Details
Normal Description
Hi,
When managing a user on a Windows 2016 I've used a resource like so:
define profiles::windows::account(
|
$account_name = $title,
|
$password,
|
$is_admin,
|
){
|
|
|
if ($is_admin == true){
|
$groups = ['Users','Administrators']
|
}
|
else {
|
$groups = ['Users','Remote Desktop Users']
|
}
|
|
|
user { "${title}":
|
ensure => present,
|
name => $title,
|
password => Sensitive($password),
|
managehome => true,
|
groups => $groups,
|
auth_membership => 'inclusive',
|
}
|
|
|
}
|
However when I create a user with this and then switch is_admin to false puppet adds the remote desktop group but doesn't remove the administrators group.
Notice: /Stage[main]/Profiles::Windows::Accounts/Profiles::Windows::Account[test_user]/User[test_user]/groups: groups changed BUILTIN\Administrators,BUILTIN\Users to ['BUILTIN\Administrators', 'BUILTIN\Users', 'BUILTIN\Remote Desktop Users']
From the docs the inclusive auth_membership should remove the user from the group?
Puppet agent version: 5.5.6
Puppet server version: 5.3.1 running on CentOs 7.
