ansible.windows.win_user_right (2.3.0) — module

Manage Windows User Rights

Authors: Jordan Borean (@jborean93)

Install collection

Install with ansible-galaxy collection install ansible.windows:==2.3.0


Add to requirements.yml

  collections:
    - name: ansible.windows
      version: 2.3.0

Description

Add, remove or set User Rights for users or groups.

You can set user rights for both local and domain accounts.

Usage examples

---
- name: Replace the entries of Deny log on locally
  ansible.windows.win_user_right:
    name: SeDenyInteractiveLogonRight
    users:
    - Guest
    - Users
    action: set
- name: Add account to Log on as a service
  ansible.windows.win_user_right:
    name: SeServiceLogonRight
    users:
    - .\Administrator
    - '{{ansible_hostname}}\local-user'
    action: add
- name: Remove accounts who can create Symbolic links
  ansible.windows.win_user_right:
    name: SeCreateSymbolicLinkPrivilege
    users:
    - SYSTEM
    - Administrators
    - DOMAIN\User
    - group@DOMAIN.COM
    action: remove
- name: Remove all accounts who cannot log on remote interactively
  ansible.windows.win_user_right:
    name: SeDenyRemoteInteractiveLogonRight
    users: []

Inputs

    
name:
    description:
    - The name of the User Right as shown by the C(Constant Name) value from U(https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment).
    - The module will return an error if the right is invalid.
    required: true
    type: str

users:
    description:
    - A list of users or groups to add/remove on the User Right.
    - These can be in the form DOMAIN\user-group, user-group@DOMAIN.COM for domain users/groups.
    - For local users/groups it can be in the form user-group, .\user-group, SERVERNAME\user-group
      where SERVERNAME is the name of the remote server.
    - It is highly recommended to use the C(.\) or C(SERVERNAME\) prefix to avoid any
      ambiguity with domain account names or errors trying to lookup an account on a domain
      controller.
    - You can also add special local accounts like SYSTEM and others.
    - Can be set to an empty list with I(action=set) to remove all accounts from the right.
    elements: str
    required: true
    type: list

action:
    choices:
    - add
    - remove
    - set
    default: set
    description:
    - C(add) will add the users/groups to the existing right.
    - C(remove) will remove the users/groups from the existing right.
    - C(set) will replace the users/groups of the existing right.
    type: str

Outputs

added:
  description: A list of accounts that were added to the right; this is empty if no
    accounts were added.
  returned: success
  sample:
  - NT AUTHORITY\SYSTEM
  - DOMAIN\User
  type: list
removed:
  description: A list of accounts that were removed from the right; this is empty
    if no accounts were removed.
  returned: success
  sample:
  - SERVERNAME\Administrator
  - BUILTIN\Administrators
  type: list
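
An added example, not part of the module's own documentation: a play that sets two rights to a baseline and uses the registered added and removed return values to report drift from that baseline. The windows host group and the svc-backup local account are assumptions made for illustration.

```yaml
---
# Added example: enforce a baseline and report drift through the documented
# return values (added / removed).
- name: Enforce and audit user rights baseline
  hosts: windows                 # assumption: inventory group name
  gather_facts: false
  tasks:
    - name: Restrict Debug programs to the local Administrators group
      ansible.windows.win_user_right:
        name: SeDebugPrivilege
        users:
          - Administrators
        action: set              # replaces whatever was assigned before
      register: debug_right

    - name: Report accounts that held SeDebugPrivilege outside the baseline
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}: removed from SeDebugPrivilege:
          {{ debug_right.removed | join(', ') }}
      when: debug_right.removed | length > 0

    - name: Limit Log on as a service to one local service account
      ansible.windows.win_user_right:
        name: SeServiceLogonRight
        users:
          # The .\ prefix pins the lookup to the local machine, so a domain
          # account with the same name cannot be matched instead.
          - '.\svc-backup'       # assumption: hypothetical local account
        action: set
      register: service_right

    - name: Report changes made to SeServiceLogonRight
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}: added {{ service_right.added | join(', ') }};
          removed {{ service_right.removed | join(', ') }}
      when: service_right is changed
```

A non-empty removed list on a host that was previously at baseline means an account was granted the right outside this play and is worth tracing back to the change that added it.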

See also