Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-6540

Allow Windows group resource to specify SID as title



    • Night's Watch


      Without being able to use a SID in the title of a group resource on Windows, it can be difficult to write a manifest that works properly on internationalized versions of Windows. Take for instance, adding a user to the Administrators group.

      In English, this works to modify the Administrators group and add user bob (presuming they already exist):

      group { 'Administrators':
        members => ['bob'],
        auth_membership => false

      The same code on French Windows, will actually create a new group named Administrators, which may be surprising. The user likely expected that the well-defined Administrators group with SID S-1-5-32-544 was used, which in this case is localized to Administrateurs. For cases where manifests are running only in one localized environment, this may already be well understood by users.

      However, this becomes quite painful if working across an environment with more than 1 localized set of accounts, as manifests must be special cased for each additional environment.

      The solution to referring to well-known accounts is typically to use the SIDs as defined at https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx to circumvent any localization problems.

      However, the group type does not support SIDs as titles, but likely could with some additional munging code.


        Issue Links



              Unassigned Unassigned
              ethan Ethan Brown
              1 Vote for this issue
              5 Start watching this issue



                Zendesk Support