **Clear all users from the SeDenyNetworkLogonRight Privilege**:
+
+ ```ruby
+ windows_user_privilege 'Allow any user the Network Logon right' do
+ privilege 'SeDenyNetworkLogonRight'
+ action :clear
+ end
+ ```
DOC
property :principal, String,
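Review bot: The example's resource name, 'Allow any user the Network Logon right', overstates what the block does. `action :clear` on `SeDenyNetworkLogonRight` only empties the deny list, so accounts that were explicitly blocked stop being blocked; it does not grant the network logon right to anyone. A name that matches the effect, such as `windows_user_privilege 'Clear SeDenyNetworkLogonRight' do`, plus one sentence in the doc text stating that `:clear` removes every account from the named privilege, would keep readers from applying it to a deny right without realising it loosens policy. The heredoc this example belongs to starts outside the hunk.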
@@ -132,8 +141,8 @@ class Chef
}
load_current_value do |new_resource|
- unless new_resource.principal.nil?
- privilege Chef::ReservedNames::Win32::Security.get_account_right(new_resource.principal) unless new_resource.action.include?(:set)
+ unless new_resource.principal.nil? || new_resource.action.include?(:set) || new_resource.action.include?(:clear)
+ privilege Chef::ReservedNames::Win32::Security.get_account_right(new_resource.principal)
end
end
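Review bot: The widened guard in `load_current_value` skips the account-right lookup for `:set` and `:clear` without a comment saying why. If the reason is that those actions work from the privilege's account list rather than from `principal` (the property definitions are outside the hunk, so this is inferred), say so with something like `# :set and :clear enumerate accounts per privilege, so there is no per-principal state to load`. The two `include?` calls would also read more easily as `unless new_resource.principal.nil? || (new_resource.action & %i{set clear}).any?`. A resource declared with several actions, for example `action [:clear, :add]`, appears to skip the lookup for all of them, which is worth confirming against `:add` and `:remove`.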
@@ -180,6 +189,20 @@ class Chef
end
end
+ action :clear do
+ new_resource.privilege.each do |privilege|
+ accounts = Chef::ReservedNames::Win32::Security.get_account_with_user_rights(privilege)
+
+ # comparing the existing accounts for privilege with users
+ # Removing only accounts which is not matching with users in new_resource
+ accounts.each do |account|
+ converge_by("removing user '#{account}' from privilege #{privilege}") do
+ Chef::ReservedNames::Win32::Security.remove_account_right(account, privilege)
+ end
+ end
+ end
+ end
+
action :remove do
curr_res_privilege = current_resource.privilege
missing_res_privileges = (new_resource.privilege - curr_res_privilege)
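Review bot: The comment inside `action :clear` describes a different operation from the code under it. It speaks of comparing existing accounts with the users in new_resource and removing only the non-matching ones, but the loop removes every account returned by `get_account_with_user_rights` and never reads `users` or `principal`. Replace it with `# Remove every account that currently holds this privilege; :clear does not consult principal or users.` If `get_account_with_user_rights` can return nil for a right that nobody holds (not visible here), `accounts.each` would raise, and `Array(accounts).each do |account|` would cover that case. The `action :remove` body that follows continues outside the hunk.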