Reputation:
puppet add user to local windows group
For a couple of weeks I'm struggling with puppet. I do have it pretty much working but i keep getting issues to add a user to the built-in group "Administrators".
I do can add an user to that group, but removing is not possible. This is an local user, without a domain-controler
Here is my manifest:
#Adding user to administrators-group;
class developers {
user {'user_erik':
name => 'Erik.dev',
ensure => present,
comment => 'Developer',
groups => ['Administrators],
membership => inclusive,
password => 'blaat123',
}
}
#removing (not working);
class developers {
user {'user_erik':
name => 'Erik.dev',
ensure => present,
comment => 'Developer',
groups => [],
membership => inclusive,
password => 'blaat123',
}
}
# another way to set this up;
class developers {
user {'user_erik':
name => 'Eric.dev',
ensure => present,
comment => 'Developer',
groups => [],
membership => inclusive,
password => 'blaat123',
}
group{'admin':
name => 'Administrators',
ensure => present,
members => ['Erik.dev'],
}
}
getting error: Error: OLE error code:8007055B in Active Directory " Cannot perform this operation on built-in accounts "
In UNIX I have no problems, but windows is almost killing me and I cannot find my answer on the internet.
Hope someone has it working.
thanks Dave
Upvotes: 0
Views: 3000
Answers (1)
Reputation: 12561
I'm going to assume this is a copy pasta error:
user {'user_erik':
name => 'Erik.dev',
ensure => present,
comment => 'Developer',
groups => ['Administrators],
membership => inclusive,
password => 'blaat123',
}
note groups is missing an apostrophe. groups => ['Administrators] should be groups => ['Administrators']
Let's take a look at the remove:
user {'user_erik':
name => 'Erik.dev',
ensure => present,
comment => 'Developer',
groups => [],
membership => inclusive,
password => 'blaat123',
}
I think you are running into a derivative of PUP-3653, where you are trying to remove a user from all groups. I would instead put the user in at least one group (perhaps 'Users'?).
Group Membership
With groups, you must specify the complete list of members. Group auth_membership => minimum is ignored in less than Puppet 4.0.0. See PUP-2628 and PUP-3719 for details.
The error
Error: OLE error code:8007055B in Active Directory " Cannot perform this operation on built-in accounts "
is most likely related to:
group{'admin':
name => 'Administrators',
ensure => present,
members => ['Erik.dev'],
}
Right now you would need to specify the complete list and you can't remove built-in accounts from the Administrators group. Because this isn't the complete list, Puppet is attempting to remove LocalSystem from the list and running into issues, generating the error you see above.
In Puppet 4.x you can specify it like the above or you can specify it like this:
group{'admin':
name => 'Administrators',
ensure => present,
members => ['Erik.dev'],
auth_membership => false,
}
Upvotes: 2
Related Questions
- Puppet and Windows directory permissions
- Add User to Local Group
- Add user to multiple groups with Puppet
- Add user to group at a later point in puppet
- Puppet: Adding multiple AD users to local group
- How to add npm user
- How to automate adding a Node to a Group?
- How to create user having a primary group with the same name using puppet script?
- Creating a directory with multiple groups ownership using Puppet?
- Add Domain User Account to Local Group Windows Puppet