When we originally set out to do PUP-2628[1] for Puppet 4, we were going to
change the group resource default to not authoritative for Windows (e.g.
the specified members would be the minimum), because the thinking is that
is how it was for all of the other platforms.

However, after more research, it is the user resource that has the minimum
set of groups by default[2][3] and the members listed in a group resource
are considered the authoritative list by default[4][5]. Having them be the
opposite by default feels a little surprising IMHO.

The question has come up: should it be this way? We have the opportunity
for Puppet 4 to shift the behavior of group auth_membership.

[1] https://tickets.puppetlabs.com/browse/PUP-2628
[2] https://docs.puppetlabs.com/references/latest/type.html#user-attribute-groups
[3] https://docs.puppetlabs.com/references/latest/type.html#user-attribute-membership
[4] https://docs.puppetlabs.com/references/latest/type.html#group-attribute-auth_membership
[5] https://github.com/puppetlabs/puppet/blob/stable/lib/puppet/type/group.rb#L110-L113
-- 
Rob Reynolds
Developer, Puppet Labs
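
Added example, not part of the original message: a manifest that sets both membership attributes discussed above explicitly, so the result does not depend on whichever default a given Puppet version ships. The account and group names are constructed, and it assumes the group provider on the target platform supports managing `members`.

```puppet
# Constructed names: 'deploy', 'svc_backup', 'ops_admins', 'wheel'.

# User side: 'groups' is a minimum set. The user is added to 'wheel'
# if missing, and any other group memberships the account already
# has are left alone.
user { 'deploy':
  ensure     => present,
  groups     => ['wheel'],
  membership => minimum,
}

# User side, strict variant: 'groups' is the complete list. The user
# is removed from every supplementary group not named here.
user { 'svc_backup':
  ensure     => present,
  groups     => ['backup'],
  membership => inclusive,
}

# Group side: 'members' is the authoritative list. Any account that
# is in the group on the node but not listed here is removed on the
# next run, which is what you want for a privileged group where an
# unmanaged member should not persist.
group { 'ops_admins':
  ensure          => present,
  members         => ['deploy'],
  auth_membership => true,
}

# Group side, additive variant: listed members are ensured present,
# and members added out of band are left in place.
group { 'wheel':
  ensure          => present,
  members         => ['deploy'],
  auth_membership => false,
}
```

For privileged groups, the authoritative form is the one that reverts out-of-band additions; the additive form only guarantees the listed accounts are present.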
