This seems to work. Seems the easiest way to "clear" existing permissions
is to start over by disabling the inherited permissions. A normal user can't
list and gets access denied if they try to open a specific file that they
know the path to. An admin can do anything. Am I missing anything? Is there
a better way?

- name: disable inheritance on backupscripts
  win_acl_inheritance:
    path: C:\backupscripts
    state: absent

- name: set administrator permissions for backup folder
  win_acl:
    path: C:\backupscripts
    user: Administrators
    type: allow
    rights:
      - FullControl

- name: set SYSTEM permissions for backup folder
  win_acl:
    path: C:\backupscripts
    user: SYSTEM
    type: allow
    rights:
      - FullControl

On Sunday, May 13, 2018 at 9:18:44 PM UTC-7, Jordan Borean wrote:
> Deny rights always override Allow rights in Windows ACLs. If a user is a
> member of the Administrator group *AND* the Users group the deny you
> applied on the 2nd win_acl task will cause an access is denied message. I'm
> pretty sure by default an Admin account is a member of both and that's
> probably what is tripping you up.
>
> As a side note, it's better not to apply FullControl as a right but use
> the granular entries to give the user only what they need. That's probably
> something you can look into once this is all working and you have a better
> understanding of the whole ACL side.
>
> Thanks
>
> Jordan
>
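
The access check behind both approaches in this thread, as an added example that is not from either poster or from the Ansible project: a simplified Python model of how Windows walks a DACL in canonical order. The account names, group memberships, the deny-on-Users ACE and the inherited Users read ACE are constructed assumptions used only to illustrate the three cases.

```python
from dataclasses import dataclass

FILE_GENERIC_READ = 0x120089  # Windows file access-mask constants
FILE_ALL_ACCESS = 0x1F01FF    # what FullControl maps to

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    principal: str
    mask: int
    inherited: bool = False

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token, dacl, desired):
    """Simplified access check: ACEs are read in order, a matching deny of a
    still-needed right refuses, allows accumulate, leftovers are refused."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.principal not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False         # no ACE granted the rest: implicit deny

# Constructed tokens: an admin account is assumed to be in both groups.
ADMIN = {"alice", "Administrators", "Users"}
USER = {"bob", "Users"}

# Constructed: the earlier attempt the quoted reply describes (a deny for Users).
DENY_USERS = [Ace("allow", "Administrators", FILE_ALL_ACCESS),
              Ace("deny", "Users", FILE_ALL_ACCESS)]
# The playbook above: inheritance disabled, two explicit allows, no deny.
ALLOW_ONLY = [Ace("allow", "Administrators", FILE_ALL_ACCESS),
              Ace("allow", "SYSTEM", FILE_ALL_ACCESS)]
# Assumed parent ACE that would remain if inheritance were left enabled.
INHERITED = ALLOW_ONLY + [Ace("allow", "Users", FILE_GENERIC_READ, inherited=True)]

if __name__ == "__main__":
    for name, dacl in [("deny Users", DENY_USERS), ("allow only", ALLOW_ONLY),
                       ("inheritance on", INHERITED)]:
        print(name, "| admin read:", access_check(ADMIN, dacl, FILE_GENERIC_READ),
              "| user read:", access_check(USER, dacl, FILE_GENERIC_READ))
```

With no deny entries, a normal user is refused simply because nothing in the DACL grants them access, so the admin's membership in Users no longer matters.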