Purpose: To use an access control list to regulate which users should have Local Administrator accounts on a server. If a Local Admin is on a server that isn't on the ACL, that account is deleted.
Set up: I'm using an EPP template and the powershell module to execute code to compare a formatted list of Local Administrators on the machine against an interpolated $acl variable containing the list of authorized users.
I have a hash containing usernames and initial passwords, e.g:
$credentials = { "test" => "t3st!!", "test2" => "t3st3r!" }
along with an array containing just the usernames, to be used as an access control list of users that should be authorized, e.g:
$acl = $credentials.keys
init.pp:
<-- Other code here, other functions work properly, variables import correctly -->
exec { "Removing unauthorized Local Administrators":
command => epp('usermgmt_test/remove-user.epp'),
provider => powershell,
}
remove-user.epp:
$adminList = Get-LocalAdmin
$acl = Get-ACL
function Get-LocalAdmin {
# Get the list of local Administrators, format it, and convert to an array for later iteration
$list = net localgroup 'Administrators' | Select-Object -Skip 6
$list = $list | Select-Object -First ($list.Count - 2)
$list = $list.Trim()
$list.Split(" ")
}
function Get-ACL {
# Import the $acl variable from puppet, convert to string, format for powershell, convert to array for later iteration
$puppet = "<%= $acl %>"
$puppet = $puppet.Trim('[',']')
$puppet.Split(',')
}
ForEach ($user in $adminList) {
if (($acl -notcontains $user) -and ($user -ne 'Administrator')) {
net user $user /delete
}
}
Error:
The manifest on the test server applies without errors, but does not actually delete any users and returns this confusing statement:
$list.Split(" ")$puppet.Split(',')}Notice: /Stage[main]/Usermgmt_test/Exec[Removing unauthorized local Administrators]/returns: executed successfully
Problem:
I've checked that the $acl variable is interpolating properly into the EPP template and my test code in powershell works properly. I thought that it might be that Puppet was trying to interpolate the powershell variables, so I tried escaping those (\$) but that just threw a bunch of powershell errors. I'm kind of at a loss as to what I'm missing here. Any help would be greatly appreciated!