ansible.windows.win_user_right module – Manage Windows User Rights
Note
This module is part of the ansible.windows collection (version 2.5.0).
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install ansible.windows
.
To use it in a playbook, specify: ansible.windows.win_user_right
.
Synopsis
Add, remove or set User Rights for a group or users or groups.
You can set user rights for both local and domain accounts.
Parameters
Parameter |
Comments |
---|---|
Choices:
|
|
The name of the User Right as shown by the The module will return an error if the right is invalid. |
|
A list of users or groups to add/remove on the User Right. These can be in the form DOMAIN\user-group, user-group@DOMAIN.COM for domain users/groups. For local users/groups it can be in the form user-group, .\user-group, SERVERNAME\user-group where SERVERNAME is the name of the remote server. It is highly recommended to use the You can also add special local accounts like SYSTEM and others. Can be set to an empty list with action=set to remove all accounts from the right. |
Notes
Note
If the server is domain joined this module can change a right but if a GPO governs this right then the changes won’t last.
See Also
See also
- ansible.windows.win_group
Add and remove local groups.
- ansible.windows.win_group_membership
Manage Windows local group membership.
- ansible.windows.win_user
Manages local Windows user accounts.
Examples
---
- name: Replace the entries of Deny log on locally
ansible.windows.win_user_right:
name: SeDenyInteractiveLogonRight
users:
- Guest
- Users
action: set
- name: Add account to Log on as a service
ansible.windows.win_user_right:
name: SeServiceLogonRight
users:
- .\Administrator
- '{{ansible_hostname}}\local-user'
action: add
- name: Remove accounts who can create Symbolic links
ansible.windows.win_user_right:
name: SeCreateSymbolicLinkPrivilege
users:
- SYSTEM
- Administrators
- DOMAIN\User
- group@DOMAIN.COM
action: remove
- name: Remove all accounts who cannot log on remote interactively
ansible.windows.win_user_right:
name: SeDenyRemoteInteractiveLogonRight
users: []
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
A list of accounts that were added to the right, this is empty if no accounts were added. Returned: success Sample: |
|
A list of accounts that were removed from the right, this is empty if no accounts were removed. Returned: success Sample: |