Managing Windows Server with Puppet Part 5: Managing Local Users and Groups

In today’s Ask the Admin, I’ll show you how to manage local users and groups using Puppet.

 

 

Just because you can do something doesn’t mean that you should. While Puppet can create local user accounts in Windows, you should always try to use Active Directory for user management and authentication. There are some situations where you might want to use Puppet to manage local users and groups, for example where a server is not a member of an Active Directory domain, or where you want to add Active Directory users or groups to a member server using Puppet instead of Group Policy.

Create a Local User Account

Let’s start by looking at how to create a new local user. The built-in Puppet user and group resources know how to manage Windows local users and groups. The resource below creates a new local user, petriuser1, and sets the password for the account. Make sure you create a password that meets the complexity requirements set in policy on the Windows device.

user { 'petriuser1':
   ensure => present,
   password => 'Petri!Kn0Wledge' 
}

When you are creating a new user, you can also add it to a group straight away:

user { 'petriuser1':
   ensure => present,
   password => 'Petri!Kn0Wledge',
   groups => 'Administrators'
}
Creating a new local user in Puppet (Image Credit: Russell Smith)

Managing Group Membership

Using the group resource, you can either add or remove users from an existing group or create a new group. The resource below makes sure that petagentadmin and petriuser1 are both members of the Administrators group:

group { 'Local Admins':
    name => 'Administrators',
    ensure => present,
    members => ['petagentadmin','petriuser1'],
    auth_membership => false,
}
Puppet agent creates a new local user on a node (Image Credit: Russell Smith)

The auth_membership parameter’s default setting is false. When set to false, any existing members of the group are preserved. If you want Puppet to purge the group, removing any members that are not listed in the manifest, set auth_membership to true.

To add a domain user to a local group, you need to specify the username and the domain together. In the resource below, I’m adding a user called testuser1 from the Petri domain to the local Administrators group:

group { 'Local Admins':
    name => 'Administrators',
    ensure => present,
    members => 'petri\testuser1',
    auth_membership => false
}

To delete a local user, change the ensure parameter to absent. The same applies when deleting groups.

user { 'petriuser1':
   ensure => absent,
}

The user resource has a comparable setting for group membership, the membership parameter. If set to inclusive, Puppet will make sure the user only belongs to the groups specified in the manifest and remove the user from any groups that are not specified. In the resource below, petriuser1 will be added to Administrators and removed from any other local groups that it is a member of.

user { 'petriuser1':
   ensure => present,
   password => 'Petri!Kn0Wledge',
   groups => 'Administrators',
   # membership governs the groups list; on a user resource,
   # auth_membership applies to auths, not to groups
   membership => inclusive
}
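
The manifest below is an added example, not part of the original article. It reads the password from Hiera and wraps it in Sensitive so the value stays out of the manifest and is redacted from agent logs and reports, and it makes the Administrators member list authoritative with auth_membership => true. The Hiera key, the built-in Administrator entry and the petri\Domain Admins entry are assumptions; once auth_membership is true, every account that must keep administrator rights has to appear in members.

```puppet
# Added example. Assumes a Puppet version that supports the Sensitive data type.

# Assumption: the password is stored in Hiera (for example in an encrypted
# backend) under this hypothetical key instead of being written in the manifest.
$petriuser1_password = Sensitive(
  lookup('local_accounts::petriuser1_password', String[1])
)

# Local account from the article; the Sensitive wrapper keeps the password
# out of logs and reports when the resource is applied.
user { 'petriuser1':
  ensure   => present,
  password => $petriuser1_password,
}

# Authoritative membership: any member of Administrators that is not in this
# list is removed on the next agent run.
group { 'Local Admins':
  ensure          => present,
  name            => 'Administrators',
  members         => [
    'Administrator',        # assumption: built-in account is kept
    'petagentadmin',        # account used earlier in the article
    'petriuser1',
    'petri\Domain Admins',  # assumption: domain group that keeps admin rights
  ],
  auth_membership => true,
  # Create the local user before the group tries to add it.
  require         => User['petriuser1'],
}
```

Running the agent with --noop first shows which members would be removed before the purge takes effect.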

In this Ask the Admin, I showed you how to create, remove, and manage local users and groups in Windows using Puppet.