Is it possible to access the registry of another user with Chef? I have the chef-client running as System and I want to modify the registry of User1? Is there a way to do this?
The registry_key resource provides a way to access HKEY_Users but I see no way to map the username to the SID.
This ended up being mildly convoluted and looking at it makes me cringe. But it seems to work!
I wanted to modify another user's environment variables via the registry, as described in this Server Fault answer, but I also wanted to create the user with Chef. The problem then is that Windows doesn't create the registry hive for a user until they login.
If the relevant user definitely exists you can skip to Modifying a User's Registry Keys.
Forcing Windows to Create the User Registry Hive
The Chef builtin
execute
andbatch
resources don't seem to support supplying a password, so it doesn't seem like theuser
attribute for either can be used on Windows. But the official Chef Windows cookbook includes awindows_task
resource that does include an attribute for specifying a user's password.The problem now is granting the relevant user the Local Security Policy right to 'log on as a batch job'. To accomplish that, we can use SecEdit.
Make sure your cookbook depends on the official Chef windows cookbook; in your cookbook's metadata.rb file add:
Here's the Chef recipe code:
You'll need to add a file to the COOKBOOK/files/default directory named BatchJobUsers-AddBatchLogonRight.inf; it should contain the following:
Modifying a User's Registry Keys
Make sure your cookbook depends on the official Chef windows cookbook; in your cookbook's metadata.rb file add:
In your recipe, add the following line:
Then you can use the function
resolve_user_to_sid
in your recipe like this:The
key
attribute has to be lazily evaluated (i.e. evaluated during the converge phase of Chef running the recipe) to handle the user not existing.