ansible.windows.win_user_right – Manage Windows User Rights
Note
This plugin is part of the ansible.windows collection (version 1.8.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install ansible.windows.
To use it in a playbook, specify: ansible.windows.win_user_right.
Synopsis
Add, remove or set User Rights for users or groups.
You can set user rights for both local and domain accounts.
Parameters
Parameter | Comments |
---|---|
action | Choices: add, remove, set |
name | The name of the User Right as shown by the The module will return an error if the right is invalid. |
users | A list of users or groups to add/remove on the User Right. These can be in the form DOMAIN\user-group, user-group@DOMAIN.COM for domain users/groups. For local users/groups it can be in the form user-group, .\user-group, SERVERNAME\user-group where SERVERNAME is the name of the remote server. You can also add special local accounts like SYSTEM and others. Can be set to an empty list with action=set to remove all accounts from the right. |
Notes
If the server is domain joined, this module can change a right, but if a GPO governs this right then the changes won’t last.
See Also
- ansible.windows.win_group
The official documentation on the ansible.windows.win_group module.
- ansible.windows.win_group_membership
The official documentation on the ansible.windows.win_group_membership module.
- ansible.windows.win_user
The official documentation on the ansible.windows.win_user module.
Examples
```yaml
---
- name: Replace the entries of Deny log on locally
  ansible.windows.win_user_right:
    name: SeDenyInteractiveLogonRight
    users:
      - Guest
      - Users
    action: set

- name: Add account to Log on as a service
  ansible.windows.win_user_right:
    name: SeServiceLogonRight
    users:
      - .\Administrator
      - '{{ ansible_hostname }}\local-user'
    action: add

- name: Remove accounts who can create Symbolic links
  ansible.windows.win_user_right:
    name: SeCreateSymbolicLinkPrivilege
    users:
      - SYSTEM
      - Administrators
      - DOMAIN\User
      - group@DOMAIN.COM
    action: remove

- name: Remove all accounts who cannot log on remote interactively
  ansible.windows.win_user_right:
    name: SeDenyRemoteInteractiveLogonRight
    users: []
```
Return Values
Common return values are documented here. The following are the fields unique to this module:
Key | Description |
---|---|
added | A list of accounts that were added to the right, this is empty if no accounts were added. Returned: success. Sample: ["NT AUTHORITY\\SYSTEM", "DOMAIN\\User"] |
removed | A list of accounts that were removed from the right, this is empty if no accounts were removed. Returned: success. Sample: ["SERVERNAME\\Administrator", "BUILTIN\\Administrators"] |
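Because a GPO can silently revert a right (see Notes), it helps to audit rights against a baseline and read the module's added and removed return values to see what drifted. The play below is an added example, not part of the module's own documentation: the inventory group `windows` and the `user_right_baseline` list are constructed for illustration, and it relies on running the module in check mode so the host is not changed.

```yaml
---
- name: Audit user rights against a baseline without changing the host
  hosts: windows              # hypothetical inventory group
  gather_facts: false
  vars:
    # Constructed baseline for illustration; replace with your own policy.
    user_right_baseline:
      - name: SeDenyInteractiveLogonRight
        users: [Guest]
      - name: SeDenyRemoteInteractiveLogonRight
        users: [Guest]
      - name: SeCreateSymbolicLinkPrivilege
        users: [Administrators]
  tasks:
    - name: Compare each right with the baseline (check mode, nothing is written)
      ansible.windows.win_user_right:
        name: "{{ item.name }}"
        users: "{{ item.users }}"
        action: set
      loop: "{{ user_right_baseline }}"
      loop_control:
        label: "{{ item.name }}"
      check_mode: true
      register: right_audit

    # With action=set, "added" lists baseline accounts missing on the host and
    # "removed" lists accounts present on the host but absent from the baseline.
    - name: Report rights that differ from the baseline
      ansible.builtin.debug:
        msg: >-
          {{ item.item.name }} drifted:
          missing={{ item.added }} unexpected={{ item.removed }}
      loop: "{{ right_audit.results | selectattr('changed') | list }}"
      loop_control:
        label: "{{ item.item.name }}"

    - name: Fail the run if any right has drifted
      ansible.builtin.assert:
        that: right_audit.results | selectattr('changed') | list | length == 0
        fail_msg: User rights differ from the baseline; check whether a GPO governs them.
```

If the same right keeps reappearing in the report after being enforced, that points to a GPO owning the setting, and the fix belongs in the GPO rather than in the playbook.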
Authors
Jordan Borean (@jborean93)