%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /lib/python2.7/site-packages/salt/modules/
Upload File :
Create Path :
Current File : //lib/python2.7/site-packages/salt/modules/win_lgpo.pyc

�
���^c@@sEdZddlmZmZmZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
Z
ddlZddlmZmZddlmZddljjZddlZddlZddlZddlZddlZddlmZddlm Z ej!e"�Z#dZ$id	d
6Z%ej&�j'Z(iie)6ie*6Z+iZ,e*Z-e.Z/e.Z0e.Z1e.Z2e.Z3e.Z4e.Z5e.Z6e.Z7e.Z8e.Z9e.Z:e.Z;e.Z<e.Z=e.Z>e.Z?e.Z@e.ZAe.ZBe.ZCe.ZDy�ddlEZEddlFZFddlGZGddlHZHddlGmIZIddlJmKZKe)Z-eIjLd
�Z/eIjLd�Z0eIjLd�Z1eIjLd�Z2eIjLd�Z3eIjLd�Z4eIjLd�Z5eIjLd�Z6eIjLd�Z7eIjLd�Z8eIjLd�Z9eIjLd�Z:eIjLd�Z;eIjLd�Z<eIjLd�Z=eIjLd�Z>eIjLd�Z?eIjLd�Z@eIjLd�ZAeIjLd �ZBeIjLd!�ZCeIjLd"�ZDejMjNZMe
jOjPeMjQ�d#�jRd$d%�ZSWneTk
r�e*Z-nXd&eUfd'��YZVd(�ZWd)�ZXd*�ZYd+�ZZd,d-d.�Z[d,d-d/�Z\d,d-d0�Z]d1�Z^e.d2�Z_d3�Z`d4�Zad5�Zbd6�Zcd7�Zdd8�Zed9�Zfd:�Zgd;�Zhd<�Zid=�Zjd>�Zkd?�Zld@�ZmdA�ZndB�ZodC�ZpdD�ZqdE�Zre*dF�Zse)dG�Zte*e)dH�ZudI�Zve*dJ�Zwe*e.dK�Zxd-e*e*e*dL�ZydM�ZzdN�Z{dO�Z|dP�Z}dQ�Z~dR�Ze*dS�Z�d-dTdU�Z�dV�Z�e*dW�Z�d-dX�Z�d-dY�Z�e.e)e*d-e*dZ�ZPe)d-d[�Z�d-d\�Z�e.e.e)d-d]�Z�dS(^u%
Manage Local Policy on Windows

This module allows configuring local group policy (i.e. ``gpedit.msc``) on a
Windows server.

.. versionadded:: 2016.11.0

Administrative Templates
========================

Administrative template policies are dynamically read from ADMX/ADML files on
the server.

Windows Settings
================

Policies contained in the "Windows Settings" section of the ``gpedit.msc`` GUI
are statically defined in this module. Each policy is configured for the section
(Machine/User) in the module's _policy_info class. The ``_policy_info`` class
contains a "policies" dict on how the module will configure the policy, where
the policy resides in the GUI (for display purposes), data validation data, data
transformation data, etc.

Current known limitations
=========================

- At this time, start/shutdown scripts policies are displayed, but are not
  configurable.
- Not all "Security Settings" policies exist in the _policy_info class

:depends:
  - pywin32 Python module
  - lxml
  - uuid
  - struct
  - salt.utils.win_reg
i(tabsolute_importtunicode_literalstprint_functionN(tCommandExecutionErrortSaltInvocationError(tdeserialize(tsix(trangeulgpousetuset_(tetree(tRegistryu .//*[local-name() = "trueValue"]u!.//*[local-name() = "falseValue"]u.//*[local-name() = "elements"]u#.//*[local-name() = "enabledValue"]u$.//*[local-name() = "disabledValue"]u".//*[local-name() = "enabledList"]u#.//*[local-name() = "disabledList"]u.//*[local-name() = "value"]u.//*[local-name() = "trueList"]u .//*[local-name() = "falseList"]up//*[translate(@*[local-name() = "key"], "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz") = $keyvalue]u//*[@key = $keyvalue]u$ancestor::*[local-name() = "policy"]uv//*[local-name() = "policy" and (@*[local-name() = "class"] = "Both" or @*[local-name() = "class"] = $registry_class)]uQ//*[local-name() = $displayNameType and @*[local-name() = "id"] = $displayNameId]u .//*[local-name() = "valueList"]uP.//*[local-name() = "item" and @*[local-name() = "displayName" = $display_name]]u�//*[local-name() = "policy" and @*[local-name() = "name"] = $policy_name and (@*[local-name() = "class"] = "Both" or @*[local-name() = "class"] = $registry_class)]uB//*[starts-with(text(), $policy_name) and @*[local-name() = "id"]]u�//*[local-name() = "policy" and @*[local-name() = "displayName"] = $display_name and (@*[local-name() = "class"] = "Both" or @*[local-name() = "class"] = $registry_class) ]u*ancestor::*[local-name() = "presentation"]u.//*[local-name() = "text"]uen_USu_u-t_policy_infocB@saeZdZd�Zed��Zed��Zed��Zed��Zed��Z	ed��Z
ed��Zed	��Zed
��Z
ed��Zed��Zed
��Zed��Zed��Zed��Zed��Zed��Zed��Zed��Zed��Zed��Zed��ZRS(um
    Policy Helper Class
    ===================

    The format of the policy dict is as follows:

    The top most two key/value pairs in the dict divide the policies object into
    the two sections of local group policy, using the keys "Machine" and "User".
    The value make-up of these dicts are described below in "Policy Section
    Definition"

    Policy Section Definition
    -------------------------

    A policy section dict has two required key/value pairs:

    ============  ==============================================================
    Key
    ============  ==============================================================
    lgpo_section  String matching how the policy section is displayed in the mmc
                  snap-in ("Computer Configuration" for "Machine" and "User
                  Configuration" for "User")
    policies      a dict containing the non-Administrative template policy
                  definitions, the key for each item is a short/unique
                  identifier for the policy, the value is described below in
                  "Policies Definition"
    ============  ==============================================================

    Policies Definition
    -------------------

    A policies definition item describes the particular policy. There are three
    child key/value pairs shared with all policy types:

    ============  ==============================================================
    Key           Value
    ============  ==============================================================
    lgpo_section  A list containing the hierarchical path to the policy in the
                  gpedit mmc snap-in.
    Policy        A string containing the name of the policy in the gpedit mmc
                  snap-in
    Settings      An object which describes valid settings for the policy. This
                  can be None for no validation, a list of possible settings, or
                  a dict with the following key/value pairs:

                  - **Function:** The class function to use to validate the
                    setting
                  - **Args:** A dict of kwargs to pass to the class function
    ============  ==============================================================

    Additionally, each policies definition will contain a key/value pair that
    defines the mechanism that will be used to configure the policy. The
    available mechanisms are:  NetUserModal, Registry, Secedit, and LsaRights

    Registry Mechanism
    ------------------

    Some policies simply set values in the Windows registry. The value of this
    key is a dict with the following make-up:

    =====  =====================================================================
    Key    Value
    =====  =====================================================================
    Hive   A string containing the Registry hive, such as ``HKEY_LOCAL_MACHINE``
    Path   A string containing the registry key path, such as
           ``SYSTEM\\CurrentControlSet\\Control\\Lsa``
    Value  A string containing the name of the registry value, such as
           **restrictanonymous**
    Type   A string containing the registry type of the value, such as
           ``REG_DWORD``
    =====  =====================================================================

    Secedit Mechanism
    -----------------

    Some policies are configurable via the "secedit.exe" executable. The value
    of this key is a dict with the following make-up:

    =======  ===================================================================
    Key      Value
    =======  ===================================================================
    Option   A string containing the name of the policy as it appears in an
             export from secedit, such as **PasswordComplexity**
    Section  A string containing the name of the section in which the "Option"
             value appears in an export from ``secedit``, such as "System
             Access"
    =======  ===================================================================

    LsaRights Mechanism
    -------------------

    LSA Rights policies are configured via the LsaRights mechanism. The value of
    this key is a dict with the following make-up:

