Try SpotterChange ACL inheritance
Authors: Oleg Galushko (@inorangestylee), Hans-Joachim Kliemeck (@h0nIg)
Install with ansible-galaxy collection install ansible.windows:==2.3.0
collections:
- name: ansible.windows
version: 2.3.0Change ACL (Access Control List) inheritance and optionally copy inherited ACE's (Access Control Entry) to dedicated ACE's or vice versa.
- name: Disable inherited ACE's
ansible.windows.win_acl_inheritance:
path: C:\apache
state: absent
- name: Disable and copy inherited ACE's
ansible.windows.win_acl_inheritance:
path: C:\apache
state: absent
reorganize: true
- name: Enable and remove dedicated ACE's
ansible.windows.win_acl_inheritance:
path: C:\apache
state: present
reorganize: true
- name: Disable registry key inherited ACE's
ansible.windows.win_acl_inheritance:
path: HKLM:\SOFTWARE\Secrets
state: absent
- name: Disable and copy registry key inherited ACE's
ansible.windows.win_acl_inheritance:
path: HKLM:\SOFTWARE\Secrets
state: absent
reorganize: true
- name: Enable and remove registry key dedicated ACE's
ansible.windows.win_acl_inheritance:
path: HKLM:\SOFTWARE\Secrets
state: present
reorganize: true
path:
description:
- Path to be used for changing inheritance
- Support for registry keys have been added in C(ansible.windows>=1.11.0)
required: true
type: str
state:
choices:
- absent
- present
default: absent
description:
- Specify whether to enable I(present) or disable I(absent) ACL inheritance.
type: str
reorganize:
default: false
description:
- For C(state=absent), indicates if the inherited ACE's should be copied from the
parent. This is necessary (in combination with removal) for a simple ACL instead
of using multiple ACE deny entries.
- For C(state=present), indicates if the inherited ACE's should be deduplicated compared
to the parent. This removes complexity of the ACL structure.
type: bool