Jira (PUP-6540) Allow Windows group resource to specify SID as title

Ethan Brown (JIRA)

unread,

Jul 22, 2016, 5:42:04 PM7/22/16

to puppe...@googlegroups.com

Ethan Brown created an issue

Puppet /

PUP-6540

Allow Windows group resource to specify SID as title

Issue Type:	Improvement
Affects Versions:	PUP 4.5.2
Assignee:	Kylo Ginsberg
Components:	Types and Providers, Windows
Created:	2016/07/22 2:41 PM
Labels:	windows i18n utf-8
Priority:	Normal
Reporter:	Ethan Brown

Without being able to use a SID in the title of a group resource on Windows, it can be difficult to write a manifest that works properly on internationalized versions of Windows. Take for instance, adding a user to the Administrators group.

In English, this works to modify the Administrators group and add user bob (presuming they already exist):

group { 'Administrators':

  members => ['bob'],

  auth_membership => false

The same code on French Windows, will actually create a new group named Administrators, which may be surprising. The user likely expected that the well-defined Administrators group with SID S-1-5-32-544 was used, which in this case is localized to Administrateurs. For cases where manifests are running only in one localized environment, this may already be well understood by users.

However, this becomes quite painful if working across an environment with more than 1 localized set of accounts.

The solution to referring to well-known accounts is typically to use the SIDs as defined at https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx to circumvent any localization problems.

However, the group type does not support SIDs as titles, but likely could with some additional munging code.

Add Comment

This message was sent by Atlassian JIRA (v6.4.13#64028-sha1:b7939e9)

Ethan Brown (JIRA)

unread,

Jul 22, 2016, 5:44:04 PM7/22/16

to puppe...@googlegroups.com

Ethan Brown updated an issue

Puppet /

PUP-6540

Allow Windows group resource to specify SID as title

Change By:	Ethan Brown

Without being able to use a SID in the title of a group resource on Windows, it can be difficult to write a manifest that works properly on internationalized versions of Windows. Take for instance, adding a user to the {{Administrators}} group.

In English, this works to modify the {{Administrators}} group and add user {{bob}} (presuming they already exist):

{code}

group { 'Administrators':
members => ['bob'],
auth_membership => false
}

{code}

The same code on French Windows, will actually create a new group named {{Administrators}}, which may be surprising. The user likely expected that the well-defined Administrators group with SID {{S-1-5-32-544}} was used, which in this case is localized to {{Administrateurs}}. For cases where manifests are running only in one localized environment, this may already be well understood by users.

However, this becomes quite painful if working across an environment with more than 1 localized set of accounts , as manifests must be special cased for each additional environment .

The solution to referring to well-known accounts is typically to use the SIDs as defined at https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx to circumvent any localization problems.

However, the group type does not support SIDs as titles, but likely could with some additional munging code.