    ======  ====================================================================
    Key     Value
    ======  ====================================================================
    Option  A string containing the programmatic name of the Lsa Right, such as
            **SeNetworkLogonRight**
    ======  ====================================================================

    NetUserModal Mechanism
    ----------------------

    Some policies are configurable by the **NetUserModalGet** and
    **NetUserModalSet** function from pywin32.  The value of this key is a dict
    with the following make-up:

    ======  ====================================================================
    Key     Value
    ======  ====================================================================
    Modal   The modal "level" that the particular option is specified in (0-3),
            see `here <https://msdn.microsoft.com/en-us/library/windows/desktop/
            aa370656(v=vs.85).aspx>`_
    Option  The name of the structure member which contains the data for the
            policy, for example **max_passwd_age**
    ======  ====================================================================

    NetSH Mechanism
    ---------------

    The firewall policies are configured by the ``netsh.exe`` executable. The
    value of this key is a dict with the following make-up:

    =======  ===================================================================
    Key      Value
    =======  ===================================================================
    Profile  The firewall profile to modify. Can be one of Domain, Private, or
             Public
    Section  The section of the firewall to modify. Can be one of state,
             firewallpolicy, settings, or logging.
    Option   The setting within that section
    Value    The value of the setting
    =======  ===================================================================

    More information can be found in the advfirewall context in netsh. This can
    be access by opening a netsh prompt. At a command prompt type the following:

    c:\>netsh
    netsh>advfirewall
    netsh advfirewall>set help
    netsh advfirewall>set domain help

    AdvAudit Mechanism
    ------------------

    The Advanced Audit Policies are configured using a combination of the
    auditpol command-line utility and modifying the audit.csv file in two
    locations. The value of this key is a dict with the following make-up:

    ======  ===================================
    Key     Value
    ======  ===================================
    Option  The Advanced Audit Policy to modify
    ======  ===================================

    Transforms
    ----------

    Optionally, each policy definition can contain a "Transform" key. The
    Transform key is used to handle data that is stored and viewed differently.
    This key's value is a dict with the following key/value pairs:

    ===  =======================================================================
    Key  Value
    ===  =======================================================================
    Get  The name of the class function to use to transform the data from the
         stored value to how the value is displayed in the GUI
    Put The name of the class function to use to transform the data supplied by
        the user to the correct value that the policy is stored in
    ===  =======================================================================

