Win_acl permission inheritance child objects

njoylif · May 8, 2024, 4:35pm

I’m noobie for Ansible…tiafyh
I have windows web servers, I’m trying to add a user permissions to c:\inetpub\logs\logfiles\w3svc* folders and child objects. I’ve researched inheritance, propagation, used win_acl, win_acl_inheritance and various methods.

here is most recent example:
I can’t figure out how to set this at c:\inetpub\logs\LogFiles level and propagate down.

here’s Ansible playbook:

name: Enable IIS on DD agent config
hosts: IIS
tasks:
- name: Extract short hostname
  set_fact:
  ansible_short_hostname: “{{ ansible_host.split(‘.’)[0] }}”
- name: Enable inherited ACE’s
  ansible.windows.win_acl_inheritance:
  path: c:\inetpub\logs\LogFiles
  state: present
- name: Query ACL4
  win_shell: (get-acl c:\inetpub\logs\LogFiles).AccessToString
  register: GetACL4
- debug:
  var: GetACL4.stdout_lines
- name: add Modify rights to ddagentuser
  win_acl:
  path: c:\inetpub\logs\LogFiles
  user: “{{ansible_short_hostname}}\ddagentuser”
  rights: FullControl
  type: allow
  state: present
  inherit: ContainerInherit, ObjectInherit
  propagation: InheritOnly
- name: Query ACL41
  win_shell: (get-acl c:\inetpub\logs\LogFiles).AccessToString
  register: GetACL41
- debug:
  var: GetACL41.stdout_lines
- name: Query SubFolder
  win_shell: (get-acl c:\inetpub\logs\LogFiles\W3SVC1).AccessToString
  register: GetACL42
- debug:
  var: GetACL42.stdout_lines

HERE’s OUTPUT:
PLAY [Enable IIS on DD agent config] *********************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************
ok: [xxxxxx]

TASK [Extract short hostname] ****************************************************************************************************************************************************************************
ok: [xxxxxx]

TASK [Disable inherited ACE’s] ***************************************************************************************************************************************************************************
ok: [xxxxxx]

TASK [Query ACL4] ****************************************************************************************************************************************************************************************
changed: [xxxxxx]

TASK [debug] *********************************************************************************************************************************************************************************************
ok: [xxxxxx] => {
“GetACL4.stdout_lines”: [
“xxxxxx\ddagentuser Allow FullControl”,
“NT SERVICE\WMSVC Allow ReadAndExecute, Synchronize”,
“NT SERVICE\TrustedInstaller Allow FullControl”,
“NT SERVICE\TrustedInstaller Allow 268435456”,
“NT AUTHORITY\SYSTEM Allow FullControl”,
“NT AUTHORITY\SYSTEM Allow 268435456”,
“BUILTIN\Administrators Allow FullControl”,
“BUILTIN\Administrators Allow 268435456”,
“BUILTIN\Users Allow ReadAndExecute, Synchronize”,
“BUILTIN\Users Allow -1610612736”,
“CREATOR OWNER Allow 268435456”
]
}

TASK [add Modify rights to ddagentuser] ******************************************************************************************************************************************************************
ok: [xxxxxx]

TASK [Query ACL41] ***************************************************************************************************************************************************************************************
changed: [xxxxxx]

TASK [debug] *********************************************************************************************************************************************************************************************
ok: [xxxxxx] => {
“GetACL41.stdout_lines”: [
“xxxxxx\ddagentuser Allow FullControl”,
“NT SERVICE\WMSVC Allow ReadAndExecute, Synchronize”,
“NT SERVICE\TrustedInstaller Allow FullControl”,
“NT SERVICE\TrustedInstaller Allow 268435456”,
“NT AUTHORITY\SYSTEM Allow FullControl”,
“NT AUTHORITY\SYSTEM Allow 268435456”,
“BUILTIN\Administrators Allow FullControl”,
“BUILTIN\Administrators Allow 268435456”,
“BUILTIN\Users Allow ReadAndExecute, Synchronize”,
“BUILTIN\Users Allow -1610612736”,
“CREATOR OWNER Allow 268435456”
]
}

TASK [Query SubFolder] ***********************************************************************************************************************************************************************************
changed: [xxxxxx]

TASK [debug] *********************************************************************************************************************************************************************************************
ok: [xxxxxx] => {
“GetACL42.stdout_lines”: [
“NT AUTHORITY\SYSTEM Allow FullControl”,
“BUILTIN\Administrators Allow FullControl”
]
}

mikemorency · May 9, 2024, 12:52pm

I think your playbook looks fine and the issue is with IIS controlling the permissions of child items. See this stack overflow issue: logging - IIS log folder permissions not being inherited - Super User

Have you tried your playbook on another set of directories? That would be a good sanity check.

Also, if you gathered facts on this host (in your playbook, you have) then you can use the builtin variable ansible_hostname to get the host name without the domain. I think thats what your doing when you set ansible_short_hostname

njoylif · May 9, 2024, 1:19pm

Thanks for your suggestions. I’ll test and reply back asap.

Larry Rice

njoylif · May 9, 2024, 2:21pm

you are correct @mikemorency, it worked when trying on some newly generated file structures.

so the workaround for IIS folder structure is:

  ansible.windows.win_powershell:
    script: |
        $l = Get-ChildItem -Path C:\inetpub\logs\LogFiles -Recurse -Directory -Force -ErrorAction SilentlyContinue | Select-Object FullName
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("xxxxxxxxx","ReadAndExecute","3","0","Allow") #FullControl

        foreach ($d in $l) {
            $ACL = Get-Acl -Path $d.FullName
            $ACL.SetAccessRule($AccessRule)
            $ACL | Set-Acl -Path $d.FullName
            }

thanks for taking time to comment!

system · June 8, 2024, 2:22pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Win_acl Is Not Removing ACL's Get Help windows	1	74	July 17, 2024
How to operate with Win hosts with limited permissions? Get Help awx , windows	1	26	October 2, 2024
Cisco ACL in Ansible Get Help playbook , module	3	232	November 21, 2023
Ansible to Windows with SSH, become not working Get Help windows , ssh , runas	2	86	August 2, 2024
Windows - Setting local group policies Get Help windows	6	162	August 29, 2024

Win_acl permission inheritance child objects

here’s Ansible playbook:

Related topics