ansible.windows
Problems with win_acl module.
SUMMARY
In several cases the module does not do what it should, and misleadingly reports that it finished successfully and/or that the system was changed.
ISSUE TYPE
- Bug Report
COMPONENT NAME
win_acl
ANSIBLE VERSION
ansible 2.10.1
config file = None
configured module search path = ['/home/laszlo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/laszlo/ansible_venv/lib64/python3.6/site-packages/ansible
executable location = /home/laszlo/ansible_venv/bin/ansible
python version = 3.6.8 (default, Sep 26 2019, 11:57:09) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
The command did not produce any output.
OS / ENVIRONMENT
Target is Windows Server 2019
STEPS TO REPRODUCE
I've created 6 small playbooks to reproduce the issue: 3 for the filesystem and 3 for the registry,
- one to create the test prerequisites,
- one to execute the tests,
- one to clean up the system.
Create filesystem:
```yaml
---
- hosts: windows_laszlo
  tasks:
    - name: Create Test folder structure
      win_file:
        path: c:\TestFldr\SubFldr
        state: directory
    - name: Create Test user
      win_user:
        name: TestUser
        password: TUP4ssw0rd
        state: present
        groups:
          - Users
    - name: Query ACL
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL
    - debug:
        var: GetACL.stdout_lines
```
Create registry:
```yaml
---
- hosts: windows_laszlo
  tasks:
    - name: Create Test key
      win_regedit:
        path: HKLM:\Software\Test
        state: present
    - name: Create Test user
      win_user:
        name: TestUser
        password: TUP4ssw0rd
        state: present
        groups:
          - Users
    - name: Query ACL
      win_shell: (get-acl HKLM:Software\Test).AccessToString
      register: GetACL
    - debug:
        var: GetACL.stdout_lines
```
Cleanup filesystem:
```yaml
---
- hosts: windows_laszlo
  tasks:
    - name: remove Test folder
      win_file:
        path: c:\TestFldr\SubFldr
        state: absent
    - name: remove Test user
      win_user:
        name: TestUser
        state: absent
```
Cleanup registry:
```yaml
---
- hosts: windows_laszlo
  tasks:
    - name: Create Test key
      win_regedit:
        path: HKLM:\Software\Test
        state: present
    - name: Create Test user
      win_user:
        name: TestUser
        password: TUP4ssw0rd
        state: present
        groups:
          - Users
    - name: Query ACL
      win_shell: (get-acl HKLM:Software\Test).AccessToString
      register: GetACL
    - debug:
        var: GetACL.stdout_lines
```
Run tests filesystem:
```yaml
---
- hosts: windows_laszlo
  tasks:
    - name: Query ACL
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL
    - debug:
        var: GetACL.stdout_lines
    - name: Remove standard user access
      win_acl:
        path: c:\TestFldr\SubFldr
        user: Users
        rights: ReadAndExecute
        type: allow
        state: absent
      register: SetACL
    - debug:
        var: SetACL
    - name: Query ACL1
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL1
    - debug:
        var: GetACL1.stdout_lines
    - name: add Read and Execute rights to Built-in Users
      win_acl:
        path: c:\TestFldr\SubFldr
        user: Users
        rights: ReadAndExecute
        type: allow
        state: present
    - name: Query ACL2
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL2
    - debug:
        var: GetACL2.stdout_lines
    - name: add Write rights to Built-in Users group
      win_acl:
        path: c:\TestFldr\SubFldr
        user: Users
        rights: Write
        type: allow
        state: present
    - name: Query ACL31
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL31
    - debug:
        var: GetACL31.stdout_lines
    - name: revoke the previously added Write rights from Built-in Users group
      win_acl:
        path: c:\TestFldr\SubFldr
        user: Users
        rights: Write
        type: allow
        state: absent
    - name: Query ACL32
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL32
    - debug:
        var: GetACL32.stdout_lines
    - name: add Read and Execute rights to TestUser
      win_acl:
        path: c:\TestFldr\SubFldr
        user: TestUser
        rights: ReadAndExecute
        type: allow
        state: present
    - name: Query ACL4
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL4
    - debug:
        var: GetACL4.stdout_lines
    - name: add Modify rights to TestUser
      win_acl:
        path: c:\TestFldr\SubFldr
        user: TestUser
        rights: Modify
        type: allow
        state: present
    - name: Query ACL41
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL41
    - debug:
        var: GetACL41.stdout_lines
    - name: revoke Modify rights from TestUser
      win_acl:
        path: c:\TestFldr\SubFldr
        user: TestUser
        rights: Modify
        type: allow
        state: absent
    - name: Query ACL42
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL42
    - debug:
        var: GetACL42.stdout_lines
    - name: restore the expected state
      win_acl:
        path: c:\TestFldr\SubFldr
        user: TestUser
        rights: ReadAndExecute
        type: allow
        state: present
    - name: Query ACL43
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL43
    - debug:
        var: GetACL43.stdout_lines
    - name: add Write rights to TestUser
      win_acl:
        path: c:\TestFldr\SubFldr
        user: TestUser
        rights: Write
        type: allow
        state: present
    - name: Query ACL44
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL44
    - debug:
        var: GetACL44.stdout_lines
    - name: revoke Write rights from TestUser
      win_acl:
        path: c:\TestFldr\SubFldr
        user: TestUser
        rights: Write
        type: allow
        state: absent
    - name: Query ACL45
      win_shell: (get-acl c:\TestFldr\SubFldr).AccessToString
      register: GetACL45
    - debug:
        var: GetACL45.stdout_lines
```
Run tests registry:
```yaml
---
- hosts: windows_laszlo
  tasks:
    - name: Query ACL
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL
    - debug:
        var: GetACL.stdout_lines
    - name: Remove standard user access
      win_acl:
        path: HKLM:\Software\Test
        user: Users
        rights: ReadKey
        type: allow
        state: absent
      register: SetACL
    - debug:
        var: SetACL
    - name: Query ACL1
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL1
    - debug:
        var: GetACL1.stdout_lines
    - name: add Read and Execute rights to Built-in Users
      win_acl:
        path: HKLM:\Software\Test
        user: Users
        rights: ReadKey
        type: allow
        state: present
    - name: Query ACL2
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL2
    - debug:
        var: GetACL2.stdout_lines
    - name: add SetValue rights to Built-in Users group
      win_acl:
        path: HKLM:\Software\Test
        user: Users
        rights: SetValue
        type: allow
        state: present
    - name: Query ACL31
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL31
    - debug:
        var: GetACL31.stdout_lines
    - name: revoke the previously added SetValue rights from Built-in Users group
      win_acl:
        path: HKLM:\Software\Test
        user: Users
        rights: SetValue
        type: allow
        state: absent
    - name: Query ACL32
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL32
    - debug:
        var: GetACL32.stdout_lines
    - name: add Read and Execute rights to TestUser
      win_acl:
        path: HKLM:\Software\Test
        user: TestUser
        rights: ReadKey
        type: allow
        state: present
    - name: Query ACL4
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL4
    - debug:
        var: GetACL4.stdout_lines
    - name: add WriteKey rights to TestUser
      win_acl:
        path: HKLM:\Software\Test
        user: TestUser
        rights: WriteKey
        type: allow
        state: present
    - name: Query ACL41
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL41
    - debug:
        var: GetACL41.stdout_lines
    - name: revoke WriteKey rights from TestUser
      win_acl:
        path: HKLM:\Software\Test
        user: TestUser
        rights: WriteKey
        type: allow
        state: absent
    - name: Query ACL42
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL42
    - debug:
        var: GetACL42.stdout_lines
    - name: restore the expected state
      win_acl:
        path: HKLM:\Software\Test
        user: TestUser
        rights: ReadKey
        type: allow
        state: present
    - name: Query ACL43
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL43
    - debug:
        var: GetACL43.stdout_lines
    - name: add SetValue rights to TestUser
      win_acl:
        path: HKLM:\Software\Test
        user: TestUser
        rights: SetValue
        type: allow
        state: present
    - name: Query ACL44
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL44
    - debug:
        var: GetACL44.stdout_lines
    - name: revoke SetValue rights from TestUser
      win_acl:
        path: HKLM:\Software\Test
        user: TestUser
        rights: SetValue
        type: allow
        state: absent
    - name: Query ACL45
      win_shell: (get-acl HKLM:\Software\Test).AccessToString
      register: GetACL45
    - debug:
        var: GetACL45.stdout_lines
```
EXPECTED RESULTS
Let me explain the expected results through the execution log below, in the actual results section, with my comments.
ACTUAL RESULTS
PLAY [windows_laszlo] **********************************************************
TASK [Gathering Facts] *********************************************************
ok: [10.137.58.169]
TASK [Query ACL] ***************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL.stdout_lines": [
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [Remove standard user access] *********************************************
ok: [10.137.58.169]
Here I wouldn't expect a simple "OK", as the access was not removed.
TASK [Query ACL1] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL1.stdout_lines": [
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Read and Execute rights to Built-in Users] ***************************
changed: [10.137.58.169]
Here it is questionable, as the Read&Execute rights were already granted, although by an inherited entry.
TASK [Query ACL2] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL2.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Write rights to Built-in Users group] ********************************
changed: [10.137.58.169]
This is ok.
TASK [Query ACL31] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL31.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [revoke the previously added Write rights from Built-in Users group] ******
ok: [10.137.58.169]
Here I expect the granted write access to be revoked! Definitely not a simple "OK".
TASK [Query ACL32] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL32.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Read and Execute rights to TestUser] *********************************
changed: [10.137.58.169]
TASK [Query ACL4] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL4.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Modify rights to TestUser] *******************************************
changed: [10.137.58.169]
TASK [Query ACL41] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL41.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow Modify, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [revoke Modify rights from TestUser] **************************************
changed: [10.137.58.169]
Here is also a questionable point, as the Modify right is a composite one and includes Read&Execute.
TASK [Query ACL42] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL42.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [restore the expected state] **********************************************
changed: [10.137.58.169]
TASK [Query ACL43] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL43.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Write rights to TestUser] ********************************************
changed: [10.137.58.169]
TASK [Query ACL44] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL44.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow Write, ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [revoke Write rights from TestUser] ***************************************
ok: [10.137.58.169]
Here I expect the previously granted Write access to be revoked. Definitely not a simple OK!
TASK [Query ACL45] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL45.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow Write, ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
PLAY RECAP *********************************************************************
10.137.58.169 : ok=33 changed=18 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
I've written a new win_acl.ps1 with which the results seem a bit better, but still not 100%. Below is the log of the same playbook (with one additional debug task for the new win_acl task) run with my win_acl.ps1 for the filesystem:
PLAY [windows_laszlo] **********************************************************
TASK [Gathering Facts] *********************************************************
ok: [10.137.58.169]
TASK [Query ACL] ***************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL.stdout_lines": [
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [Remove standard user access] *********************************************
skipping: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"SetACL": {
"changed": false,
"failed": false,
"msg": "Actual rights: Allow: ReadAndExecute, Synchronize: Inherited, ContainerInherit, ObjectInherit; Allow: AppendData: Inherited, ContainerInherit; Allow: CreateFiles: Inherited, ContainerInherit; ",
"skipped": true
}
}
TASK [Query ACL1] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL1.stdout_lines": [
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Read and Execute rights to Built-in Users] ***************************
changed: [10.137.58.169]
TASK [Query ACL2] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL2.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Write rights to Built-in Users group] ********************************
changed: [10.137.58.169]
TASK [Query ACL31] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL31.stdout_lines": [
"BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [revoke the previously added Write rights from Built-in Users group] ******
changed: [10.137.58.169]
TASK [Query ACL32] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL32.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Read and Execute rights to TestUser] *********************************
changed: [10.137.58.169]
TASK [Query ACL4] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL4.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Modify rights to TestUser] *******************************************
changed: [10.137.58.169]
TASK [Query ACL41] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL41.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow Modify, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [revoke Modify rights from TestUser] **************************************
changed: [10.137.58.169]
TASK [Query ACL42] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL42.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [restore the expected state] **********************************************
changed: [10.137.58.169]
TASK [Query ACL43] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL43.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Write rights to TestUser] ********************************************
changed: [10.137.58.169]
TASK [Query ACL44] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL44.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow Write, ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
TASK [revoke Write rights from TestUser] ***************************************
changed: [10.137.58.169]
TASK [Query ACL45] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL45.stdout_lines": [
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"WIN-DHCP-WSUS\\TestUser Allow ReadAndExecute, Synchronize",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"BUILTIN\\Administrators Allow FullControl",
"BUILTIN\\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\\Users Allow AppendData",
"BUILTIN\\Users Allow CreateFiles",
"CREATOR OWNER Allow 268435456"
]
}
PLAY RECAP *********************************************************************
10.137.58.169 : ok=33 changed=20 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
And here is a log with my win_acl.ps1 for a registry key:
PLAY [windows_laszlo] **********************************************************
TASK [Gathering Facts] *********************************************************
ok: [10.137.58.169]
TASK [Query ACL] ***************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [Remove standard user access] *********************************************
skipping: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"SetACL": {
"changed": false,
"failed": false,
"msg": "Actual rights: Allow: ReadKey: Inherited, ContainerInherit; ",
"skipped": true
}
}
TASK [Query ACL1] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL1.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [add Read and Execute rights to Built-in Users] ***************************
changed: [10.137.58.169]
TASK [Query ACL2] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL2.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [add SetValue rights to Built-in Users group] *****************************
changed: [10.137.58.169]
TASK [Query ACL31] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL31.stdout_lines": [
"BUILTIN\\Users Allow SetValue, ReadKey",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [revoke the previously added SetValue rights from Built-in Users group] ***
changed: [10.137.58.169]
TASK [Query ACL32] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL32.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [add Read and Execute rights to TestUser] *********************************
changed: [10.137.58.169]
TASK [Query ACL4] **************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL4.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"WIN-DHCP-WSUS\\TestUser Allow ReadKey",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [add WriteKey rights to TestUser] *****************************************
changed: [10.137.58.169]
TASK [Query ACL41] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL41.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"WIN-DHCP-WSUS\\TestUser Allow SetValue, CreateSubKey, ReadKey",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [revoke WriteKey rights from TestUser] ************************************
changed: [10.137.58.169]
TASK [Query ACL42] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL42.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"WIN-DHCP-WSUS\\TestUser Allow QueryValues, EnumerateSubKeys, Notify",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [restore the expected state] **********************************************
changed: [10.137.58.169]
TASK [Query ACL43] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL43.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"WIN-DHCP-WSUS\\TestUser Allow ReadKey",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [add SetValue rights to TestUser] *****************************************
changed: [10.137.58.169]
TASK [Query ACL44] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL44.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"WIN-DHCP-WSUS\\TestUser Allow SetValue, ReadKey",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
TASK [revoke SetValue rights from TestUser] ************************************
changed: [10.137.58.169]
TASK [Query ACL45] *************************************************************
changed: [10.137.58.169]
TASK [debug] *******************************************************************
ok: [10.137.58.169] => {
"GetACL45.stdout_lines": [
"BUILTIN\\Users Allow ReadKey",
"WIN-DHCP-WSUS\\TestUser Allow ReadKey",
"BUILTIN\\Users Allow ReadKey",
"BUILTIN\\Administrators Allow FullControl",
"NT AUTHORITY\\SYSTEM Allow FullControl",
"CREATOR OWNER Allow FullControl",
"APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadKey",
"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey"
]
}
PLAY RECAP *********************************************************************
10.137.58.169 : ok=33 changed=20 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
Please let me know if you need my win_acl.ps1 file.
I've recently run into a (possibly) similar issue when trying to remove the BUILTIN\Users access from a folder. The issue appears to be two-fold - creating the ACE and then trying to match it to an ACL rule.
The code used for the test is as follows:
- name: win_acl Testing
  block:
    - name: Disable inheritance on folder and copy inherited rights
      win_acl_inheritance:
        path: 'D:\folder4'
        reorganize: yes
        state: absent
    - name: Query ACL (Before change)
      win_shell: (get-acl -Path D:\folder4).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
      register: GetACL_before
    - name: Show ACL before Removal
      debug:
        msg: "{{ GetACL_before.stdout_lines }}"
    - name: Remove the CreateFiles, AppendData rights
      win_acl:
        inherit: 'ContainerInherit'
        path: 'D:\folder4'
        propagation: 'None'
        rights: 'CreateFiles, AppendData'
        state: absent
        type: 'allow'
        user: 'Users'
    - name: Query ACL (After)
      win_shell: (get-acl -Path D:\folder4).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
      register: GetACL_after
    - name: Show ACL after Removal
      debug:
        msg: "{{ GetACL_after.stdout_lines }}"
  tags:
    - win_acl_test
The relevant output is as follows:
TASK [webserver : Disable inheritance on folder and copy inherited rights] *****
changed: [utilappvb34831]
TASK [webserver : Query ACL (Before change)] ***********************************
changed: [utilappvb34831]
TASK [webserver : Show ACL before Removal] **************************************
ok: [utilappvb34831] => {
"msg": [
"",
"",
"FileSystemRights : 268435456",
"AccessControlType : Allow",
"IdentityReference : CREATOR OWNER",
"IsInherited : False",
"InheritanceFlags : ContainerInherit, ObjectInherit",
"PropagationFlags : InheritOnly",
"",
"FileSystemRights : FullControl",
"AccessControlType : Allow",
"IdentityReference : NT AUTHORITY\\\\SYSTEM",
"IsInherited : False",
"InheritanceFlags : ContainerInherit, ObjectInherit",
"PropagationFlags : None",
"",
"FileSystemRights : FullControl",
"AccessControlType : Allow",
"IdentityReference : BUILTIN\\\\Administrators",
"IsInherited : False",
"InheritanceFlags : ContainerInherit, ObjectInherit",
"PropagationFlags : None",
"",
"FileSystemRights : ReadAndExecute, Synchronize",
"AccessControlType : Allow",
"IdentityReference : BUILTIN\\\\Users",
"IsInherited : False",
"InheritanceFlags : ContainerInherit, ObjectInherit",
"PropagationFlags : None",
"",
"FileSystemRights : CreateFiles, AppendData",
"AccessControlType : Allow",
"IdentityReference : BUILTIN\\\\Users",
"IsInherited : False",
"InheritanceFlags : ContainerInherit",
"PropagationFlags : None",
"",
"",
""
]
}
TASK [webserver : Remove the CreateFiles, AppendData rights] *******************
ok: [utilappvb34831]
TASK [webserver : Query ACL (After)] *******************************************
changed: [utilappvb34831]
TASK [webserver : Show ACL after Removal] **************************************
ok: [utilappvb34831] => {
"msg": [
"",
"",
"FileSystemRights : 268435456",
"AccessControlType : Allow",
"IdentityReference : CREATOR OWNER",
"IsInherited : False",
"InheritanceFlags : ContainerInherit, ObjectInherit",
"PropagationFlags : InheritOnly",
"",
"FileSystemRights : FullControl",
"AccessControlType : Allow",
"IdentityReference : NT AUTHORITY\\\\SYSTEM",
"IsInherited : False",
"InheritanceFlags : ContainerInherit, ObjectInherit",
"PropagationFlags : None",
"",
"FileSystemRights : FullControl",
"AccessControlType : Allow",
"IdentityReference : BUILTIN\\\\Administrators",
"IsInherited : False",
"InheritanceFlags : ContainerInherit, ObjectInherit",
"PropagationFlags : None",
"",
"FileSystemRights : ReadAndExecute, Synchronize",
"AccessControlType : Allow",
"IdentityReference : BUILTIN\\\\Users",
"IsInherited : False",
"InheritanceFlags : ContainerInherit, ObjectInherit",
"PropagationFlags : None",
"",
"FileSystemRights : CreateFiles, AppendData",
"AccessControlType : Allow",
"IdentityReference : BUILTIN\\\\Users",
"IsInherited : False",
"InheritanceFlags : ContainerInherit",
"PropagationFlags : None",
"",
"",
""
]
}
PLAY RECAP *********************************************************************
utilappvb34831 : ok=7 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The ACL on the folder is unchanged, and here's why:
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
When creating $objACE in win_acl.ps1 with FileSystemRights 'CreateFiles, AppendData', the rights in $objACE are actually created as 'CreateFiles, AppendData, Synchronize'.
This can be verified by running the following in PowerShell:
# Define variables
$Rights = 'CreateFiles, AppendData'
$Inherit = 'ContainerInherit'
$Propagation = 'None'
$AccessControlType = 'Allow'
$Account = [System.Security.Principal.NTAccount]::new('BUILTIN\Users')
# Define parameters for the ACE object (mirrors what win_acl.ps1 builds)
$objUser = $Account.Translate([System.Security.Principal.NTAccount])
$colRights = [System.Security.AccessControl.FileSystemRights]$Rights
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$Inherit
$propagationFlag = [System.Security.AccessControl.PropagationFlags]$Propagation
$objType = [System.Security.AccessControl.AccessControlType]::$AccessControlType
# Instantiate the ACE object and display it
$objACE = [System.Security.AccessControl.FileSystemAccessRule]::new($objUser, $colRights, $inheritanceFlag, $propagationFlag, $objType)
$objACE
Even though the rights specified in $Rights are 'CreateFiles, AppendData', the FileSystemRights property of $objACE is as follows:
FileSystemRights : CreateFiles, AppendData, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
This is a problem because win_acl.ps1 tries to match the folder ACL FileSystemRights (CreateFiles, AppendData) with the ACE FileSystemRights (CreateFiles, AppendData, Synchronize) here, and no match will exist:
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And
    ($rule.AccessControlType -eq $objACE.AccessControlType) -And
    ($rule.IdentityReference -eq $objACE.IdentityReference) -And
    ($rule.IsInherited -eq $objACE.IsInherited) -And
    ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And
    ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
    $match = $true
    Break
}
The automatic addition of Synchronize to $objACE, and the subsequent match attempt against the $objACL rule, will cause the match to be false and the module to exit without making a change.
You can refer to https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights where it explains that Synchronize "Specifies whether the application can wait for a file handle to synchronize with the completion of an I/O operation. This value is automatically set when allowing access and automatically excluded when denying access."
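The following PowerShell is an added example, not code from win_acl.ps1 or from the comment above. It reproduces the mismatch entirely in memory: a DirectorySecurity object is loaded from a constructed SDDL string whose BUILTIN\Users ACE has mask 0x6 (CreateFiles | AppendData) and no Synchronize bit, which is the shape of the ACE the folder output above shows. It then compares that stored ACE against a FileSystemAccessRule built the way win_acl.ps1 builds it, first with the module's exact-equality check and then with a mask comparison that treats Synchronize as a don't-care bit. The function names New-RequestedAce and Find-MatchingAce, and the SDDL, are assumptions made for the demo.

```powershell
# Added example; not part of win_acl.ps1 or of the original report.
# Runs on Windows PowerShell 5.1 or PowerShell 7 without touching the file system.

$Sync = [System.Security.AccessControl.FileSystemRights]::Synchronize

# Build the ACE the caller asked for, the same way win_acl.ps1 does.
# The FileSystemAccessRule constructor silently adds Synchronize to Allow
# rules and silently strips it from Deny rules.
function New-RequestedAce {
    param([string]$Rights, [string]$Type)
    $user = [System.Security.Principal.NTAccount]::new('BUILTIN\Users')
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $user,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]$Type)
}

# Look for $Ace in $Rules. Without -IgnoreSynchronize this is the module's
# exact-equality check; with it, the Synchronize bit is masked out of both
# sides before the rights are compared, so an Allow ACE stored without
# Synchronize still matches a request that gained it in the constructor.
function Find-MatchingAce {
    param($Rules, $Ace, [switch]$IgnoreSynchronize)
    foreach ($rule in $Rules) {
        $want = [int]$Ace.FileSystemRights
        $have = [int]$rule.FileSystemRights
        if ($IgnoreSynchronize) {
            $want = $want -band (-bnot [int]$Sync)
            $have = $have -band (-bnot [int]$Sync)
        }
        if ($have -eq $want -and
            $rule.AccessControlType -eq $Ace.AccessControlType -and
            $rule.IdentityReference -eq $Ace.IdentityReference -and
            $rule.IsInherited -eq $Ace.IsInherited -and
            $rule.InheritanceFlags -eq $Ace.InheritanceFlags -and
            $rule.PropagationFlags -eq $Ace.PropagationFlags) {
            return $rule
        }
    }
    return $null
}

# Constructed DACL: SYSTEM and Administrators get full control; BUILTIN\Users
# gets mask 0x6 (CreateFiles|AppendData) with ContainerInherit only and no
# Synchronize bit, like the ACE left behind by win_acl_inheritance above.
$sd = [System.Security.AccessControl.DirectorySecurity]::new()
$sd.SetSecurityDescriptorSddlForm('D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;CI;0x6;;;BU)')
$rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$stored = $rules | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }

$requested = New-RequestedAce -Rights 'CreateFiles, AppendData' -Type 'Allow'
$denied    = New-RequestedAce -Rights 'CreateFiles, AppendData, Synchronize' -Type 'Deny'

"Stored ACE rights          : {0}" -f $stored.FileSystemRights
"Requested Allow ACE rights : {0}" -f $requested.FileSystemRights
"Requested Deny ACE rights  : {0}" -f $denied.FileSystemRights
"Exact match (module logic) : {0}" -f ($null -ne (Find-MatchingAce $rules $requested))
"Match ignoring Synchronize : {0}" -f ($null -ne (Find-MatchingAce $rules $requested -IgnoreSynchronize))
```

The first comparison fails for the reason the comment gives: the stored ACE reads CreateFiles, AppendData while the requested one reads CreateFiles, AppendData, Synchronize. Masking Synchronize out of both operands before comparing is one way to make the lookup tolerant of the bit the constructor manages on its own; the Deny ACE line shows the mirror-image behaviour (Synchronize removed) that the linked FileSystemRights documentation describes.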