Use the built-in user and group resource types to manage user and group accounts on Windows.
Managing local user and group resources
Puppet uses the user and group resource types to manage local accounts. You can't write a Puppet resource that describes a domain user or group. However, a local group resource can manage which domain accounts belong to the local group.
Managing group membership with Puppet
Windows manages group membership by specifying the groups to which a user belongs, or by specifying the members of a group. Puppet supports both of these methods.
When Puppet is managing a local user, you can list the groups that the user belongs to. These groups can be local group accounts (such as Administrators) or domain group accounts.
When Puppet is managing a local group, you can list the members that belong to the group. Each member can be a local account (such as Administrator) or a domain account, and each account can be a user or a group account.
When managing a user, Puppet makes sure that the user belongs to all of the groups listed in the manifest. If the user belongs to a group not specified in the manifest, Puppet does not remove the user from the group.
To ensure that a user belongs to only the groups listed in the manifest, and no others, set the membership attribute on the user accordingly. With that setting, Puppet removes the user from any group not listed in the manifest.
Similarly, when managing a group, Puppet makes sure all of the members listed in the manifest are added to the group. Existing members of the group who are not listed in the manifest are ignored.
To ensure that a group contains only the members listed in the manifest, and no others, set the auth_membership attribute on the group. When this attribute is present and enabled, Puppet removes any members of the group not listed in the manifest.
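The two directions described above, as an added manifest example that is not from this page or from the Puppet project. The account names, the CONTOSO domain and the password value are constructed placeholders; the attribute values are those the user and group types accept.

```puppet
# Added example (constructed names; not from the documentation page).

# Managing a local user and listing the groups it belongs to.
# Without membership => inclusive, Puppet only adds the user to the
# listed groups and leaves any other group membership alone.
# With membership => inclusive, Puppet also removes the user from
# any group that is not listed here.
user { 'svc_backup':
  ensure     => present,
  # Windows needs the cleartext password; Sensitive keeps it out of
  # logs and reports. Placeholder value, not a real secret.
  password   => Sensitive('PLACEHOLDER-change-me'),
  groups     => [
    'Backup Operators',          # local group account
    'CONTOSO\Backup Admins',     # domain group account
  ],
  membership => inclusive,
}

# Managing a local group and listing its members.
# Members may be local accounts or domain accounts, and each may be
# a user or a group. With auth_membership => true, any member that
# shows up in Administrators but is not listed here is removed on
# the next run, so unexpected additions are reverted rather than kept.
group { 'Administrators':
  ensure          => present,
  members         => [
    'Administrator',             # local user account
    'CONTOSO\Domain Admins',     # domain group account
  ],
  auth_membership => true,
}
```

Running the agent with --noop first shows, without changing anything, which existing members or group memberships would be removed by the exclusive settings.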
user attributes on Windows
user resource type attributes:
| You cannot use this attribute on Windows. |
| Passwords must be specified in cleartext, because Windows does not have an API for setting the password hash. |
| Read-only. Available for inspecting a user by running puppet resource. |
group attributes on Windows
group resource type attributes:
| Read-only. Available for inspecting a group by running puppet resource. |
Names and security identifiers (SIDs)
A name in the S-1-5-32-544 form is called a security identifier (SID). Puppet treats all name forms (such as Administrators, BUILTIN\Administrators, and S-1-5-32-544) equally: when comparing two account names, it transforms both into their canonical SID form and compares the SIDs.
When you refer to a user or group in multiple places in a manifest (such as when creating relationships between resources), be consistent in how you capitalize the name. Names are case-sensitive in Puppet manifests but case-insensitive on Windows. It is important that the cases match, because autorequire attempts to match users by fully qualified names (such as User[BUILTIN\Administrators]) in addition to SIDs (such as User[S-1-5-32-544]). It might not match in cases where domain accounts and local accounts have the same name, such as
With puppet resource, groups are always returned in the fully qualified form when describing a user, such as BUILTIN\Administrators. These fully qualified names might not look the same as the names specified in the manifest.