From 299e964dbf24d0ad5b66a9ca36a0bb4f5fbebf34 Mon Sep 17 00:00:00 2001
From: Branden Pleines
Date: Wed, 1 Mar 2017 22:38:27 -0800
Subject: [PATCH] Adding registry functionality to win_acl module (#19443)

* Updated win_acl.ps1 module with registry functionality
* adding registry functionality to the most recent win_acl module in ansible/ansible
* updated in sync with win_regedit.ps1
---
 lib/ansible/modules/windows/win_acl.ps1 | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/lib/ansible/modules/windows/win_acl.ps1 b/lib/ansible/modules/windows/win_acl.ps1
index 971b8dc300..972a562a82 100644
--- a/lib/ansible/modules/windows/win_acl.ps1
+++ b/lib/ansible/modules/windows/win_acl.ps1
@@ -143,7 +143,12 @@ ElseIf ($inherit -eq "") {
 }
 Try {
+ If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
+ $colRights = [System.Security.AccessControl.RegistryRights]$rights
+ }
+ Else {
 $colRights = [System.Security.AccessControl.FileSystemRights]$rights
+ }
 $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$inherit
 $PropagationFlag = [System.Security.AccessControl.PropagationFlags]$propagation
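Review bot: The registry-path test `$path -match "^HK(CC|CR|CU|LM|U):\\"` added before the `$colRights` cast is repeated twice more in the second hunk, so three copies of the same regex now have to stay in sync; evaluating it once, e.g. `$isRegistryPath = $path -match "^HK(CC|CR|CU|LM|U):\\"` ahead of the Try, and branching on `If ($isRegistryPath)` in all three places avoids that. The pattern only recognises the drive-prefix spelling (`HKLM:\...`); a registry path written in another provider form would presumably fall through to the `FileSystemRights` cast and fail inside this Try with an error that does not mention the registry, so a short comment stating that this is the only supported spelling (in line with win_regedit, as the commit message says) would help the next maintainer. The enclosing Try block continues beyond the hunk.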
@@ -155,11 +160,26 @@ Try {
 }
 $objUser = New-Object System.Security.Principal.SecurityIdentifier($sid)
+ If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
+ $objACE = New-Object System.Security.AccessControl.RegistryAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
+ }
+ Else {
 $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
+ }
 $objACL = Get-ACL $path
 # Check if the ACE exists already in the objects ACL list
 $match = $false
+ If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
+ ForEach($rule in $objACL.Access){
+ $ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
+ If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
+ $match = $true
+ Break
+ }
+ }
+ }
+ Else {
 ForEach($rule in $objACL.Access){
 $ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
 If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
@@ -167,6 +187,7 @@ Try {
 Break
 }
 }
+ }
 If ($state -eq "present" -And $match -eq $false) {
 Try {
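Review bot: The ForEach loop added for registry paths is a copy of the existing file-system loop that differs only in the rights property it compares (`RegistryRights` vs `FileSystemRights`), so any later change to the existence check (another flag to compare, a fix to the identity translation) has to be made twice and can silently be made once. Choosing the property name by path type and reading it dynamically with `$rule.$rightsProperty` lets one loop serve both cases and also removes the extra closing brace the third hunk adds. The surrounding Try block starts and ends outside this hunk, and the regex is the same one used for the `$objACE` construction above, so it could share a single boolean computed once.
```powershell
    # Registry and file-system rules expose their rights under different property names.
    $rightsProperty = "FileSystemRights"
    If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
        $rightsProperty = "RegistryRights"
    }
    ForEach($rule in $objACL.Access){
        $ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        If (($rule.$rightsProperty -eq $objACE.$rightsProperty) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
            $match = $true
            Break
        }
    }
    # … unchanged: If ($state -eq "present" -And $match -eq $false) { …
```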