    For example, "Minimum password age" is stored in seconds, but is displayed
    in days.  Thus the "Get" and "Put" functions for this policy do these
    conversions so the user is able to set and view the policy using the same
    data that is shown in the GUI.
    cC@s�\idd6dd6dd6dd6d	d	6d	d6|_id
d6dd6dd6dd6dd6|_id
d6dd6dd6dd6d	d6d	d6|_idd6dd6dd6dd6dd6dd6d	d6d	d6|_idd6dd6dd6d	d6d	d6|_idd6dd6d	d6d	d6|_idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6|_	id$d6dd6dd6d	d6d	d6|_
idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6|_idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6|_idd%6dd&6d	d6d	d6|_
idd6dd6i|j
d 6td!6d"6i|j
d 6td!6d#6|_d'd(d)d*d+g|_d'd(d)d,d-g|_d'd(d)d.d/g|_d'd(d)d*d0g|_d'd(d)d1d2g|_d'd(d)d.d3g|_d'd(d)d*d4g|_id5d6d6d6d7d6d	d6d	d6|_id8d6d9d6d	d6d	d6|_id:d6d;d6d<d6d	d6d	d6|_id=d6d>d6d?d6d	d6d	d6|_id@d6dAd6d	d6d	d6|_idBd6dCd6dDd6d	d6d	d6|_idEdF6dGdH6dIdJ6dKdL6|_idMdN6dOdP6dKdL6|_idQdR6dSdT6dKdL6|_idUdR6dVdT6dKdL6|_idUdR6dSdT6dKdL6|_ idWdX6d:dY6dKdL6|_!i	dZd6d[d6d\d6d]d6d^d_6d`da6dbdc6d	d6d	d6|_"iddd6ded6dfd6dgd6dhd6did6d	d6d	d6|_#id8d6djd6d9d6d	d6d	d6|_$idZd6dkdl6dmdn6d	d6d	d6|_%idod6dpd6dqd6d	d6d	d6|_&idod6drd6dsd6dtd6dudv6d	d6d	d6|_'idwd6dxd6dyd6d	d6d	d6|_(idod6dzd6d{d6d|d6d}dv6d	d6d	d6|_)idwd6d~d6d}d6d	d6d	d6|_*idd6dd6|_+idd6dd6i|j+d 6td!6d"6i|j+d 6td!6d#6|_,iid'd6i�id�d�6d'd(d�d�gd6id�d�6t-j.j/t-j0d��d�d�d�d�d��d�6d�6d�6id�d�6d'd(d�d�gd6id�d�6t-j.j/t-j0d��d�d�d�d�d��d�6d�6d�6id�d�6d'd(d�d�gd6it-j.j/t-j0d��d�d�d�d�d��d�6d�d�6d�d�6d�d�dgd�6d�6id�d6d�d6d�6d�6id�d�6d'd(d�d�gd6id�d�6t-j.j/t-j0d��d�d�d�d�d��d�6d�6d�6id�d�6d'd(d�d�gd6id�d�6t-j.j/t-j0d��d�d�d�d�d��d�6d�6d�6id�d�6d'd(d�d�gd6it-j.j/t-j0d��d�d�d�d�d��d�6d�d�6d�d�6d�d�dgd�6d�6id�d6d�d6d�6d�6id�d�6|jd6|j+j1�d�6id�d�6d�d�6d�6|j,d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|j!j1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|j!d 6td!6d"6i|j!d 6td!6d#6d�6d�6id�d�6|jd6|j!j1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|j!d 6td!6d"6i|j!d 6td!6d#6d�6d�6id�d�6|jd6|j!j1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|j!d 6td!6d"6i|j!d 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|j j1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|j d 6td!6d"6i|j d 6td!6d#6d�6d�6id�d�6|jd6|j j1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|j d 6td!6d"6i|j d 6td!6d#6d�6d�6id�d�6|jd6|j j1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|j d 6td!6d"6i|j d 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d6idd�6|jd6|jj1�d�6id�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d6idd�6|jd6dd�6id�d�6dd�6dd�6d�6d6idd�6|jd6dd�6id�d�6dd�6dd�6d�6d6id	d�6|jd6dd�6id�d�6dd�6dd�6d�6d
6idd�6|jd6dd�6id�d�6dd�6dd�6d�6d
6idd�6|jd6dd�6id�d�6dd�6dd�6d�6d6idd�6|jd6dd�6id�d�6dd�6dd�6d�6d6idd�6|jd6|jj1�d�6id�d�6dd�6dd�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d6idd�6|jd6|jj1�d�6id�d�6dd�6dd�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d6idd�6|jd6|jj1�d�6id�d�6dd�6dd�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d6idd�6|jd6|jj1�d�6id�d�6dd�6dd�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d6idd�6|jd6|jj1�d�6id�d�6dd�6dd�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d6idd�6|jd6|jj1�d�6id�d�6dd�6dd�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d6id d�6|jd6id!d"6idd#6d$d%6d&6d�6idd'6d(d�6d)6d*6id+d�6|jd6id!d"6idd#6d,d%6d-d.6d&6d�6idd'6d/d�6d)6id0d6d1d6id-d.6d"6id-d.6d#6d�6d26id3d�6|jd6id!d"6idd#6d,d%6d&6d�6idd'6d4d�6d)6id0d6d1d6d�6d56id6d�6|jd6id!d"6idd#6d7d%6d&6d�6idd'6d8d�6d)6d96id:d�6|jd6|j+j1�d�6id;d�6d�d�6d�6|j,d�6d;6id<d�6|jd6|j+j1�d�6id=d�6d�d�6d�6|j,d�6d>6id?d�6|j+j1�d�6|jd6id@d�6d�d�6d�6|j,d�6dA6idBd�6|jj1�d�6|jd6id�d�6dCd�6dDd�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6dD6idEd�6|j+j1�d�6|jd6idFd�6d�d�6d�6|j,d�6dG6idHd�6|jd6|jj1�d�6id�d�6d�d�6dId�6d�d�6d�6|j	d�6dJ6idKd�6dd�6|jd6idLd�6d�d�6d�6idMd6dNd6d�6dO6idPd�6dd�6|jd6idQd�6d�d�6d�6idMd6dNd6d�6dR6idSd�6|jj1�d�6|jd6id�d�6d�d�6dTd�6d�d�6d�6|j	d�6dT6idUd�6|jj1�d�6|jd6id�d�6d�d�6dTd�6d�d�6d�6|j	d�6dV6idWd�6|jj1�d�6|jd6id�d�6dXd�6dYd�6d�d�6d�6|j	d�6dY6idZd�6id!d"6idd#6d[d%6d&6d�6|jd6id�d�6d\d�6d]d�6d�d�6d�6d]6id^d�6|jj1�d�6|jd6id�d�6d\d�6d_d�6d�d�6d�6|j	d�6d_6id`d�6|jj1�d�6|jd6id�d�6d\d�6dad�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6da6idbd�6|jj1�d�6|jd6id�d�6dXd�6dcd�6d�d�6d�6|j	d�6dc6iddd�6|jj1�d�6|jd6id�d�6dXd�6ded�6d�d�6d�6|j	d�6de6idfd�6|jj1�d�6|jd6id�d�6dXd�6dgd�6d�d�6d�6|j	d�6dg6idhd�6|jj1�d�6|jd6id�d�6dXd�6did�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6di6idjd�6|jj1�d�6|jd6id�d�6dXd�6dkd�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6dk6idld�6|jj1�d�6|jd6id�d�6dXd�6dmd�6d�d�6d�6|j	d�6dm6idnd�6|jj1�d�6|jd6id�d�6dXd�6dod�6d�d�6d�6|j	d�6do6idpd�6|jj1�d�6|jd6id�d�6dXd�6dqd�6d�d�6d�6|j	d�6dq6idrd�6|jj1�d�6|jd6id�d�6dXd�6dsd�6d�d�6d�6|j	d�6ds6idtd�6|jj1�d�6|jd6id�d�6dXd�6dud�6d�d�6d�6|j	d�6du6idvd�6|jj1�d�6|jd6id�d�6dXd�6dwd�6d�d�6d�6|j	d�6dw6idxd�6id!d"6idd#6dyd%6d&6d�6|jd6id�d�6d\d�6dzd�6d�d�6d�6dz6id{d�6id!d"6idd#6dyd%6d&6d�6|jd6id�d�6dCd�6d|d�6d�d�6d�6d|6id}d�6id!d"6idd#6d~d%6d&6d�6|jd6id�d�6dCd�6dd�6d�d�6d�6d6id�d�6|jd6id�d�6dCd�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jd6id�d�6dCd�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jj1�d�6|jd6id�d�6dCd�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jj1�d�6|jd6id�d�6dXd�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6id!d"6idd#6d�d%6d&6d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|j
d 6td!6d"6i|j
d 6td!6d#6d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6t2d�t2d�gd�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�d6d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6dXd�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|jd�6d�6id�d�6d�d%d&d�gd�6|jd6id�d�6d\d�6d�d�6d�d�6d�6id�d6d�d6d�6d�6id�d�6|j
j1�d�6|jd6id�d�6d\d�6d�d�6d�d�6d�6|jd�6d�6id�d�6|j
j1�d�6|jd6id�d�6d\d�6d�d�6d�d�6d�6|jd�6d�6id�d�6d�d�t2d�d�t2d�gd�6|jd6id�d�6d�d�6d�6id�d6d�d6d�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|jd�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|jd�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|jd�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|jd�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|jd�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|jd�6d�6id�d�6id!d"6idd#6dyd%6d&6d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6d�6id�d�6|j
j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|jd�6d�6id�d�6|jd6id!d"6idd#6d�d%6d&6d�6idd'6d�d�6d)6id�d6d�d6d�6d�6id�d�6|jd6id!d"6idd#6d�d%6d&6d�6idd'6d�d�6d)6d�6id�d�6|jd6id!d"6idd#6d�d%6d&6d�6idd'6d�d�6d)6id�d6d�d6d�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�6|jd�6d�6id�d�6|jd6|jj1�d�6id�d�6d�6|jd�6d�6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d	6id
d�6|jd6|jj1�d�6id
d�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d
6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6idd�6|jd6|jj1�d�6idd�6d�6|jd�6d6id d�6|jd6|jj1�d�6id d�6d�6|jd�6d!6id"d�6|jd6|jj1�d�6id"d�6d�6|jd�6d#6id$d�6|jd6|jj1�d�6id$d�6d�6|jd�6d%6id&d�6|jd6|jj1�d�6id&d�6d�6|jd�6d'6id(d�6|jd6|jj1�d�6id(d�6d�6|jd�6d)6id*d�6|jd6|jj1�d�6id*d�6d�6|jd�6d+6id,d�6|jd6|jj1�d�6id,d�6d�6|jd�6d-6id.d�6|jd6|jj1�d�6id.d�6d�6|jd�6d/6id0d�6|jd6|jj1�d�6id0d�6d�6|jd�6d16id2d�6|jd6|jj1�d�6id2d�6d�6|jd�6d36id4d�6|jd6|jj1�d�6id4d�6d�6|jd�6d56id6d�6|jd6|jj1�d�6id6d�6d�6|jd�6d76id8d�6|jd6|jj1�d�6id8d�6d�6|jd�6d96id:d�6|jd6|jj1�d�6id:d�6d�6|jd�6d;6id<d�6|jd6|jj1�d�6id<d�6d�6|jd�6d=6id>d�6|jd6|jj1�d�6id>d�6d�6|jd�6d?6id@d�6|jd6|jj1�d�6id@d�6d�6|jd�6dA6idBd�6|jd6|jj1�d�6idBd�6d�6|jd�6dC6idDd�6|jd6|jj1�d�6idDd�6d�6|jd�6dE6idFd�6|jd6|jj1�d�6idFd�6d�6|jd�6dG6idHd�6|jd6|jj1�d�6idHd�6d�6|jd�6dI6idJd�6|jd6|jj1�d�6idJd�6d�6|jd�6dK6idLd�6|jd6|jj1�d�6idLd�6d�6|jd�6dM6idNd�6|jd6|jj1�d�6idNd�6d�6|jd�6dO6idPd�6|jd6|jj1�d�6idPd�6d�6|jd�6dQ6idRd�6|jd6|jj1�d�6idRd�6d�6|jd�6dS6idTd�6|jd6|jj1�d�6idTd�6d�6|jd�6dU6idVd�6|jd6|jj1�d�6idVd�6d�6|jd�6dW6idXd�6|jd6|jj1�d�6idXd�6d�6|jd�6dY6idZd�6|jd6|jj1�d�6idZd�6d�6|jd�6d[6id\d�6|jd6|jj1�d�6id\d�6d�6|jd�6d]6id^d�6|jd6|jj1�d�6id^d�6d�6|jd�6d_6id`d�6|jd6|jj1�d�6id`d�6d�6|jd�6da6idbd�6|jd6|jj1�d�6idbd�6d�6|jd�6dc6iddd�6|jd6|jj1�d�6iddd�6d�6|jd�6de6idfd�6|jd6|jj1�d�6idfd�6d�6|jd�6dg6idhd�6|jd6dd�6idid�6dj6idkd6dld6d�6di6idmd�6|jd6dd�6idnd�6dj6idkd6dld6d�6dn6idod�6|jd6dd�6idpd�6dj6idkd6dld6d�6dp6idqd�6|jd6dd�6idrd�6dj6idkd6dld6d�6dr6idsd�6|jd6dd�6idtd�6dj6idkd6dld6d�6dt6idud�6|jd6dd�6idvd�6dj6idkd6dld6d�6dv6idwd�6|jd6dd�6idxd�6dj6idkd6dld6d�6dx6idyd�6|jd6dd�6idzd�6dj6idkd6dld6d�6dz6id{d�6|jd6dd�6id|d�6dj6idkd6dld6d�6d|6id}d�6|jd6dd�6id~d�6dj6idkd6dld6d�6d~6idd�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jd6dd�6id�d�6dj6idkd6dld6d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|jd 6td!6d"6i|jd 6td!6d#6d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6dd�6d�d�6d�6|j	d�6d�6id�d�6dd�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6dd�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6dd�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�d6i|j"d 6td!6d"6i|j"d 6td!6d#6d�6d�6id�d�6|jj1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6|j	d�6d�6id�d�6|jd6|j+j1�d�6id�d�6d�d�6d�6|j,d�6d�6id�d�6|j#j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|j#d 6td!6d"6i|j#d 6td!6d#6d�6d�6id�d�6|j$j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|j$d 6td!6d"6i|j$d 6td!6d#6d�6d�6id�d�6dd�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�d6i|j%d 6td!6d"6i|j%d 6td!6d#6d�6d�6id�d�6dd�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�d6i|j%d 6td!6d"6i|j%d 6td!6d#6d�6d�6id�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6id�d6d�6d�6id�d�6|j&j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|j&d 6td!6d"6i|j&d 6td!6d#6d�6d�6id�d�6|j'j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|j'd 6td!6d"6i|j'd 6td!6d#6d�6d�6id�d�6|j(j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|j(d 6td!6d"6i|j(d 6td!6d#6d�6d�6id�d�6|j)j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|j)d 6td!6d"6i|j)d 6td!6d#6d�6d�6id�d�6|j*j1�d�6|jd6id�d�6d�d�6d�d�6d�d�6d�6idd6dd6i|j*d 6td!6d"6i|j*d 6td!6d#6d�6d�6id�d�6|jj1�d�6|jd6id�d�6dCd�6dd�6d�d�6d�6|j	d�6d6idd�6|jj1�d�6|jd6id�d�6dd�6dd�6d�d�6d�6|j	d�6d6idd�6|jj1�d�6|jd6id�d�6dd�6dd�6d�d�6d�6|j	d�6d6idd�6|jj1�d�6|jd6id�d�6dd�6d	d�6d�d�6d�6|j	d�6d	6id
