File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/states/__pycache__/win_lgpo.cpython-310.pyc
Manage Windows Local Group Policy
=================================

.. versionadded:: 2016.11.0

This state module allows you to configure local Group Policy on Windows. You
can ensure the setting of a single policy or multiple policies in one pass.

Single policies must specify the policy name, the setting, and the policy class
(Machine/User/Both). Here are some examples for setting a single policy setting.

Example single policy configuration:

.. code-block:: yaml

    Ensure Account Lockout Duration:
      lgpo.set:
        - name: Account lockout duration
        - setting: 90
        - policy_class: Machine

Example using abbreviated form:

.. code-block:: yaml

    Account lockout duration:
      lgpo.set:
        - setting: 120
        - policy_class: Machine

It is also possible to set multiple policies in a single state. This is done by
setting the settings under either `computer_policy` or `user_policy`. Here are
some examples for setting multiple policy settings in a single state.

Multiple policy configuration:

.. code-block:: yaml

    Company Local Group Policy:
        lgpo.set:
            - computer_policy:
                Deny log on locally:
                  - Guest
                Account lockout duration: 120
                Account lockout threshold: 10
                Reset account lockout counter after: 120
                Enforce password history: 24
                Maximum password age: 60
                Minimum password age: 1
                Minimum password length: 14
                Password must meet complexity requirements: Enabled
                Store passwords using reversible encryption: Disabled
                Configure Automatic Updates:
                    Configure automatic updating: 4 - Auto download and schedule the install
                    Scheduled install day: 7 - Every Saturday
                    Scheduled install time: "17:00"
                Specify intranet Microsoft update service location:
                    Set the intranet update service for detecting updates: http://mywsus
                    Set the intranet statistics server: http://mywsus
            - user_policy:
                Do not process the legacy run list: Enabled

.. code-block:: text

    server_policy:
      lgpo.set:
        - computer_policy:
            Maximum password age: 60
            Minimum password age: 1
            Minimum password length: 14
            Account lockout duration: 120
            Account lockout threshold: 10
            Reset account lockout counter after: 120
            Manage auditing and security log:
              - "BUILTIN\\Administrators"
            Replace a process level token:
              - "NT AUTHORITY\\NETWORK SERVICE"
              - "NT AUTHORITY\\LOCAL SERVICE"
            "Accounts: Guest account status": Disabled
            "Accounts: Rename guest account": Not_4_U
            "Audit: Audit the use of Backup and Restore privilege": Enabled
            "Interactive logon: Do not display last user name": Enabled
            "Network\\DNS Client\\Dynamic update": Disabled
            "System\\Logon\\Do not display the Getting Started welcome screen at logon": Enabled
            "Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Select RDP transport protocols":
                "Select Transport Type": "Use both UDP and TCP"
            "Windows Components\\Windows Update\\Allow Automatic Updates immediate installation": Enabled
            "Windows Components\\Windows Update\\Allow non-administrators to receive update notifications": Disabled
            "Windows Components\\Windows Update\\Always automatically restart at the scheduled time":
                "The restart timer will give users this much time to save their work (minutes)": 15
            "Windows Components\\Windows Update\\Automatic Updates detection frequency":
                "Check for updates at the following interval (hours)": 1
            "Windows Components\\Windows Update\\Configure Automatic Updates":
                "Configure automatic updating": 4 - Auto download and schedule the install
                "Install during automatic maintenance": False
                "Scheduled install day": 7 - Every Saturday
                "Scheduled install time": "17:00"
            "Windows Components\\Windows Update\\Delay Restart for scheduled installations":
                "Wait the following period before proceeding with a scheduled restart (minutes)": 1
            "Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations": Disabled
            "Windows Components\\Windows Update\\Re-prompt for restart with scheduled installations":
                "Wait the following period before prompting again with a scheduled restart (minutes)": 30
            "Windows Components\\Windows Update\\Reschedule Automatic Updates scheduled installations": Disabled
            "Windows Components\\Windows Update\\Specify intranet Microsoft update service location":
                "Set the intranet update service for detecting updates": http://mywsus
                "Set the intranet statistics server": http://mywsus
        - cumulative_rights_assignments: True

    Some policy settings can't be set on their own and require that other policy
    settings are set at the same time. It can be difficult to figure out what
    additional settings need to be applied. The easiest way to do this is to
    modify the setting manually using the Group Policy Editor (`gpedit.msc`) on
    the machine. Then `get` the policy settings configured on that machine. Use
    the following command:

    .. code-block:: bash

        salt-call --local lgpo.get machine

    For example, if I want to set the Windows Update settings for a Windows
    Server 2016 machine I would go into the Group Policy Editor (`gpedit.msc`)
    and configure the group policy. That policy can be found at: Computer
    Configuration -> Administrative Templates -> Windows Components -> Windows
    Update -> Configure Automatic Updates. You have the option to "Enable" the
    policy and set some configuration options. In this example, just click
    "Enable" and accept the default configuration options. Click "OK" to apply
    the setting.

    Now run the `get` command as shown above. You will find the following in
    the minion return:

    .. code-block:: bash

        Windows Components\Windows Update\Configure Automatic Updates:
            ----------
            Configure automatic updating:
                3 - Auto download and notify for install
            Install during automatic maintenance:
                False
            Install updates for other Microsoft products:
                False
            Scheduled install day:
                0 - Every day
            Scheduled install time:
                03:00

    This shows you that to enable the "Configure Automatic Updates" policy you
    also have to configure the following settings:

    - Configure automatic updating
    - Install during automatic maintenance
    - Install updates for other Microsoft products
    - Scheduled install day
    - Scheduled install time

    So, if you were writing a state for the above policy, it would look like
    this:

    .. code-block:: bash

        configure_windows_update_settings:
          lgpo.set:
            - computer_policy:
                Configure Automatic Updates:
                  Configure automatic updating: 3 - Auto download and notify for install
                  Install during automatic maintenance: False
                  Install updates for other Microsoft products: False
                  Scheduled install day: 0 - Every day
                  Scheduled install time: 03:00

    .. note::

        It is important that you put names of policies and settings exactly as
        they are displayed in the return. That includes capitalization and
        punctuation such as periods, dashes, etc. This rule applies to both
        the setting name and the setting value.

    .. warning::

        From time to time Microsoft updates the Administrative templates on the
        machine. This can cause the policy name to change or the list of
        settings that must be applied at the same time. These settings often
        change between versions of Windows as well. For example, Windows Server
        2019 allows you to also specify a specific week of the month to apply
        the update.

    Another thing to note is the long policy name returned by the `get` function:

    .. code-block:: bash

        Windows Components\Windows Update\Configure Automatic Updates:

    When we wrote the state for this policy we only used the final portion of
    the policy name, `Configure Automatic Updates`. This usually works fine, but
    if you are having problems, you may try the long policy name.

    When writing the long name in a state file either wrap the name in single
    quotes to make yaml see it as raw data, or escape the backslashes inside
    double quotes.

    .. code-block:: text

        'Windows Components\Windows Update\Configure Automatic Updates':

        or

        "Windows Components\\Windows Update\\Configure Automatic Updates":
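
The workflow described above (configure in ``gpedit.msc``, read the return, copy names and values exactly into a state) can be scripted. This is an added example, not part of the Salt module: ``parse_return``, ``yaml_scalar`` and ``render_state`` are hypothetical helpers, the sample is the return shown earlier, and only a single policy in that layout is handled.

```python
import re

# Sample copied from the minion return shown above (default nested layout).
SAMPLE_RETURN = r"""
Windows Components\Windows Update\Configure Automatic Updates:
    ----------
    Configure automatic updating:
        3 - Auto download and notify for install
    Install during automatic maintenance:
        False
    Install updates for other Microsoft products:
        False
    Scheduled install day:
        0 - Every day
    Scheduled install time:
        03:00
"""

def parse_return(text):
    """Parse one policy from the return into (policy_name, {element: value})."""
    policy, elements, pending = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the '----------' separator
        if not raw[0].isspace():
            policy = line.rstrip(":")  # unindented line is the long policy name
        elif line.endswith(":"):
            pending = line[:-1]  # element name; its value is on the next line
        elif pending is not None:
            elements[pending], pending = line, None
    return policy, elements

def yaml_scalar(value):
    """Single-quote text YAML could reinterpret (backslash, colon, '#')."""
    if re.search(r"[\\:#]", value):
        return "'" + value.replace("'", "''") + "'"
    return value  # plain text and True/False stay bare, as in the page's state

def render_state(state_id, policy, elements, policy_class="computer_policy"):
    """Emit an lgpo.set state repeating names and values exactly as returned."""
    lines = [f"{state_id}:", "  lgpo.set:", f"    - {policy_class}:",
             f"        {yaml_scalar(policy)}:"]
    lines += [f"          {yaml_scalar(k)}: {yaml_scalar(v)}"
              for k, v in elements.items()]
    return "\n".join(lines) + "\n"
```

Because the names and values are copied rather than retyped, capitalization and punctuation stay identical to the return, and the time value and the long policy name come out single-quoted.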

``__virtual__``
    Load this state if the win_lgpo module exists

``_compare_policies(new_policy, current_policy)``
    Helper function that returns ``True`` if the policies are the same,
    otherwise ``False``

``_convert_to_unicode``
    Helper function that makes sure all items in the dictionary are unicode for
    comparing the existing state with the desired state. This function is only
    needed for Python 2 and can be removed once we've migrated to Python 3.

    The data returned by the current settings sometimes has a mix of unicode and
    string values (these don't matter in Py3). This causes the comparison to
    say it's not in the correct state even though it is. This basically compares
    apples to apples, etc.

    Also, in Python 2, the utf-16 encoded strings remain utf-16 encoded (each
    character separated by `/x00`). In Python 3 it returns a utf-8 string. This
    will just remove all the null bytes (`/x00`), again comparing apples to
    apples.

``set_``
    Ensure the specified policy is set.

    .. warning::
        The ``setting`` argument cannot be used in conjunction with the
        ``computer_policy`` or ``user_policy`` arguments

    Args:
        name (str): The name of a single policy to configure

        setting (str, dict, list):
            The configuration setting for the single named policy. If this
            argument is used the ``computer_policy`` / ``user_policy`` arguments
            will be ignored

        policy_class (str):
            The policy class of the single named policy to configure. This can
            be ``machine``, ``user``, or ``both``

        computer_policy (dict):
            A dictionary containing the policy name and key/value pairs of a
            set of computer policies to configure. If this argument is used, the
            ``name`` / ``policy_class`` arguments will be ignored

        user_policy (dict):
            A dictionary containing the policy name and key/value pairs of a
            set of user policies to configure. If this argument is used, the
            ``name`` / ``policy_class`` arguments will be ignored

        cumulative_rights_assignments (bool):
            If user rights assignments are being configured, determines if any
            user right assignment policies specified will be cumulative or
            explicit

        adml_language (str):
            The adml language to use for ADMX policy data/display conversions.
            Default is ``en-US``

        refresh_cache (bool):
            Clear the cached policy definitions before applying the state. This
            is useful when the underlying policy files (ADMX/ADML) have been
            added/modified in the same state. This will allow those new policies
            to be picked up. This adds time to the state run when applied to
            multiple states within the same run. Therefore, it is best to only
            apply this to the first policy that is applied. For individual runs
            this will have no effect. Default is ``False``

            .. versionadded:: 3006.8
            .. versionadded:: 3007.1