@trekr5
Created March 24, 2015 18:00
def remove_login_rights(user)
  cookbook_file "ntrights.exe" do
    source "ntrights.exe"
    path "/windows/temp"
    mode '0644'
    action :create_if_missing
    notifies :run, 'execute[remove-right]', :immediately
  end

  execute "remove-right" do
    #cwd "C:\\windows\\temp"
    command "ntrights -u #{user} +r SeDenyInteractiveLogonRight"
    action :nothing
  end
end

@robbkidd

How would you feel about:

def remove_login_rights(user)
  cookbook_file "C:\\Windows\\Temp\\ntrights.exe" do
    source "ntrights.exe"
    mode '0644'
    action :create_if_missing
    notifies :run, 'execute[remove-right]', :immediately
  end

  execute "remove-right" do
    # Avoid assuming working directory?
    command "C:\\Windows\\Temp\\ntrights.exe -u #{user} +r SeDenyInteractiveLogonRight"
    action :nothing
  end
end

The wiring of the execute[remove-right] to the cookbook_file will mean that the user will not have their login right removed if ntrights.exe exists. Once you drop the file on the system, you'll only ever be able to remove that right on one user as written above.

@robbkidd

@trekr5 Will ntrights.exe return an error if you attempt to revoke a right that a user does not have? If not, if it is safe to attempt a revoke even if the user does not have the right, I suggest removing the notifies in the cookbook_file and changing remove-right to action :run.

def remove_login_rights(user)
  cookbook_file "C:\\Windows\\Temp\\ntrights.exe" do
    source "ntrights.exe"
    mode '0644'
    action :create_if_missing
  end

  execute "remove-right" do
    # Avoid assuming working directory?
    command "C:\\Windows\\Temp\\ntrights.exe -u #{user} +r SeDenyInteractiveLogonRight"
    action :run
  end
end

@robbkidd

You could probably even omit the action :create_if_missing from cookbook_file. The default action is :create which should handle your use case as I understand it.

So ...

def remove_login_rights(user)
  cookbook_file "C:\\Windows\\Temp\\ntrights.exe" do
    source "ntrights.exe"
    mode '0644'
  end

  execute "remove-right" do
    # Avoid assuming working directory?
    command "C:\\Windows\\Temp\\ntrights.exe -u #{user} +r SeDenyInteractiveLogonRight"
    action :run
  end
end
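
Added example (not part of the gist or the thread): a plain-Ruby model of the two wirings discussed above, showing which users never receive SeDenyInteractiveLogonRight when the helper is called for several accounts in one converge. `ModelNode`, the method names and the sample accounts are assumptions for illustration, and the model ignores how Chef treats repeated resource names.

```ruby
# Simplified model of a Chef converge (an assumption, not Chef's code): a file
# resource counts as "updated" only when it had to create the file, and a
# :nothing execute runs only when an updated resource notifies it.
require 'set'

class ModelNode
  attr_reader :denied_users

  def initialize
    @files = Set.new          # paths present on the modelled node
    @denied_users = Set.new   # users holding SeDenyInteractiveLogonRight
  end

  # Models cookbook_file: true only if this call had to create the file.
  def ensure_file(path)
    return false if @files.include?(path)
    @files << path
    true
  end

  # Models the execute resource that runs ntrights for one user.
  def deny_interactive_logon(user)
    @denied_users << user
  end
end

NTRIGHTS = 'C:\\Windows\\Temp\\ntrights.exe'
USERS = %w[alice bob carol] # constructed sample accounts

# Wiring from the gist: execute is action :nothing, fired by the file's notifies.
def remove_login_rights_notified(node, user)
  updated = node.ensure_file(NTRIGHTS)
  node.deny_interactive_logon(user) if updated
end

# Wiring from the suggestion: execute is action :run, no notifies.
def remove_login_rights_always(node, user)
  node.ensure_file(NTRIGHTS)
  node.deny_interactive_logon(user)
end

# Converge a fresh modelled node for all users and list those left untouched.
def missed_users(wiring, users)
  node = ModelNode.new
  users.each { |u| send(wiring, node, u) }
  users.reject { |u| node.denied_users.include?(u) }
end

%i[remove_login_rights_notified remove_login_rights_always].each { |w| puts "#{w}: missed #{missed_users(w, USERS).inspect}" }
```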

@trekr5
Author

trekr5 commented Mar 24, 2015

def remove_login_rights(user)
  cookbook_file "C:\\Windows\\Temp\\ntrights.exe" do
    source "ntrights.exe"
    #path "C:\windows\temp"
    mode '0644'
    #verify File.exist?('ntrights.exe')
    action :create_if_missing
    notifies :run, 'execute[remove-right]', :immediately
  end

  execute "remove-right" do
    #cwd "C:\\windows\\temp"
    command "C:\\Windows\\Temp\\ntrights.exe -u #{user} +r SeDenyInteractiveLogonRight"
    action :nothing
  end
end

@robbkidd

Something to keep in mind with a cookbook_file resource: the code under the hood in the cookbook_file provider handles the whole "file already exists" question.

@trekr5
Author

trekr5 commented Mar 24, 2015

Would it use PowerShell under the hood, because the Vagrant box I'm using is a Windows 2012 server?

@trekr5
Author

trekr5 commented Mar 25, 2015

users_manage "sudo" do
  data_bag "aws-admin-users"
  group_id node.default['sudo_group_id']
  action [:remove, :create]
end