d�6|jd6id�d�6dd�6dd�6d�d�6d�6id�d6d�6d
6idd�6|jj1�d�6|jd6id�d�6dd�6dd�6d�d�6d�6|j	d�6d6d6d�6idd6id6d6|_3iit-j.j/t-j0d��d�d�dd�d6dd6dd6dd6dd6d6it-j.j/t-j0d��d�d�d�d�d6d�d6d'd6dd6dd6d�6|_4d|_5t-j.j/t-j0d��d�d�d�|_6dS( NuNo auditingiuSuccessiuFailureiuSuccess, FailureiuNot DefineduNo AuditinguSuccess and FailureuNot Configuredu	No ActionuLock WorkstationuForce Logoffu/Disconnect if a Remote Desktop Services sessionu(value not set)uElevate without promptingu,Prompt for credentials on the secure desktopu(Prompt for consent on the secure desktopuPrompt for credentialsuPrompt for consentiu+Prompt for consent for non-Windows binariesiu%Automatically deny elevation requestsuDisableduEnabledu_dict_lookupuGetuPutulookupuvalue_lookupuGetArgsuPutArgsuDefaultu0u1uComputer ConfigurationuWindows SettingsuSecurity SettingsuLocal PoliciesuSecurity Optionsu'Windows Firewall with Advanced SecurityuCWindows Firewall with Advanced Security - Local Group Policy ObjectuAccount PoliciesuPassword PolicyuAudit Policyu#Advanced Audit Policy Configurationu1System Audit Policies - Local Group Policy ObjectuAccount Lockout PolicyuUser Rights AssignmentuThis policy is disabledu"Users can't add Microsoft accountsu1Users can't add or log on with Microsoft accountsuNoneuRequire signinguOffuAccept if provided by clientuRequire from clientu(User display name, domain and user namesuUser display name onlyuDo not display user informationu0Classic - local users authenticate as themselvesu.Guest only - local users authenticate as Guestu<User input is not required when new keys are stored and usedu+User is prompted when the key is first usedu3User must enter a password each time they use a keyuBlock (default)ublockinbounduBlock all connectionsublockinboundalwaysuAllowuallowinbounduNot configuredu
notconfigureduBlocku
blockoutbounduAllow (default)u
allowoutboundu
Yes (default)uenableuNoudisableuYesuNo (default)uOn (recommended)uonuoffu
No minimumuDES_CBC_CRCuDES_CBD_MD5uRC4_MHAC_MD5uAES128_HMAC_SHA1iuAES256_HMAC_SHA1iuFuture Encryption Typesi�uSend LM & NTLM responseu:Send LM & NTLM - use NTLMv2 session security if negotiateduSend NTLM response onlyuSend NTLMv2 response onlyu$Send NTLMv2 response only. Refuse LMu+Send NTLMv2 response only. Refuse LM & NTLMuNegotiate signinguRequire NTLMv2 session securityiuRequire 128-bit encryptioni uDisableu#Enable auditing for domain accountsu Enable auditing for all accountsu,Enable for domain accounts to domain serversuEnable for domain accountsuEnable for domain serversu
Enable alliu	Allow alluDeny all domain accountsuDeny all accountsu*Deny for domain accounts to domain serversuDeny for domain accountsuDeny for domain serversuDeny allu	Audit allulgpo_sectionuStartup ScriptsuPolicyuScripts (Startup/Shutdown)uStartupuSectionuWINDIRuSystem32uGroupPolicyuMachineuScriptsuscripts.iniuIniPathu	ScriptIniuStartupScriptsuStartup Powershell Scriptsu
psscripts.iniuStartupPowershellScriptsu:Startup - For this GPO, run scripts in the following orderu
ScriptsConfiguStartExecutePSFirstuSettingNameutrueufalseuSettingsu#_powershell_script_order_conversionu+_powershell_script_order_reverse_conversionu	TransformuStartupPowershellScriptOrderuShutdown ScriptsuShutdownuShutdownScriptsuShutdown Powershell ScriptsuShutdownPowershellScriptsu;Shutdown - For this GPO, run scripts in the following orderuEndExecutePSFirstuShutdownPowershellScriptOrderu4Network access: Allow anonymous SID/Name translationuLSAAnonymousNameLookupuOptionu
System AccessuSecedituBNetwork access: Do not allow anonymous enumeration of SAM accountsuHKEY_LOCAL_MACHINEuHiveu$SYSTEM\CurrentControlSet\Control\LsauPathuRestrictAnonymousSamuValueu	REG_DWORDuTypeuRegistryuDNetwork access: Restrict clients allowed to make remote calls to SAMu$System\CurrentControlSet\Control\LsauRestrictRemoteSAMuREG_SZu_string_put_transformuMNetwork access: Do not allow anonymous enumeration of SAM accounts and sharesuRestrictAnonymousu\Network access: Do not allow storage of passwords and credentials for network authenticationuDisableDomainCredsuANetwork access: Let Everyone permissions apply to anonymous usersueveryoneincludesanonymousuEveryoneIncludesAnonymousu<Network access: Named Pipes that can be accessed anonymouslyu9SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersuNullSessionPipesuREG_MULTI_SZu_multi_string_put_transformu2Network access: Remotely accessible registry pathsuKSYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPathsuRemoteRegistryExactPathsu@Network access: Remotely accessible registry paths and sub-pathsuFSYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPathsuRemoteRegistryPathsuCNetwork access: Restrict anonymous access to Named Pipes and Sharesu9System\CurrentControlSet\Services\LanmanServer\ParametersuRestrictNullSessAccessu7Network access: Shares that can be accessed anonymouslyuNullSessionSharesu=Network access: Sharing and security model for local accountsu
ForceGuestuNetwork firewall: Domain: StateudomainuProfileustateuStateuNetSHuWfwDomainStateu Network firewall: Private: StateuprivateuWfwPrivateStateuNetwork firewall: Public: StateupublicuWfwPublicStateu-Network firewall: Domain: Inbound connectionsufirewallpolicyuInbounduWfwDomainInboundConnectionsu.Network firewall: Private: Inbound connectionsuWfwPrivateInboundConnectionsu-Network firewall: Public: Inbound connectionsuWfwPublicInboundConnectionsu.Network firewall: Domain: Outbound connectionsuOutbounduWfwDomainOutboundConnectionsu/Network firewall: Private: Outbound connectionsuWfwPrivateOutboundConnectionsu.Network firewall: Public: Outbound connectionsuWfwPublicOutboundConnectionsu:Network firewall: Domain: Settings: Display a notificationusettingsuInboundUserNotificationuWfwDomainSettingsNotificationu;Network firewall: Private: Settings: Display a notificationuWfwPrivateSettingsNotificationu:Network firewall: Public: Settings: Display a notificationuWfwPublicSettingsNotificationu>Network firewall: Domain: Settings: Apply local firewall rulesuLocalFirewallRulesu#WfwDomainSettingsLocalFirewallRulesu?Network firewall: Private: Settings: Apply local firewall rulesu$WfwPrivateSettingsLocalFirewallRulesu>Network firewall: Public: Settings: Apply local firewall rulesu#WfwPublicSettingsLocalFirewallRulesuINetwork firewall: Domain: Settings: Apply local connection security rulesuLocalConSecRulesu%WfwDomainSettingsLocalConnectionRulesuJNetwork firewall: Private: Settings: Apply local connection security rulesu&WfwPrivateSettingsLocalConnectionRulesuINetwork firewall: Public: Settings: Apply local connection security rulesu%WfwPublicSettingsLocalConnectionRulesu'Network firewall: Domain: Logging: NameulogginguFileNameuWfwDomainLoggingNameu(Network firewall: Private: Logging: NameuWfwPrivateLoggingNameu'Network firewall: Public: Logging: NameuWfwPublicLoggingNameu2Network firewall: Domain: Logging: Size limit (KB)uMaxFileSizeuWfwDomainLoggingMaxFileSizeu3Network firewall: Private: Logging: Size limit (KB)uWfwPrivateLoggingMaxFileSizeu2Network firewall: Public: Logging: Size limit (KB)uWfwPublicLoggingMaxFileSizeu=Network firewall: Domain: Logging: Log successful connectionsuLogAllowedConnectionsu"WfwDomainLoggingAllowedConnectionsu>Network firewall: Private: Logging: Log successful connectionsu#WfwPrivateLoggingAllowedConnectionsu=Network firewall: Public: Logging: Log successful connectionsu"WfwPublicLoggingAllowedConnectionsu6Network firewall: Domain: Logging: Log dropped packetsuLogDroppedConnectionsu"WfwDomainLoggingDroppedConnectionsu7Network firewall: Private: Logging: Log dropped packetsu#WfwPrivateLoggingDroppedConnectionsu6Network firewall: Public: Logging: Log dropped packetsu"WfwPublicLoggingDroppedConnectionsuEnforce password historyu_in_range_inclusiveuFunctionuminiumaxuArgsuModalupassword_hist_lenuNetUserModaluPasswordHistoryuMaximum password agei�
