lgpo doesn't seem to allow for unsetting a gpo setting #49582

Closed
UtahDave opened this issue Sep 8, 2018 · 7 comments

@UtahDave (Member) commented Sep 8, 2018

Description of Issue/Question

The gpo setting SeTrustedCredManAccessPrivilege accepts a list of valid users. I can successfully add a list of users to the setting, but I can't find a way to remove all users from the list.

Setup

The following does work:

set_trusted_caller:
  lgpo.set:
    - computer_policy:
        SeTrustedCredManAccessPrivilege:
          - 'vagrant'
          - 'administrator'

I want to remove all users from this list. I've tried the following, but nothing seems to work.

no_trusted_caller:
  lgpo.set:
    - computer_policy:
        SeTrustedCredManAccessPrivilege: []

I'm not sure if this needs some documentation on how to do this or if this is a feature request.

Here's my versions report:

vagrant-2016.lehi.saltstack.net:
    Salt Version:
               Salt: 2018.3.2
     
    Dependency Versions:
               cffi: 1.10.0
           cherrypy: 10.2.1
           dateutil: 2.6.1
          docker-py: Not Installed
              gitdb: 2.0.3
          gitpython: 2.1.3
              ioflo: Not Installed
             Jinja2: 2.9.6
            libgit2: Not Installed
            libnacl: Not Installed
           M2Crypto: Not Installed
               Mako: 1.0.6
       msgpack-pure: Not Installed
     msgpack-python: 0.4.8
       mysql-python: Not Installed
          pycparser: 2.17
           pycrypto: 2.6.1
       pycryptodome: Not Installed
             pygit2: Not Installed
             Python: 2.7.14 (v2.7.14:84471935ed, Sep 16 2017, 20:25:58) [MSC v.1500 64 bit (AMD64)]
       python-gnupg: 0.4.1
             PyYAML: 3.12
              PyZMQ: 16.0.3
               RAET: Not Installed
              smmap: 2.0.3
            timelib: 0.2.4
            Tornado: 4.5.1
                ZMQ: 4.1.6
     
    System Versions:
               dist:   
             locale: cp1252
            machine: AMD64
            release: 2016Server
             system: Windows
            version: 2016Server 10.0.14393  Multiprocessor Free

@Ch3LL (Contributor) commented Sep 10, 2018

ping @saltstack/team-windows any ideas here if this is currently possible or I'll just label as feature

@Ch3LL added this to the Blocked milestone Sep 10, 2018

@twangboy (Contributor) commented Sep 10, 2018

Sometimes you can pass Not Configured or None, depending on the policy you're setting.

@UtahDave (Member, Author) commented Sep 11, 2018

@twangboy I tried None without success. I'll try Not Configured. I've tried several variations of both of these and I kept getting an error because it failed to convert the name to the SID.

@lomeroe (Contributor) commented Sep 11, 2018

@lomeroe (Contributor) commented Sep 12, 2018

To expand on my previous comment, this should work to remove all users:

no_trusted_caller:
  lgpo.set:
    - cumulative_rights_assignments: False
    - computer_policy:
        SeTrustedCredManAccessPrivilege: []

The cumulative_rights_assignments argument is intended to determine if lgpo will make sure the listed users have the right (True) or that the right matches the list exactly (False).
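
The two modes described in the comment above, modelled in Python as an added example that is not part of the original thread and not Salt's own code: it parses a constructed `secedit` user-rights export and shows what an empty list does in each mode. The `holders` and `plan` helpers, the sample export and its SID values are assumptions made for illustration.

```python
import configparser

# Constructed sample of the [Privilege Rights] section written by
# `secedit /export /areas USER_RIGHTS /cfg <file>`; all values are made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTrustedCredManAccessPrivilege = vagrant,*S-1-5-21-1111111111-2222222222-3333333333-500
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""


def holders(export_text, right):
    """Accounts/SIDs holding `right`, lower-cased; empty set if the right is unassigned."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # privilege names are matched exactly as written
    cp.read_string(export_text)
    raw = cp.get("Privilege Rights", right, fallback="")
    return {a.strip().lstrip("*").lower() for a in raw.split(",") if a.strip()}


def plan(current, desired, cumulative):
    """Hypothetical model of the two modes (not Salt's code).

    Identities are compared as plain strings; a real check would first
    resolve every name to its SID.
    """
    desired = {d.lower() for d in desired}
    to_add = desired - current
    # cumulative=True only ever adds, so an empty list changes nothing.
    to_remove = set() if cumulative else current - desired
    return to_add, to_remove, (current | to_add) - to_remove


if __name__ == "__main__":
    current = holders(SAMPLE_EXPORT, "SeTrustedCredManAccessPrivilege")
    for cumulative in (True, False):
        add, remove, result = plan(current, [], cumulative)
        print(f"cumulative={cumulative}: add={sorted(add)} "
              f"remove={sorted(remove)} holders_after={sorted(result)}")
```

Real `secedit` exports are usually UTF-16 encoded, so decode the file accordingly before passing its text to `holders`.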

@mike2523 commented Sep 12, 2018

@lomeroe - cumulative_rights_assignments=False fixed this up for me. Thanks for the insight! These really need to be in docs :)

@twangboy (Contributor) commented Sep 14, 2018

@lomeroe Oh, yeah... I forgot about that. Good catch!
