win_user_right – Manage Windows User Rights
New in version 2.4.
Synopsis
- Add, remove or set User Rights for users or groups.
- You can set user rights for both local and domain accounts.
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| action (string) | Choices: add, remove, set (default) | add will add the users/groups to the existing right. remove will remove the users/groups from the existing right. set will replace the users/groups of the existing right. |
| name (string / required) | | The name of the User Right as shown by the Constant Name value from https://technet.microsoft.com/en-us/library/dd349804.aspx. The module will return an error if the right is invalid. |
| users (list / required) | | A list of users or groups to add/remove on the User Right. These can be in the form DOMAIN\user-group, user-group@DOMAIN.COM for domain users/groups. For local users/groups it can be in the form user-group, .\user-group, SERVERNAME\user-group where SERVERNAME is the name of the remote server. You can also add special local accounts like SYSTEM and others. Can be set to an empty list with action=set to remove all accounts from the right. |
Notes
- If the server is domain joined, this module can change a right, but if a GPO governs this right then the changes won’t last.
See Also
- win_group – Add and remove local groups
- The official documentation on the win_group module.
- win_group_membership – Manage Windows local group membership
- The official documentation on the win_group_membership module.
- win_user – Manages local Windows user accounts
- The official documentation on the win_user module.
Examples
```yaml
---
# action: set replaces whatever accounts currently hold the right
- name: Replace the entries of Deny log on locally
  win_user_right:
    name: SeDenyInteractiveLogonRight
    users:
    - Guest
    - Users
    action: set

# action: add leaves the existing holders in place
- name: Add account to Log on as a service
  win_user_right:
    name: SeServiceLogonRight
    users:
    - .\Administrator
    - '{{ ansible_hostname }}\local-user'
    action: add

# action: remove only takes the listed accounts off the right
- name: Remove accounts who can create Symbolic links
  win_user_right:
    name: SeCreateSymbolicLinkPrivilege
    users:
    - SYSTEM
    - Administrators
    - DOMAIN\User
    - group@DOMAIN.COM
    action: remove

# action is omitted, so the default (set) applies and the empty list clears the right
- name: Remove all accounts who cannot log on remote interactively
  win_user_right:
    name: SeDenyRemoteInteractiveLogonRight
    users: []
```
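The playbook below is an added example, not part of the module's own documentation: it runs a baseline of rights with action=set in check mode to report drift (for instance a right that a GPO keeps resetting, as the note above describes) and enforces it only when asked. The windows inventory group, the enforce variable, the baseline accounts, and the use of the module's added and removed return fields under check mode are assumptions; loop needs Ansible 2.5 or later.

```yaml
---
- name: Audit and enforce a user-rights baseline (added example)
  hosts: windows            # assumed inventory group
  gather_facts: false
  vars:
    # Constructed baseline; replace the accounts with your own policy.
    user_rights_baseline:
      - name: SeDebugPrivilege
        users: [Administrators]
      - name: SeRemoteInteractiveLogonRight
        users: [Administrators, Remote Desktop Users]
      - name: SeDenyNetworkLogonRight
        users: [Guest]
  tasks:
    - name: Compare each right with the baseline without changing it
      win_user_right:
        name: "{{ item.name }}"
        users: "{{ item.users }}"
        action: set
      check_mode: true      # report only; nothing is written to the host
      register: drift
      loop: "{{ user_rights_baseline }}"
      loop_control:
        label: "{{ item.name }}"

    - name: List rights that differ from the baseline
      debug:
        # added/removed are assumed to be returned in check mode as well
        msg: >-
          {{ item.item.name }}: would add {{ item.added | default([]) }},
          would remove {{ item.removed | default([]) }}
      loop: "{{ drift.results | selectattr('changed') | list }}"
      loop_control:
        label: "{{ item.item.name }}"

    - name: Enforce the baseline (run with -e enforce=true)
      win_user_right:
        name: "{{ item.name }}"
        users: "{{ item.users }}"
        action: set
      loop: "{{ user_rights_baseline }}"
      loop_control:
        label: "{{ item.name }}"
      when: enforce | default(false) | bool
```

If the same right shows up as drifted on every scheduled run after being enforced, something else, typically a GPO, is setting it and the fix belongs there.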
Return Values
Common return values are documented here; the following are the fields unique to this module:
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Jordan Borean (@jborean93)
