Managing Windows Server with Puppet Part 4: Working with Files and ACLs


In this Ask the Admin, I’ll show you how to use the file resource and manage permissions on files and folders.



In part three of this series, I showed you how to locate the site manifest file on your Puppet master, how to edit it using the vi text editor, and install the Puppet on Windows module pack. In the fourth part of this series, I want to show you how to perform basic file and permissions tasks on Windows Server by adding resources to the site manifest. (If you would like to start at the beginning, part one of this series can be found on


Managing Files and Folders

For the time being, I’m going to make life simple and add resources directly to the site manifest (site.pp). In a production environment, you’d probably create classes that contain a series of resources and then call those classes from the site manifest. But it is not obligatory to create classes.

In part two of this series, I showed you how to add a file resource to the manifest that added a text file to the root of the system drive:

  file { 'c:/petri.txt':
    ensure   => present,
    content  => 'The Petri IT Knowledgebase',
  }

But what if you want to delete a file instead of adding one? All you need to do is change ‘ensure’ from present to absent.

  file { 'c:/petri.txt':
    ensure   => absent,
  }

Backward and Forward

Notice that I’m using a forward slash in the Windows file path. Puppet uses forward slashes by default. Just like in PowerShell, single quotes should be used to define strings if they don’t contain variables that need interpolating. Strings that will be parsed directly by Windows, like the file path to an executable that will run as part of a scheduled task, must use forward slashes. For strings with variables, use double quotes. Double-quoted strings must use double backslashes to represent a single backslash.

"C:\\Program Files\\$file"

If you need to represent a single backslash at the end of a single-quoted string in Puppet 4.0 (or later), it needs to be represented by double backslashes.

'C:\Program Files (x86)\\'

Creating Folders and Multiple Items

If you want to add multiple files at the same time, you can use square brackets as shown below to add two or more files using one resource:

file { ['c:/petri.txt', 'c:/petri2.txt', 'c:/petri3.txt']:
  ensure   => present,
}

Folders can be created by replacing present with directory:

file { ['c:/petri', 'c:/petri2', 'c:/petri2/petri3']:
  ensure   => directory,
}

Changing Permissions on Files and Folders

Permissions can be set on files or folders by creating an access control list (acl) resource. In the resource below, I’m adding two access control entries (ACEs). One is for a user account (petriuser) and a second is for the local Users group. Each identity section can contain only one user or group.

acl { 'c:/petri':
  permissions => [
    { identity => 'petriuser', rights => ['full'] },
    { identity => 'Users', rights => ['read','execute'] },
  ],
}

More complex options can be specified as shown below. In this example, I disable the permissions inheritance flag on the folder and remove all existing ACEs. ACEs should be listed in the correct order in the resource; otherwise, you might get errors. For more information on ordering ACEs in ACLs, see Microsoft’s website here.

acl { 'c:/petri':
  purge => true,
  permissions => [
    { identity => 'Administrators', rights => ['full'] },
    { identity => 'S-1-5-11', rights => ['write','read','execute'] },
    { identity => 'Users', rights => ['read','execute'] },
    { identity => 'Everyone', rights => ['read'] },
  ],
  owner => 'Administrators',
  group => 'Users',
  inherit_parent_permissions => false,
}
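
The class-based layout mentioned under Managing Files and Folders, combined with the purge and inheritance options above, as an added example that is not from the original article. The class name `petri_folder`, the `$path` parameter and the SYSTEM entry are assumptions: it presumes the puppetlabs-acl module is installed and that the agent runs as LocalSystem, the Windows default.

```puppet
# Added example (hypothetical class name and parameter), not the author's code.
class petri_folder (
  String $path = 'c:/petri',
) {
  # Create the folder first so the acl resource has a target to work on.
  file { $path:
    ensure => directory,
  }

  acl { $path:
    # Remove every explicit ACE that is not listed below.
    purge                      => true,
    # Stop inheriting ACEs from the parent folder.
    inherit_parent_permissions => false,
    permissions                => [
      # Assumption: the agent runs as LocalSystem. With purge => true and
      # inheritance disabled, leaving this account out would stop later
      # Puppet runs from managing the folder.
      { identity => 'SYSTEM',         rights => ['full'] },
      { identity => 'Administrators', rights => ['full'] },
      # Least privilege for the ordinary account: read and execute only.
      { identity => 'petriuser',      rights => ['read', 'execute'] },
    ],
    owner                      => 'Administrators',
    # Apply the ACL only after the folder exists.
    require                    => File[$path],
  }
}

# Call the class from the site manifest.
node default {
  include petri_folder
}
```

After the agent run, `icacls c:\petri` on the node should list only the three entries above, with no inherited (I) flags.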

Manifest Notes

When you are editing the site manifest, make sure that any code you copy uses ‘straight’ quotes and not curved quotes. Yes, that’s right. Puppet doesn’t parse curved quotes. Take a look at the screenshot below and you’ll see all the single quotes are perfectly vertical, unlike the way Microsoft Word formats single quotes.

Edit the Puppet master site manifest (Image Credit: Russell Smith)

Once you’ve saved your manifest file, run the Puppet parser to validate the manifest’s syntax. By default, the parser validates the site manifest. If there are no errors, you should be good to go.

puppet parser validate

Finally, log into your Windows Server node, type puppet into the search box on the taskbar, and select Run Puppet Agent from the results.

Run the agent on the Windows Server node (Image Credit: Russell Smith)

In this Ask the Admin, I showed you how to manage files, folders, and permissions using Puppet. In the next part of this series, I’ll show you how to add registry keys and values, as well as manage Windows services.