%I����u
zero_valueumax_passwd_ageu_seconds_to_daysu_days_to_secondsuMaxPasswordAgeuMinimum password ageumin_passwd_ageuMinPasswordAgeuMinimum password lengthiumin_passwd_lenuMinPasswordLenu*Password must meet complexity requirementsuPasswordComplexityu+Store passwords using reversible encryptionuClearTextPassworduClearTextPasswordsu&Accounts: Administrator account statusuEnableAdminAccountuAdminAccountStatusu"Accounts: Block Microsoft accountsu9SOFTWARE\Microsoft\Windows\CurrentVersion\policies\systemuNoConnectedUseruAccounts: Guest account statusuEnableGuestAccountuGuestAccountStatusuJAccounts: Limit local account use of blank passwords to console logon onlyulimitblankpassworduseuLimitBlankPasswordUseu&Accounts: Rename administrator accountuNewAdministratorNameu
_strip_quotesu_add_quotesuRenameAdministratorAccountuAccounts: Rename guest accountuNewGuestNameuRenameGuestAccountu0Audit: Audit the access of global system objectsuAuditBaseObjectsurAudit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settingsuSceNoApplyLegacyAuditPolicyu0Interactive logon: Do not display last user nameu9Software\Microsoft\Windows\CurrentVersion\Policies\SystemuDontDisplayLastUserNameubInteractive logon: Number of previous logons to cache (in case domain controller is not available)i2u5Software\Microsoft\Windows NT\CurrentVersion\WinlogonuCachedLogonsCountuQInteractive logon: Require Domain Controller authentication to unlock workstationuForceUnlockLogonu.Interactive logon: Smart card removal behavioruScRemoveOptionu.Interactive logon: Do not require CTRL+ALT+DELu
DisableCADuPUser Account Control: Admin Approval Mode for the built-in Administrator accountuFilterAdministratorTokenujUser Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktopuEnableUIADesktopToggleu`User Account Control: Behavior of the elevation prompt for administrators in Admin Approval ModeuConsentPromptBehaviorAdminuIUser Account Control: Behavior of the elevation prompt for standard usersuConsentPromptBehaviorUseruOUser Account Control: Detect application installations and prompt for elevationuEnableInstallerDetectionuLUser Account Control: Only elevate executables that are signed and validateduValidateAdminCodeSignaturesu_User Account Control: Only elevate UIAccess applications that are installed in secure locationsuEnableSecureUIAPathsuCUser Account Control: Run all administrators in Admin Approval Modeu	EnableLUAuOUser Account Control: Switch to the secure desktop when prompting for elevationuPromptOnSecureDesktopuWUser Account Control: Virtualize file and registry write failures to per-user locationsuEnableVirtualizationuCInteractive logon: Prompt user to change password before expirationi�uPasswordExpiryWarningu4Interactive logon: Machine account lockout thresholduMaxDevicePasswordFailedAttemptsu+Interactive logon: Machine inactivity limiti�'	uInactivityTimeoutSecsu>Interactive logon: Message text for users attempting to log onulegalnoticetextu?Interactive logon: Message title for users attempting to log onulegalnoticecaptionuFInteractive logon: Display user information when the session is lockeduDontDisplayLockedUserIdu%Interactive logon: Require smart cardu
ScForceOptionu@Microsoft network client: Digitally sign communications (always)u>SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ParametersuRequireSecuritySignatureuClient_RequireSecuritySignatureuJMicrosoft network client: Digitally sign communications (if server agrees)uEnableSecuritySignatureuClient_EnableSecuritySignatureuNMicrosoft network client: Send unencrypted password to third-party SMB serversuEnablePlainTextPassworduPMicrosoft network server: Amount of idle time required before suspending sessioni��uAutoDisconnectuFMicrosoft network server: Attempt S4U2Self to obtain claim informationuEnableS4U2SelfForClaimsu@Microsoft network server: Digitally sign communications (always)uServer_RequireSecuritySignatureuJMicrosoft network server: Digitally sign communications (if client agrees)uServer_EnableSecuritySignatureuDMicrosoft network server: Disconnect clients when logon hours expireuEnableForcedLogoffuAMicrosoft network server: Server SPN target name validation leveluSmbServerNameHardeningLevelu4Audit: Audit the use of Backup and Restore privilegeuFullPrivilegeAuditingu
REG_BINARYu*_binary_enable_zero_disable_one_conversionu2_binary_enable_zero_disable_one_reverse_conversionuDAudit: Shut down system immediately if unable to log security auditsuCrashOnAuditFailu.Devices: Allow undock without having to log onuUndockWithoutLogonu6Devices: Prevent users from installing printer driversuNSystem\CurrentControlSet\Control\Print\Providers\LanMan Print Services\ServersuAddPrinterDriversu4Devices: Allowed to format and eject removable mediau9999u2uAllocateDASDu_dasd_conversionu_dasd_reverse_conversionu>Devices: Restrict CD-ROM access to locally logged-on user onlyuAllocateCDRomsu>Devices: Restrict floppy access to locally logged-on user onlyuAllocateFloppiesu.Devices: Unsigned driver installation behavioru3,0u3,u0MACHINE\Software\Microsoft\Driver Signing\PolicyuRegistry Valuesu_driver_signing_reg_conversionu&_driver_signing_reg_reverse_conversionuDriverSigningPolicyu;Domain controller: Allow server operators to schedule tasksu
SubmitControlu3Domain controller: LDAP server signing requirementsu1System\CurrentControlSet\Services\NTDS\ParametersuLDAPServerIntegrityu:Domain controller: Refuse machine account password changesu5SYSTEM\CurrentControlSet\Services\Netlogon\ParametersuRefusePasswordChangeuEDomain member: Digitally encrypt or sign secure channel data (always)u5System\CurrentControlSet\Services\Netlogon\ParametersuRequireSignOrSealuDDomain member: Digitally encrypt secure channel data (when possible)uSealSecureChanneluADomain member: Digitally sign secure channel data (when possible)uSignSecureChannelu7Domain member: Disable machine account password changesuDisablePasswordChangeu3Domain member: Maximum machine account password ageuMaximumPasswordAgeuADomain member: Require strong (Windows 2000 or later) session keyuRequireStrongKeyuAccount lockout durationi��[ulockout_durationu_seconds_to_minutesu_minutes_to_secondsuLockoutDurationuAccount lockout thresholdi�ulockout_thresholduLockoutThresholdu#Reset account lockout counter afterulockout_observation_windowu
LockoutWindowuAudit account logon eventsuAuditAccountLogonuEvent AudituAudit account managementuAuditAccountManageuAudit directory service accessu
AuditDSAccessuAudit logon eventsuAuditLogonEventsuAudit object accessuAuditObjectAccessuAudit policy changeuAuditPolicyChangeuAudit privilege useuAuditPrivilegeUseuAudit process trackinguAuditProcessTrackinguAudit system eventsuAuditSystemEventsuAudit Credential ValidationuAdvAudituAuditCredentialValidationu%Audit Kerberos Authentication Serviceu"AuditKerberosAuthenticationServiceu(Audit Kerberos Service Ticket Operationsu$AuditKerberosServiceTicketOperationsu Audit Other Account Logon EventsuAuditOtherAccountLogonEventsu"Audit Application Group ManagementuAuditApplicationGroupManagementu!Audit Computer Account ManagementuAuditComputerAccountManagementu#Audit Distribution Group Managementu AuditDistributionGroupManagementu%Audit Other Account Management Eventsu!AuditOtherAccountManagementEventsuAudit Security Group ManagementuAuditSecurityGroupManagementuAudit User Account ManagementuAuditUserAccountManagementuAudit DPAPI ActivityuAuditDPAPIActivityuAudit PNP ActivityuAuditPNPActivityuAudit Process CreationuAuditProcessCreationuAudit Process TerminationuAuditProcessTerminationuAudit RPC EventsuAuditRPCEventsuAudit Token Right AdjusteduAuditTokenRightAdjustedu,Audit Detailed Directory Service Replicationu(AuditDetailedDirectoryServiceReplicationuAudit Directory Service AccessuAuditDirectoryServiceAccessuAudit Directory Service ChangesuAuditDirectoryServiceChangesu#Audit Directory Service Replicationu AuditDirectoryServiceReplicationuAudit Account LockoutuAuditAccountLockoutuAudit User / Device ClaimsuAuditUserDeviceClaimsuAudit Group MembershipuAuditGroupMembershipuAudit IPsec Extended ModeuAuditIPsecExtendedModeuAudit IPsec Main ModeuAuditIPsecMainModeuAudit IPsec Quick ModeuAuditIPsecQuickModeuAudit LogoffuAuditLogoffuAudit Logonu
AuditLogonuAudit Network Policy ServeruAuditNetworkPolicyServeruAudit Other Logon/Logoff EventsuAuditOtherLogonLogoffEventsuAudit Special LogonuAuditSpecialLogonuAudit Application GenerateduAuditApplicationGenerateduAudit Certification ServicesuAuditCertificationServicesuAudit Detailed File ShareuAuditDetailedFileShareuAudit File ShareuAuditFileShareuAudit File SystemuAuditFileSystemu#Audit Filtering Platform Connectionu AuditFilteringPlatformConnectionu$Audit Filtering Platform Packet Dropu AuditFilteringPlatformPacketDropuAudit Handle ManipulationuAuditHandleManipulationuAudit Kernel ObjectuAuditKernelObjectu Audit Other Object Access EventsuAuditOtherObjectAccessEventsuAudit Registryu
