ansible.windows.win_user_right – Manage Windows User Rights
Note
This plugin is part of the ansible.windows collection (version 1.3.0).
To install it use: ansible-galaxy collection install ansible.windows.
To use it in a playbook, specify: ansible.windows.win_user_right.
Synopsis
- Add, remove or set User Rights for users or groups.
- You can set user rights for both local and domain accounts.

Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| action string | Choices: add, remove, set | add will add the users/groups to the existing right. remove will remove the users/groups from the existing right. set will replace the users/groups of the existing right. |
| name string / required | | The name of the User Right as shown by the Constant Name value from https://technet.microsoft.com/en-us/library/dd349804.aspx. The module will return an error if the right is invalid. |
| users list / elements=string / required | | A list of users or groups to add/remove on the User Right. These can be in the form DOMAIN\user-group or user-group@domain (UPN form) for domain users/groups. For local users/groups it can be in the form user-group, .\user-group, SERVERNAME\user-group where SERVERNAME is the name of the remote server. You can also add special local accounts like SYSTEM and others. Can be set to an empty list with action=set to remove all accounts from the right. |

Notes
- If the server is domain joined, this module can change a right, but if a GPO governs that right then the changes won't last.

See Also
- ansible.windows.win_group: The official documentation on the ansible.windows.win_group module.
- ansible.windows.win_group_membership: The official documentation on the ansible.windows.win_group_membership module.
- ansible.windows.win_user: The official documentation on the ansible.windows.win_user module.

Examples
```yaml
---
- name: Replace the entries of Deny log on locally
  ansible.windows.win_user_right:
    name: SeDenyInteractiveLogonRight
    users:
    - Guest
    - Users
    action: set

- name: Add account to Log on as a service
  ansible.windows.win_user_right:
    name: SeServiceLogonRight
    users:
    - .\Administrator
    - '{{ansible_hostname}}\local-user'
    action: add

- name: Remove accounts who can create Symbolic links
  ansible.windows.win_user_right:
    name: SeCreateSymbolicLinkPrivilege
    users:
    - SYSTEM
    - Administrators
    - DOMAIN\User
    - user@domain.example  # UPN form; placeholder address
    action: remove

- name: Remove all accounts who cannot log on remote interactively
  ansible.windows.win_user_right:
    name: SeDenyRemoteInteractiveLogonRight
    users: []
```

Return Values
Common return values are documented here; the following are the fields unique to this module:

| Key | Returned | Description |
|---|---|---|
| added list / elements=string | success | A list of accounts that were added to the right; this is empty if no accounts were added. Sample: ['NT AUTHORITY\\SYSTEM', 'DOMAIN\\User'] |
| removed list / elements=string | success | A list of accounts that were removed from the right; this is empty if no accounts were removed. Sample: ['SERVERNAME\\Administrator', 'BUILTIN\\Administrators'] |

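
The following playbook is an added example, not part of the module's own documentation. It enforces a small user-rights baseline with action=set and uses the added and removed return values to report what changed on each host. The host group windows, the variable name user_rights_baseline, and the chosen rights and accounts are assumptions made for illustration.

```yaml
---
# Added example: constructed baseline, not taken from the module documentation.
- name: Enforce a user-rights baseline and report drift
  hosts: windows              # assumed inventory group
  gather_facts: false
  vars:
    user_rights_baseline:     # hypothetical variable; rights and accounts are sample values
      - name: SeDebugPrivilege
        users: [Administrators]
      - name: SeDenyNetworkLogonRight
        users: [Guests]
      - name: SeDenyRemoteInteractiveLogonRight
        users: [Guests]

  tasks:
    - name: Set each right to exactly the baseline accounts
      ansible.windows.win_user_right:
        name: "{{ item.name }}"
        users: "{{ item.users }}"
        action: set           # replace the current holders instead of appending to them
      loop: "{{ user_rights_baseline }}"
      loop_control:
        label: "{{ item.name }}"
      register: rights_result

    # Each loop result carries the module's added/removed lists for that right.
    - name: Report accounts that were added to or removed from a right
      ansible.builtin.debug:
        msg: >-
          {{ item.item.name }}:
          added={{ item.added }} removed={{ item.removed }}
      loop: "{{ rights_result.results }}"
      loop_control:
        label: "{{ item.item.name }}"
      when: item is changed
```

A right that reports the same removed accounts on every run is probably being reapplied by a GPO, which is the situation the Notes section describes.
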
Authors
- Jordan Borean (@jborean93)
 
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/ansible/windows/win_user_right_module.html