I'm a noobie with Ansible.
I have Windows web servers, and I'm trying to add a user's permissions to the c:\inetpub\logs\logfiles\w3svc* folders and their child objects. I've researched inheritance and propagation, and I've used win_acl, win_acl_inheritance and various other methods.
Here is my most recent example.
I can't figure out how to set this at the c:\inetpub\logs\LogFiles level and have it propagate down.
Here's the Ansible playbook:
- name: Enable IIS on DD agent config
  hosts: IIS
  tasks:
    - name: Extract short hostname
      set_fact:
        ansible_short_hostname: "{{ ansible_host.split('.')[0] }}"

    - name: Enable inherited ACEs
      ansible.windows.win_acl_inheritance:
        path: c:\inetpub\logs\LogFiles
        state: present

    - name: Query ACL4
      win_shell: (get-acl c:\inetpub\logs\LogFiles).AccessToString
      register: GetACL4

    - debug:
        var: GetACL4.stdout_lines

    - name: add Modify rights to ddagentuser
      win_acl:
        path: c:\inetpub\logs\LogFiles
        # single quotes: in a double-quoted YAML scalar "\d" is an invalid escape and the play fails to parse
        user: '{{ ansible_short_hostname }}\ddagentuser'
        rights: FullControl
        type: allow
        state: present
        inherit: ContainerInherit, ObjectInherit
        propagation: InheritOnly

    - name: Query ACL41
      win_shell: (get-acl c:\inetpub\logs\LogFiles).AccessToString
      register: GetACL41

    - debug:
        var: GetACL41.stdout_lines

    - name: Query SubFolder
      win_shell: (get-acl c:\inetpub\logs\LogFiles\W3SVC1).AccessToString
      register: GetACL42

    - debug:
        var: GetACL42.stdout_lines
HERE'S THE OUTPUT:
PLAY [Enable IIS on DD agent config] *********************************************************************************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************************************************************************************************
ok: [xxxxxx]
TASK [Extract short hostname] ****************************************************************************************************************************************************************************
ok: [xxxxxx]
TASK [Disable inherited ACE's] ***************************************************************************************************************************************************************************
ok: [xxxxxx]
TASK [Query ACL4] ****************************************************************************************************************************************************************************************
changed: [xxxxxx]
TASK [debug] *********************************************************************************************************************************************************************************************
ok: [xxxxxx] => {
"GetACL4.stdout_lines": [
"xxxxxx\ddagentuser Allow FullControl",
"NT SERVICE\WMSVC Allow ReadAndExecute, Synchronize",
"NT SERVICE\TrustedInstaller Allow FullControl",
"NT SERVICE\TrustedInstaller Allow 268435456",
"NT AUTHORITY\SYSTEM Allow FullControl",
"NT AUTHORITY\SYSTEM Allow 268435456",
"BUILTIN\Administrators Allow FullControl",
"BUILTIN\Administrators Allow 268435456",
"BUILTIN\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\Users Allow -1610612736",
"CREATOR OWNER Allow 268435456"
]
}
TASK [add Modify rights to ddagentuser] ******************************************************************************************************************************************************************
ok: [xxxxxx]
TASK [Query ACL41] ***************************************************************************************************************************************************************************************
changed: [xxxxxx]
TASK [debug] *********************************************************************************************************************************************************************************************
ok: [xxxxxx] => {
"GetACL41.stdout_lines": [
"xxxxxx\ddagentuser Allow FullControl",
"NT SERVICE\WMSVC Allow ReadAndExecute, Synchronize",
"NT SERVICE\TrustedInstaller Allow FullControl",
"NT SERVICE\TrustedInstaller Allow 268435456",
"NT AUTHORITY\SYSTEM Allow FullControl",
"NT AUTHORITY\SYSTEM Allow 268435456",
"BUILTIN\Administrators Allow FullControl",
"BUILTIN\Administrators Allow 268435456",
"BUILTIN\Users Allow ReadAndExecute, Synchronize",
"BUILTIN\Users Allow -1610612736",
"CREATOR OWNER Allow 268435456"
]
}
TASK [Query SubFolder] ***********************************************************************************************************************************************************************************
changed: [xxxxxx]
TASK [debug] *********************************************************************************************************************************************************************************************
ok: [xxxxxx] => {
"GetACL42.stdout_lines": [
"NT AUTHORITY\SYSTEM Allow FullControl",
"BUILTIN\Administrators Allow FullControl"
]
}
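The last debug output above is the clue: the W3SVC1 listing contains only two explicit entries and none of the entries the parent LogFiles folder carries (WMSVC, Users, CREATOR OWNER, and so on), which is what a folder whose ACL inheritance is switched off looks like. An inheritable ACE added to LogFiles can never reach a subfolder that is protected in that way, whatever the inherit and propagation flags say. The playbook below is an added example, not code from the original post: it enumerates the W3SVC* subfolders, re-enables inheritance on each, and only then grants the agent account an inheritable entry on the log root. The inventory group name, the log root path, the `ddagentuser` account and the choice of `ReadAndExecute` (a log-shipping agent only needs to read) are assumptions for illustration.

```yaml
- name: Grant the agent account read access to IIS log folders (added example)
  hosts: IIS
  vars:
    log_root: C:\inetpub\logs\LogFiles
    # Assumed local account; built from the short host name as in the original play.
    agent_user: '{{ ansible_host.split(".")[0] }}\ddagentuser'
  tasks:
    - name: Find the per-site log folders (W3SVC*) under the log root
      ansible.windows.win_find:
        paths: "{{ log_root }}"
        file_type: directory
        patterns: ['W3SVC*']
      register: w3svc_dirs

    - name: Re-enable inheritance on each site folder so entries on the root flow down
      ansible.windows.win_acl_inheritance:
        path: "{{ item }}"
        state: present
      loop: "{{ w3svc_dirs.files | map(attribute='path') | list }}"

    - name: Grant ReadAndExecute on the root, inherited by subfolders and files
      ansible.windows.win_acl:
        path: "{{ log_root }}"
        user: "{{ agent_user }}"
        rights: ReadAndExecute
        type: allow
        state: present
        inherit: ContainerInherit, ObjectInherit
        # None (not InheritOnly): apply to the root itself and to everything below it
        propagation: None

    - name: Read back the ACL of every site folder
      ansible.windows.win_shell: (Get-Acl -Path '{{ item }}').AccessToString
      loop: "{{ w3svc_dirs.files | map(attribute='path') | list }}"
      register: acl_check
      changed_when: false

    - name: Fail the play if any site folder still lacks the agent entry
      ansible.builtin.assert:
        that: "'ddagentuser' in item.stdout"
        fail_msg: "Agent ACE missing on {{ item.item }}"
      loop: "{{ acl_check.results }}"
      loop_control:
        label: "{{ item.item }}"
```

The verification tasks at the end are what turns "it looked right on the parent" into a checked result: the assert fails the run for any W3SVC* folder on which the inherited entry did not arrive. If IIS later creates a new site folder with the same restricted ACL, a re-run of the play picks it up through `win_find` and repairs it the same way.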