AuditRegistryuAudit Removable StorageuAuditRemovableStorageu	Audit SAMuAuditSAMu#Audit Central Access Policy StaginguAuditCentralAccessPolicyStaginguAudit Audit Policy ChangeuAuditAuditPolicyChangeu"Audit Authentication Policy ChangeuAuditAuthenticationPolicyChangeu!Audit Authorization Policy ChangeuAuditAuthorizationPolicyChangeu&Audit Filtering Platform Policy Changeu"AuditFilteringPlatformPolicyChangeu%Audit MPSSVC Rule-Level Policy Changeu AuditMPSSVCRuleLevelPolicyChangeu Audit Other Policy Change EventsuAuditOtherPolicyChangeEventsu!Audit Non Sensitive Privilege UseuAuditNonSensitivePrivilegeUseu Audit Other Privilege Use EventsuAuditOtherPrivilegeUseEventsuAudit Sensitive Privilege UseuAuditSensitivePrivilegeUseuAudit IPsec DriveruAuditIPsecDriveruAudit Other System EventsuAuditOtherSystemEventsuAudit Security State ChangeuAuditSecurityStateChangeuAudit Security System ExtensionuAuditSecuritySystemExtensionuAudit System IntegrityuAuditSystemIntegrityu-Access Credential Manager as a trusted calleruSeTrustedCredManAccessPrivilegeu	LsaRightsu_sidConversionu_usernamesToSidObjectsu%Access this computer from the networkuSeNetworkLogonRightu#Act as part of the operating systemuSeTcbPrivilegeuAdd workstations to domainuSeMachineAccountPrivilegeu"Adjust memory quotas for a processuSeIncreaseQuotaPrivilegeuAllow log on locallyuSeInteractiveLogonRightu,Allow log on through Remote Desktop ServicesuSeRemoteInteractiveLogonRightuBackup files and directoriesuSeBackupPrivilegeuBypass traverse checkinguSeChangeNotifyPrivilegeuChange the system timeuSeSystemtimePrivilegeuChange the time zoneuSeTimeZonePrivilegeuCreate a pagefileuSeCreatePagefilePrivilegeuCreate a token objectuSeCreateTokenPrivilegeuCreate global objectsuSeCreateGlobalPrivilegeuCreate permanent shared objectsuSeCreatePermanentPrivilegeuCreate symbolic linksuSeCreateSymbolicLinkPrivilegeuDebug programsuSeDebugPrivilegeu-Deny access to this computer from the networkuSeDenyNetworkLogonRightuDeny log on as a batch jobuSeDenyBatchLogonRightuDeny log on as a serviceuSeDenyServiceLogonRightuDeny log on locallyuSeDenyInteractiveLogonRightu+Deny log on through Remote Desktop Servicesu!SeDenyRemoteInteractiveLogonRightu>Enable computer and user accounts to be trusted for delegationuSeEnableDelegationPrivilegeu#Force shutdown from a remote systemuSeRemoteShutdownPrivilegeuGenerate security auditsuSeAuditPrivilegeu)Impersonate a client after authenticationuSeImpersonatePrivilegeuIncrease a process working setuSeIncreaseWorkingSetPrivilegeuIncrease scheduling priorityuSeIncreaseBasePriorityPrivilegeuLoad and unload device driversuSeLoadDriverPrivilegeuLock pages in memoryuSeLockMemoryPrivilegeuLog on as a batch jobuSeBatchLogonRightuLog on as a serviceuSeServiceLogonRightu Manage auditing and security loguSeSecurityPrivilegeuModify an object labeluSeRelabelPrivilegeu"Modify firmware environment valuesuSeSystemEnvironmentPrivilegeu Perform volume maintenance tasksuSeManageVolumePrivilegeuProfile single processuSeProfileSingleProcessPrivilegeuProfile system performanceuSeSystemProfilePrivilegeu$Remove computer from docking stationuSeUndockPrivilegeuReplace a process level tokenuSeAssignPrimaryTokenPrivilegeuRestore files and directoriesuSeRestorePrivilegeuShut down the systemuSeShutdownPrivilegeu"Synchronize directory service datauSeSyncAgentPrivilegeu(Take ownership of files or other objectsuSeTakeOwnershipPrivilegeu6Recovery console: Allow automatic administrative logonuBSoftware\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsoleu
SecurityLeveluRecoveryConsoleSecurityLeveluLRecovery console: Allow floppy copy and access to all drives and all foldersu
SetCommanduRecoveryConsoleSetCommanduUSystem Cryptography: Force strong key protection for user keys stored on the computeru(Software\Policies\Microsoft\CryptographyuForceKeyProtectionuWSystem Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signingu8System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicyuFIPSAlgorithmPolicyuZDCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntaxu+Software\Policies\Microsoft\Windows NT\DCOMuMachineAccessRestrictionuZDCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntaxuMachineLaunchRestrictionuFNetwork security: Allow Local System to use computer identity for NTLMuUseMachineIdu9Network security: Allow LocalSystem NULL session fallbacku+SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0uallownullsessionfallbacku`Network security: Allow PKU2U authentication requests to this computer to use online identities.u*SYSTEM\CurrentControlSet\Control\Lsa\pku2uu
AllowOnlineIDuANetwork security: Configure encryption types allowed for KerberosuMSOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\Kerberos\ParametersuSupportedEncryptionTypesu_dict_lookup_bitwise_adduKrbSupportedEncryptionTypesuMNetwork security: Do not store LAN Manager hash value on next password changeuNoLMHashu6Network security: Force logoff when logon hours expireuForceLogoffWhenHourExpireu2Network security: LAN Manager authentication leveluLmCompatibilityLevelu2Network security: LDAP client signing requirementsu&SYSTEM\CurrentControlSet\Services\ldapuLDAPClientIntegrityu\Network security: Minimum session security for NTLM SSP based (including secure RPC) clientsu+System\CurrentControlSet\Control\Lsa\MSV1_0uNTLMMinClientSecu\Network security: Minimum session security for NTLM SSP based (including secure RPC) serversuNTLMMinServerSecuUNetwork security: Restrict NTLM: Add remote server exceptions for NTLM authenticationuClientAllowedNTLMServersuENetwork security: Restrict NTLM: Add server exceptions in this domainuDCAllowedNTLMServersu<Network security: Restrict NTLM: Audit Incoming NTLM Trafficu+SYSTEM\CurrentControlSet\Control\LSA\MSV1_0uAuditReceivingNTLMTrafficuINetwork security: Restrict NTLM: Audit NTLM authentication in this domainuAuditNTLMInDomainu6Network security: Restrict NTLM: Incoming NTLM trafficuRestrictReceivingNTLMTrafficuCNetwork security: Restrict NTLM: NTLM authentication in this domainuRestrictNTLMInDomainuHNetwork security: Restrict NTLM: Outgoing NTLM traffic to remote serversuRestrictSendingNTLMTrafficu?Shutdown: Allow system to be shut down without having to log onuShutdownWithoutLogonu'Shutdown: Clear virtual memory pagefileuBSystem\CurrentControlSet\Control\SESSION MANAGER\MEMORY MANAGEMENTuClearPageFileAtShutdownuESystem objects: Require case insensitivity for non-Windows subsystemsu7System\CurrentControlSet\Control\SESSION MANAGER\KerneluObCaseInsensitiveu_System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)u0System\CurrentControlSet\Control\SESSION MANAGERuProtectionModeu$System settings: Optional subsystemsu;System\CurrentControlSet\Control\SESSION MANAGER\SubSystemsuoptionaluOptionalSubsystemsu_System settings: Use Certificate Rules on Windows Executables for Software Restriction Policiesu9SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiersuAuthenticodeEnabledupoliciesuUser ConfigurationuUseruRegistry.polupolicy_pathu
HKEY_USERSuhiveugPCUserExtensionNamesugpt_extension_locationuN[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}]ugpt_extension_guidugPCMachineExtensionNamesuN[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]u剐来ugpt.ini(7tNonetaudit_lookuptadvanced_audit_lookuptsc_removal_lookuptuac_admin_prompt_lookuptuac_user_prompt_lookuptenabled_one_disabled_zerotFalsetTruet#enabled_one_disabled_zero_transformts4u2self_optionstaudit_transformtadvanced_audit_transformt!enabled_one_disabled_zero_stringst+enabled_one_disabled_zero_strings_transformtsecurity_options_gpedit_pathtwindows_firewall_gpedit_pathtpassword_policy_gpedit_pathtaudit_policy_gpedit_patht!advanced_audit_policy_gpedit_patht"account_lockout_policy_gpedit_patht"user_rights_assignment_gpedit_pathtblock_ms_accountst ldap_server_signing_requirementst smb_server_name_hardening_levelstlocked_session_user_infotforce_guesttforce_key_protectiontfirewall_inbound_connectionstfirewall_outbound_connectionstfirewall_rule_mergingt firewall_log_packets_connectionstfirewall_notificationtfirewall_statetkrb_encryption_typestlm_compat_levelstldap_signing_reqstntlm_session_security_levelstntlm_audit_settingstntlm_domain_audit_settingstincoming_ntlm_settingstntlm_domain_auth_settingstoutgoing_ntlm_settingst(enabled_one_disabled_zero_no_not_definedt2enabled_one_disabled_zero_no_not_defined_transformtostpathtjointgetenvtkeystchrtpoliciestadmx_registry_classestreg_pol_headertgpt_ini_path(tself((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt__init__Cs














































































































































































































