author | Davin Taddeo <davin@chef.io> | 2020-06-24 18:26:47 -0400 |
---|---|---|
committer | Davin Taddeo <davin@chef.io> | 2020-06-24 18:26:47 -0400 |
commit | c1d2e127c731c7970b5901f8e15c9d4a6e65e9bd (patch) | |
tree | c220ff7eb98b05db758ab9e5fe327d2b613e6ec1 | |
parent | 696ecf12ff818f86c1d0853b407c0dd6cac9bc9f (diff) | |
download | chef-c1d2e127c731c7970b5901f8e15c9d4a6e65e9bd.tar.gz |
Update the windows_user_privilege resource to have a `:clear` action that removes all users assigned to a user access right.
Signed-off-by: Davin Taddeo <davin@chef.io>
-rw-r--r-- | lib/chef/resource/windows_user_privilege.rb | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/lib/chef/resource/windows_user_privilege.rb b/lib/chef/resource/windows_user_privilege.rb
index aeff7ad468..ee44e3fcf1 100644
--- a/lib/chef/resource/windows_user_privilege.rb
+++ b/lib/chef/resource/windows_user_privilege.rb
@@ -112,6 +112,15 @@ class Chef
 action :remove
 end
 ```
+
+ **Clear all users from the SeDenyNetworkLogonRight Privilege**:
+
+ ```ruby
+ windows_user_privilege 'Allow any user the Network Logon right' do
+ privilege 'SeDenyNetworkLogonRight'
+ action :clear
+ end
+ ```
 DOC
 property :principal, String,
@@ -132,8 +141,8 @@ class Chef
 }
 load_current_value do |new_resource|
- unless new_resource.principal.nil?
- privilege Chef::ReservedNames::Win32::Security.get_account_right(new_resource.principal) unless new_resource.action.include?(:set)
+ unless new_resource.principal.nil? || new_resource.action.include?(:set) || new_resource.action.include?(:clear)
+ privilege Chef::ReservedNames::Win32::Security.get_account_right(new_resource.principal)
 end
 end
@@ -180,6 +189,20 @@ class Chef
 end
 end
+ action :clear do
+ new_resource.privilege.each do |privilege|
+ accounts = Chef::ReservedNames::Win32::Security.get_account_with_user_rights(privilege)
+
+ # comparing the existing accounts for privilege with users
+ # Removing only accounts which is not matching with users in new_resource
+ accounts.each do |account|
+ converge_by("removing user '#{account}' from privilege #{privilege}") do
+ Chef::ReservedNames::Win32::Security.remove_account_right(account, privilege)
+ end
+ end
+ end
+ end
+
 action :remove do
 curr_res_privilege = current_resource.privilege
 missing_res_privileges = (new_resource.privilege - curr_res_privilege) |
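Review bot: The comment inside the new `action :clear` block (`# comparing the existing accounts ... not matching with users in new_resource`) describes the `:set` logic, not this action, which removes every account returned by `get_account_with_user_rights` without any comparison. I would replace it with `# Remove every account that currently holds this privilege; :principal and :users are not consulted.` Because `:principal` (and, it appears, `:users`) is silently ignored here, a recipe that sets one of them together with `:clear` strips more accounts than its author may expect; consider raising when they are set, or stating this in the action's documentation. The documentation example in the first hunk should also say that clearing a Deny* right such as `SeDenyNetworkLogonRight` lifts the deny for all principals, so it loosens rather than tightens access.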