使用Chef访问另一个用户的注册表 [英] Access the registry of another user with Chef

问题描述

是否可以使用Chef访问另一个用户的注册表？我有Chef-Client作为System运行，并且我想修改User1的注册表？有没有办法做到这一点？

Is it possible to access the registry of another user with Chef? I have the chef-client running as System and I want to modify the registry of User1? Is there a way to do this?

registry_key 资源提供了一种方法访问HKEY_Users，但是我看不到将用户名映射到SID的方法。

The registry_key resource provides a way to access HKEY_Users but I see no way to map the username to the SID.

推荐答案

这最终被温和地盘绕了起来，看着它让我感到畏缩。

This ended up being mildly convoluted and looking at it makes me cringe. But it seems to work!

我想通过注册表修改其他用户的环境变量，如此服务器故障答案，但我也想用Chef创建用户。然后的问题是Windows在用户登录之前不会为用户创建注册表配置单元。

I wanted to modify another user's environment variables via the registry, as described in this Server Fault answer, but I also wanted to create the user with Chef. The problem then is that Windows doesn't create the registry hive for a user until they login.

如果确实存在相关用户，则可以跳过以修改用户的注册表项。

If the relevant user definitely exists you can skip to Modifying a User's Registry Keys.

Chef内置 execute 和 batch 资源似乎不支持提供密码，因此看起来不像 user 这两个属性均可在Windows上使用。但是 Chef Windows官方食谱包括 windows_task 做的 资源包括用于指定用户密码的属性。

The Chef builtin execute and batch resources don't seem to support supplying a password, so it doesn't seem like the user attribute for either can be used on Windows. But the official Chef Windows cookbook includes a windows_task resource that does include an attribute for specifying a user's password.

现在的问题是向相关用户授予本地安全策略权限作为批处理作业登录。为此，我们可以使用 SecEdit 。

The problem now is granting the relevant user the Local Security Policy right to 'log on as a batch job'. To accomplish that, we can use SecEdit.

确保您的食谱依赖于Chef Windows的官方食谱；在您食谱的 metadata.rb 文件中添加：

Make sure your cookbook depends on the official Chef windows cookbook; in your cookbook's metadata.rb file add:

depends "windows"

这里是厨师的食谱代码：

Here's the Chef recipe code:

group "BatchJobUsers" do
  append true
  members ["AnotherUser"]
  action :create
end

cookbook_file "BatchJobUsers-AddBatchLogonRight.inf" do
  path "#{ENV['TEMP']}\\BatchJobUsers-AddBatchLogonRight.inf"
  action :create_if_missing
end

execute "secedit" do
  cwd "#{ENV['TEMP']}"
  command "secedit /configure /db secedit.sdb /cfg BatchJobUsers-AddBatchLogonRight.inf"
end

windows_task "force-creation-of-AnotherUser-user-registry-hive" do
  command "echo Force creation of AnotherUser user registry hive"
  user "AnotherUser"
  password "password-for-another-user"
  action [:create, :run]
end

windows_task "force-creation-of-AnotherUser-user-registry-hive" do
  action :delete
end

您需要将文件添加到 COOKBOOK / files / default 名为 BatchJobUsers-AddBatchLogonRight.inf 的目录；它应包含以下内容：

You'll need to add a file to the COOKBOOK/files/default directory named BatchJobUsers-AddBatchLogonRight.inf; it should contain the following:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = "BatchJobUsers"

修改用户的注册表键

确保您的食谱依赖于Chef官方的Windows食谱；在您食谱的 metadata.rb 文件中添加：

depends "windows"

在您的食谱中，添加以下行：

In your recipe, add the following line:

::Chef::Recipe.send(:include, Windows::RegistryHelper)

然后您可以在食谱中使用函数 resolve_user_to_sid ，如下所示：

Then you can use the function resolve_user_to_sid in your recipe like this:

get_user_sid = lambda { resolve_user_to_sid("USER_NAME") }

registry_key "Create environment variable registry keys" do
  key lazy { "HKEY_USERS\\#{ get_user_sid.call }\\Environment"
  values [{
      :name => "Variable",
      :type => :string,
      :data => "variable_data"
          }]
  recursive true
  action :create
end

必须懒惰地评估 key 属性（即，在厨师运行配方的收敛阶段进行评估），以处理不存在的用户。

The key attribute has to be lazily evaluated (i.e. evaluated during the converge phase of Chef running the recipe) to handle the user not existing.

这篇关于使用Chef访问另一个用户的注册表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！