$




















































































































































































	cK@s|r
tStSdS(u.
        ensures a value is not empty
        N(RR(tclstvaltkwargs((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt	_notEmpty
scK@s>|jdd�}|dk	r6||kr.dS|dSdSdS(u6
        converts a number of seconds to days
        u
zero_valueii�QuNot DefinedN(tgetR(RDRERFt
zero_value((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_seconds_to_daysscK@s>|jdd�}|dk	r6|dkr.|S|dSdSdS(u6
        converts a number of days to seconds
        u
zero_valueii�QuNot DefinedN(RHR(RDRERFRI((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_days_to_seconds!scK@s|dk	r|dSdSdS(u9
        converts a number of seconds to minutes
        i<uNot DefinedN(R(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_seconds_to_minutes.scK@s|dk	r|dSdSdS(u7
        converts number of minutes to seconds
        i<uNot DefinedN(R(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_minutes_to_seconds8scK@s|jdd�S(u-
        strips quotes from a string
        u"u(treplace(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt
_strip_quotesBscK@s
dj|�S(u.
        add quotes around the string
        u"{0}"(tformat(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_add_quotesIscK@siyP|dk	rKt|�dkr%dSt|�dkr;dSdj|�SndSWntk
rddSXdS(	u;
        converts a binary 0/1 to Disabled/Enabled
        iuDisablediuEnableduInvalid Value: {0!r}uNot Definedu
Invalid ValueN(RtordRPt	TypeError(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt*_binary_enable_zero_disable_one_conversionPs
cK@sS|dk	rK|j�dkr(td�S|j�dkrDtd�SdSndSdS(uZ
        converts Enabled/Disabled to unicode char to write to a REG_BINARY value
        uDISABLEDiuENABLEDiN(RtupperR=(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt2_binary_enable_zero_disable_one_reverse_conversionbs

