
In today’s Ask the Admin, I’ll show you how to manage local users and groups using Puppet.
Just because you can do something doesn’t mean that you should. While Puppet can create local user accounts in Windows, you should always try to use Active Directory for user management and authentication. There might be some situations where you want to use Puppet to manage local users and groups, for example, where a server is not a member of an Active Directory domain. Or you might want to add Active Directory users or groups to a member server using Puppet instead of Group Policy.
Let’s start by looking at how to create a new local user. The built-in Puppet user and group resources know how to manage Windows local users and groups. The resource below creates a new local user, petriuser1, and sets the password for the account. Make sure you create a password that meets the complexity requirements set in policy on the Windows device.
user { 'petriuser1': ensure => present, password => 'Petri!Kn0Wledge' }
When you are creating a new user, you can also add it to a group straight away:
user { 'petriuser1': ensure => present, password => 'Petri!Kn0Wledge', groups => 'Administrators' }
Creating a New Local User in Puppet (Image Credit: Russell Smith)
Using the group resource, you can either add or remove users from an existing group or create a new group. The resource below makes sure that petagentadmin and petriuser1 are both members of the Administrators group:
group { 'Local Admins': name => 'Administrators', ensure => present, members => ['petagentadmin','petriuser1'], auth_membership => false, }
Puppet Agent Creates a New Local User on a Node (Image Credit: Russell Smith)
The auth_membership parameter’s default setting is false. When set to false, any existing members of the group are preserved. If you want to purge the group, set auth_membership to true.
To add a domain user to a local group, you need to specify the username and the domain together. In the resource below, I’m adding a user called testuser1 from the Petri domain to the local Administrators group:
group { 'Local Admins': name => 'Administrators', ensure => present, members => 'petri\testuser1', auth_membership => false }
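As an added example (not part of the original article), the manifest below shows the authoritative form of the group resource together with a password that is not written into the manifest in clear text. It assumes a Puppet version that supports the Sensitive data type, a hypothetical Hiera key named profile::local_accounts::petriuser1_password, and that the built-in Administrator account and petagentadmin already exist and should stay in the group.

```puppet
# Added example, not from the original article.
# Assumption: the password is stored in Hiera under a hypothetical key,
# ideally encrypted at rest (for example with hiera-eyaml).
$petriuser1_password = Sensitive(
  lookup('profile::local_accounts::petriuser1_password', String)
)

# Wrapping the value in Sensitive keeps it out of agent logs and reports.
user { 'petriuser1':
  ensure   => present,
  password => $petriuser1_password,
}

# auth_membership => true makes the members list authoritative:
# any account in Administrators that is not listed here is removed.
# List every account that must keep administrative access, including
# the built-in Administrator account (assumed to be wanted here).
group { 'Local Admins':
  name            => 'Administrators',
  ensure          => present,
  members         => ['Administrator', 'petagentadmin', 'petriuser1'],
  auth_membership => true,
  require         => User['petriuser1'],
}
```

Running the agent with --noop first shows which accounts would be removed from the group before any change is made.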
To delete a local user, change the ensure parameter to absent. The same applies when deleting groups.
user { 'petriuser1': ensure => absent, }
The auth_membership parameter can also be set in a user resource. If set to inclusive, Puppet will make sure the user only belongs to the groups specified in the manifest and remove the user from any groups that are not specified. In the resource below, petriuser1 will be added to Administrators and removed from any other local groups that it is a member of.
user { 'petriuser1': ensure => present, password => 'Petri!Kn0Wledge', groups => 'Administrators', auth_membership => inclusive }
In this Ask the Admin, I showed you how to create, remove, and manage local users and groups in Windows using Puppet.
More from Russell Smith
Copyright ©2019 BWW Media Group