Hi Paul,

On Tue, Sep 9, 2014 at 11:30 AM, Paul Chernoch <pachern...@gmail.com> wrote:

> The *acl* module has a parameter named '*group*' which takes a list of
> users, groups or SIDs.
> What is it for? When would I need it?
>

Windows Security Descriptors support a group to allow for POSIX emulation.
Here's some dated, but still accurate info: "The Primary Group field
contains the SID for the owner’s primary group. This information is used
only by the POSIX subsystem, and it is ignored by the rest of Windows
Server 2003." [1]

Since the group can be set on a security descriptor, Puppet provides the
ability to manage it. That said, it's not something you would typically
need to manage, and for most users, it's set to the Nobody/None SID
(S-1-0-0).

Note that many Windows tools, e.g. icacls, won't show you what the group
is, but others do:

C:\> Get-Acl C:\windows | format-list

Path   : Microsoft.PowerShell.Core\FileSystem::C:\windows
Owner  : NT SERVICE\TrustedInstaller
Group  : NT SERVICE\TrustedInstaller
...

> The documentation is fuzzy. This is what it says:
>
> Properties: group <https://github.com/puppetlabs/puppetlabs-acl#group>
>
> The entity or entities that have access to a particular ACL descriptor.
> The group identity is also known as a trustee or principal. Valid inputs
> can be in the form of:
>
>    - User - e.g. 'Bob' or 'TheNet\Bob'
>    - Group - e.g. 'Administrators' or 'BUILTIN\Administrators'
>    - SID (Security ID) - e.g. 'S-1-5-18'
>
> No default value will be enforced by Puppet. Using the default will allow
> the group to stay set to whatever it is currently set to (group can vary
> depending on the original CREATOR GROUP). Since the identity must exist on
> the system in order to be used, Puppet will make sure they exist by
> creating them as needed.
>
> *NOTE*: On Windows the CREATOR GROUP inherited ACE must be set for the
> creator's primary group to be set as an ACE automatically. Group is not
> always widely used. By default the group will also need to be specifically
> set as an explicit managed ACE. See Microsoft's page
> <http://support.microsoft.com/kb/126629> for instructions on enabling
> CREATOR GROUP.
>
>
>
> Paul
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/172c9ce0-bdd3-4f85-8fb5-c84a55d56fe5%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/172c9ce0-bdd3-4f85-8fb5-c84a55d56fe5%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

Josh

[1] http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx

-- 
Josh Cooper
Developer, Puppet Labs

*Join us at PuppetConf 2014 <http://www.puppetconf.com/>, September
20-24 in San Francisco*
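
An added example, not part of the original message or of the puppetlabs-acl module: a PowerShell function that reads the primary group from each item's security descriptor as a SID and flags whether it is the S-1-0-0 value mentioned above, which helps when checking the current state before deciding whether to manage `group` in Puppet. The function name Get-PrimaryGroupReport is made up for this example; C:\Windows is the path used in the message.

```powershell
# Added example: report the primary group stored in each item's security descriptor.
# Get-PrimaryGroupReport is a hypothetical name, not a built-in cmdlet.
function Get-PrimaryGroupReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    foreach ($p in $Path) {
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        } catch {
            # Some system directories deny read access to their descriptor.
            Write-Warning "Cannot read security descriptor of ${p}: $($_.Exception.Message)"
            continue
        }

        # Ask for the SID form so the result does not depend on name resolution.
        $sid = $acl.GetGroup([System.Security.Principal.SecurityIdentifier])

        $name = $null
        if ($null -ne $sid) {
            try {
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # The SID has no account name on this machine; keep the SID only.
                $name = $null
            }
        }

        [pscustomobject]@{
            Path      = $p
            Owner     = $acl.Owner
            Group     = $name
            GroupSid  = if ($null -ne $sid) { $sid.Value } else { $null }
            # S-1-0-0 is the Nobody/None SID referred to in the message above.
            IsNullSid = ($null -ne $sid) -and ($sid.Value -eq 'S-1-0-0')
        }
    }
}

# Report the group for C:\Windows and its immediate subdirectories.
$targets = @('C:\Windows') + (Get-ChildItem -LiteralPath 'C:\Windows' -Directory).FullName
Get-PrimaryGroupReport -Path $targets | Format-Table -AutoSize
```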
