Win_acl permission inheritance child objects

I'm a noobie with Ansible…tiafyh
I have Windows web servers, and I'm trying to add user permissions to the c:\inetpub\logs\logfiles\w3svc* folders and their child objects. I've researched inheritance and propagation, and used win_acl, win_acl_inheritance and various methods.

Here is my most recent example:
I can't figure out how to set this at the c:\inetpub\logs\LogFiles level and have it propagate down.

Here's the Ansible playbook:

  - name: Enable IIS on DD agent config
    hosts: IIS
    tasks:

      - name: Extract short hostname
        set_fact:
          ansible_short_hostname: "{{ ansible_host.split('.')[0] }}"

      - name: Enable inherited ACE's
        ansible.windows.win_acl_inheritance:
          path: c:\inetpub\logs\LogFiles
          state: present

      - name: Query ACL4
        win_shell: (get-acl c:\inetpub\logs\LogFiles).AccessToString
        register: GetACL4

      - debug:
          var: GetACL4.stdout_lines

      - name: add Modify rights to ddagentuser
        win_acl:
          path: c:\inetpub\logs\LogFiles
          # single-quoted so YAML does not try to interpret "\d" as an escape sequence
          user: '{{ ansible_short_hostname }}\ddagentuser'
          rights: FullControl
          type: allow
          state: present
          inherit: ContainerInherit, ObjectInherit
          # InheritOnly: the ACE is written for children only, not for LogFiles itself
          propagation: InheritOnly

      - name: Query ACL41
        win_shell: (get-acl c:\inetpub\logs\LogFiles).AccessToString
        register: GetACL41

      - debug:
          var: GetACL41.stdout_lines

      - name: Query SubFolder
        win_shell: (get-acl c:\inetpub\logs\LogFiles\W3SVC1).AccessToString
        register: GetACL42

      - debug:
          var: GetACL42.stdout_lines

Here's the output:
PLAY [Enable IIS on DD agent config] ************************************************************

TASK [Gathering Facts] **************************************************************************
ok: [xxxxxx]

TASK [Extract short hostname] *******************************************************************
ok: [xxxxxx]

TASK [Disable inherited ACE's] ******************************************************************
ok: [xxxxxx]

TASK [Query ACL4] *******************************************************************************
changed: [xxxxxx]

TASK [debug] ************************************************************************************
ok: [xxxxxx] => {
    "GetACL4.stdout_lines": [
        "xxxxxx\ddagentuser Allow FullControl",
        "NT SERVICE\WMSVC Allow ReadAndExecute, Synchronize",
        "NT SERVICE\TrustedInstaller Allow FullControl",
        "NT SERVICE\TrustedInstaller Allow 268435456",
        "NT AUTHORITY\SYSTEM Allow FullControl",
        "NT AUTHORITY\SYSTEM Allow 268435456",
        "BUILTIN\Administrators Allow FullControl",
        "BUILTIN\Administrators Allow 268435456",
        "BUILTIN\Users Allow ReadAndExecute, Synchronize",
        "BUILTIN\Users Allow -1610612736",
        "CREATOR OWNER Allow 268435456"
    ]
}

TASK [add Modify rights to ddagentuser] *********************************************************
ok: [xxxxxx]

TASK [Query ACL41] ******************************************************************************
changed: [xxxxxx]

TASK [debug] ************************************************************************************
ok: [xxxxxx] => {
    "GetACL41.stdout_lines": [
        "xxxxxx\ddagentuser Allow FullControl",
        "NT SERVICE\WMSVC Allow ReadAndExecute, Synchronize",
        "NT SERVICE\TrustedInstaller Allow FullControl",
        "NT SERVICE\TrustedInstaller Allow 268435456",
        "NT AUTHORITY\SYSTEM Allow FullControl",
        "NT AUTHORITY\SYSTEM Allow 268435456",
        "BUILTIN\Administrators Allow FullControl",
        "BUILTIN\Administrators Allow 268435456",
        "BUILTIN\Users Allow ReadAndExecute, Synchronize",
        "BUILTIN\Users Allow -1610612736",
        "CREATOR OWNER Allow 268435456"
    ]
}

TASK [Query SubFolder] **************************************************************************
changed: [xxxxxx]

TASK [debug] ************************************************************************************
ok: [xxxxxx] => {
    "GetACL42.stdout_lines": [
        "NT AUTHORITY\SYSTEM Allow FullControl",
        "BUILTIN\Administrators Allow FullControl"
    ]
}

I think your playbook looks fine and the issue is with IIS controlling the permissions of child items. See this Stack Overflow issue: logging - IIS log folder permissions not being inherited - Super User

Have you tried your playbook on another set of directories? That would be a good sanity check.

Also, if you gathered facts on this host (in your playbook, you have), then you can use the builtin variable ansible_hostname to get the host name without the domain. I think that's what you're doing when you set ansible_short_hostname.

Thanks for your suggestions. I’ll test and reply back asap.

Larry Rice

You are correct @mikemorency, it worked when trying on some newly generated file structures.

So the workaround for the IIS folder structure is:

  ansible.windows.win_powershell:
    script: |
        # Every subfolder under LogFiles (the per-site W3SVC* folders and anything below them).
        # Get-ChildItem -Directory does not return LogFiles itself, so its own ACL is left as set by win_acl.
        $l = Get-ChildItem -Path C:\inetpub\logs\LogFiles -Recurse -Directory -Force -ErrorAction SilentlyContinue

        # ReadAndExecute for the account, inherited by subfolders (ContainerInherit) and files (ObjectInherit);
        # PropagationFlags None means the folder the rule is written to gets it as well.
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "xxxxxxxxx",
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)

        foreach ($d in $l) {
            $ACL = Get-Acl -Path $d.FullName
            $ACL.SetAccessRule($AccessRule)   # replaces any existing Allow ACE for this identity on the folder
            Set-Acl -Path $d.FullName -AclObject $ACL
        }

Thanks for taking the time to comment!

1 Like
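As an added example (not code from the thread, nor from the ansible.windows collection), here is a PowerShell script that ties the diagnosis in @mikemorency's reply to the workaround in the last post and makes it idempotent: for each per-site folder under LogFiles it reports whether the folder's DACL is protected (AreAccessRulesProtected, which is what stops the ACE that win_acl wrote on LogFiles from ever appearing on W3SVC1), adds an explicit ReadAndExecute ACE only where no sufficient Allow ACE already exists, re-reads every folder to verify, and tells win_powershell whether anything changed. The account name ddagentuser as a local user and the default IIS log root are assumptions, not something the thread states; change both to match the host.

```powershell
# Added example, not from the thread. Assumptions: local account 'ddagentuser'
# and the default IIS log root; adjust both for the target host.
$LogRoot  = 'C:\inetpub\logs\LogFiles'
$Identity = "$env:COMPUTERNAME\ddagentuser"

# Least privilege: a log shipper only needs to read and traverse, not FullControl.
$Rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None   # the folder itself gets it too
$Rule    = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Prop, 'Allow')

function Test-HasRule {
    # True when an Allow ACE (explicit or inherited) already grants $Identity at least
    # $Rights and is flagged to flow down to subfolders and files.
    param([System.Security.AccessControl.DirectorySecurity]$Acl)
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    return [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.FileSystemRights -band $Rights) -eq $Rights) -and
        (($_.InheritanceFlags -band $Inherit) -eq $Inherit)
    })
}

function Get-LogDirs {
    Get-ChildItem -LiteralPath $LogRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue
}

$changed = $false
$report  = foreach ($dir in Get-LogDirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # A protected DACL has inheritance switched off, so an ACE placed on LogFiles
    # (as the playbook above does) never reaches this folder.
    $protected = $acl.AreAccessRulesProtected
    $present   = Test-HasRule -Acl $acl
    if (-not $present) {
        $acl.AddAccessRule($Rule)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        $changed = $true
    }
    [pscustomobject]@{
        Path               = $dir.FullName
        InheritanceBlocked = $protected
        RuleWasPresent     = $present
    }
}
$report | Format-Table -AutoSize

# Verify rather than trust: re-read every folder and fail loudly if any still lacks the ACE.
$missing = Get-LogDirs | Where-Object { -not (Test-HasRule -Acl (Get-Acl -LiteralPath $_.FullName)) }
if ($missing) { throw "ACE still missing on: $($missing.FullName -join ', ')" }

# Under ansible.windows.win_powershell the module exposes $Ansible; report the real change
# status so the task shows ok/changed correctly instead of always 'changed'.
if (Get-Variable -Name Ansible -ErrorAction SilentlyContinue) { $Ansible.Changed = $changed }
```

Drop the script into the `script: |` block of an ansible.windows.win_powershell task, as the last post does, and it can be re-run safely. Two practitioner notes: the report column InheritanceBlocked is the check that confirms the explanation in the thread for a given host, and the example deliberately grants ReadAndExecute rather than the FullControl the playbook used, because an account that can modify or delete IIS logs can also erase the evidence those logs exist to preserve.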