cK@s{|dk	rs|dks0|dks0|dkr4dS|dksL|dkrPdS|dksh|d	krld
SdSndSdS(
u1
        converts 0/1/2 for dasd reg key
        u0iuuAdministratorsu1iuAdministrators and Power Usersu2iu$Administrators and Interactive UsersuNot DefinedN(R(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_dasd_conversionqs$cK@ss|dk	rk|j�dkr"dS|j�dkr8dS|j�dkrNdS|j�dkrddSd	Snd
SdS(uA
        converts DASD String values to the reg_sz value
        uADMINISTRATORSu0uADMINISTRATORS AND POWER USERSu1u$ADMINISTRATORS AND INTERACTIVE USERSu2uNOT DEFINEDu9999u
Invalid ValueuNot DefinedN(RRU(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_dasd_reverse_conversion�scK@s�|jdd�}|jdd�}|jdd�}t|tj�r�|j�dkr^tSyt|�}Wq�tk
r�tSXn|dk	r�||ko�|kns�||kr�tStSntSdS(u�
        checks that a value is in an inclusive range
        The value for 0 used by Max Password Age is actually 0xffffffff
        uminiumaxiu
zero_valueunot definedN(
RHt
isinstanceRtstring_typestlowerRtintt
ValueErrorRR(RDRERFtminimumtmaximumRI((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_in_range_inclusive�s
(cK@s�tjd|�|d
k	r�|jd�}t|�dkr�|ddkrQdS|ddkredS|dd	kryd
S|ddkr�dSdSq�dSndSd
S(u}
        converts the binary value in the registry for driver signing into the
        correct string representation
        u'we have %s for the driver signing valueu,iiu0uSilently Succeedu1uWarn but allow installationu2uDo not allow installationuNot Definedu
Invalid ValueN(tlogtdebugRtsplittlen(RDRERFt_val((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_driver_signing_reg_conversion�scK@s�|dk	r�|j�dkr1djddg�S|j�dkr\djdtd�g�S|j�dkr�djdtd�g�Sd	Snd
SdS(um
        converts the string value seen in the GUI to the correct registry value
        for secedit
        uSILENTLY SUCCEEDu,u3u0uWARN BUT ALLOW INSTALLATIONiuDO NOT ALLOW INSTALLATIONiu
Invalid ValueuNot DefinedN(RRUR:R=(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt&_driver_signing_reg_reverse_conversion�scK@s�t|tj�r$|jd�}ng}x�|D]�}yPtjd|�}|drsdj|d|d�}ndj|d�}Wn0tk
r�tj|�}t	j
d|�nX|j|�q1W|S(uL
        converts a list of pysid objects to string representations
        u,uiu{1}\{0}iu{0}uhUnable to convert SID "%s" to a friendly name.  The SID will be disaplayed instead of a user/group name.(RYRRZRct
win32securitytLookupAccountSidRPt	ExceptiontConvertSidToStringSidRatwarningtappend(RDRERFt	usernamest_sidtuserSid((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_sidConversion�s


cK@s�|s
|St|tj�r.|jd�}ng}xp|D]h}y'tjd|�d}|j|�Wq;tk
r�}tj	d�t
dj||���q;Xq;W|S(u=
        converts a list of usernames to sid objects
        u,uiuHandle this explicitlyuGThere was an error obtaining the SID of user "{0}". Error returned: {1}(RYRRZRcRhtLookupAccountNameRmRjRat	exceptionRRP(RDRERFtsidst_usertsidte((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_usernamesToSidObjects�s

cK@sTtjd|�|d	ks(|dkr,dS|dkr<dS|dkrLdSdSd	S(
u|
        converts true/false/None to the GUI representation of the powershell
        startup/shutdown script order
        uscript order value = %suNoneuNot Configuredutrueu$Run Windows PowerShell scripts firstufalseu#Run Windows PowerShell scripts lastu
Invalid ValueN(RaRbR(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt#_powershell_script_order_conversionscK@sP|j�dj�krdS|j�dj�kr8dS|dkrHdSdSdS(uc
        converts powershell script GUI strings representations to
        True/False/None
        u$Run Windows PowerShell scripts firstutrueu#Run Windows PowerShell scripts lastufalseuNot Configuredu
Invalid ValueN(RUR(RDRERF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt+_powershell_script_order_reverse_conversionscK@s�tjd|�|jdt�}d|kr�x�tj|d�D]�\}}|r�tj|�j�tj|�j�kr�tjd|�|SqBtj|�j�tj|�j�krBtjd|�|SqBWndS(u�
        Retrieves the key or value from a dict based on the item
        kwarg lookup dict to search for item
        kwarg value_lookup bool to determine if item should be compared to keys
        or values
        u
item == %suvalue_lookupulookupureturning key %sureturning value %su
Invalid Value(RaRbRHRRt	iteritemst	text_typeR[(RDtitemRFtvalue_lookuptktv((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_dict_lookup*s **c
K@sb|jdt�}|jdt�}d}t|�j�dkrFdS|rht|t�s_dSd}nt|tj�s~dSg}d|krZx�tj	|d�D]�\}}|r�tj
|�j�g|D]}|j�^q�krS||}qSq�t}	|s|dkrt}	qn|	r�t|t�r�||@|kr�|j
|�q�q�WndS|S(uY
        kwarg value_lookup bool to determine if item_list should be compared to keys
        or values

        kwarg test_zero is used to determine if 0 should be tested when value_lookup is false
        lookup should be a dict with integers for keys

        if value_lookup is True, item is expected to be a list
            the function will return the sum of the keys whose values are in the item list
        if value_lookup is False, item is expected to be an integer
            the function will return the values for the keys
            which successfully "bitwise and" with item
        uvalue_lookupu	test_zerounot definedu
Invalid ValueiulookupN(RHRRtstrR[RYtlistRt
integer_typesR{R|RR\Rm(
RDR}RFR~t	test_zerotret_valRR�tztdo_test((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_dict_lookup_bitwise_add@s2	 4%cK@sSt|t�r|St|tj�rK|j�dkr;dS|jd�SndSdS(uO
        transform for a REG_MULTI_SZ to properly handle "Not Defined"
        unot definedu,u
Invalid ValueN(RYR�RRZR[RRc(RDR}RF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_multi_string_put_transformlscK@s3t|tj�r/|j�dkr(dS|SndS(uI
        transfrom for a REG_SZ to properly handle "Not Defined"
        unot definedN(RYRRZR[R(RDR}RF((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_string_put_transform{s(t__name__t
__module__t__doc__RCtclassmethodRGRJRKRLRMRORQRTRVRWRXR`RfRgRqRxRyRzR�R�R�R�(((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyR
�sN�	����������������




,cC@s0tjjj�stdfSts,tdfStS(u'
    Only works on Windows systems
    uwin_lgpo: Not a Windows Systemu)win_lgpo: Required modules failed to load(tsalttutilstplatformt
is_windowsRtHAS_WINDOWS_MODULESt__virtualname__(((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt__virtual__�s


cC@s�d}|jjd�}|dkr8|j|d}n	|j}dj||�|_x�|j�D]t}t|jtj�rcd}|jjd�}|dkr�|j|d}n	|j}dj||�|_qcqcW|S(uI
    helper function to recursively update the namespaces of an item
    uu}iiu
{{{0}}}{1}(ttagtfindRPtgetiteratorRYRRZ(R}t
new_namespacet	temp_itemtitchild((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_updateNamespace�s		cC@sLxE|j�D]7}d|jkr
d|jkrD||jd<qDq
q
W|S(u�
    helper function to add the reg key to each policies element definitions if
    the key attribute is not defined to make xpath searching easier for each
    child in the policy <elements> item
    u	valueNameukey(R�tattrib(tpolicy_itemtregkeyR�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_updatePolicyElements�s
cC@sptjjj|d��}|j�}WdQXtjdd|jd�dd�}tj	j
tj|��}|S(u�
    attempts to remove the "encoding='unicode'" from an xml file
    as lxml does not support that on a windows node currently
    see issue #38100
    urbNu encoding=[\'"]+unicode[\'"]+uuutf-16tcounti(
R�R�tfilestfopentreadtretsubtdecodetlxmlRtparseRtStringIO(txml_filetftxml_contenttmodified_xmltxmltree((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_remove_unicode_encoding�s
$uc:\Windows\PolicyDefinitionsuen-USc#C@st}tjjd�}|jtjjd��|jtjjd��|jtjjd��tjjd�}tjd�}tjd�}tjd�}tjd	�}tjd
�}	x%tjjj	|�D]\}
}}|
|kr�x�|D]�}
t
jj|
|
�}tjjdt
�}ytjj|d|�}Wn[tjjk
r�yt|�}Wq�tk
r�tjd
�tjd|�q�q�XnX|j�j}d}d%|kr�|d%|d<|jd%�d}n|jdj|�d|�d}|jdj|�d|�d}|jdj|�d|�}x:|D]2}|}t||�}||�dj|�qPW|jdj|�d|�}x�|D]x}|}t||�}d|jkrt||jd�}|jdt|jdj�<n||�dj|�q�W|jdj|�d|�}x:|D]2}|}t||�}||�dj|�qLWt
jj|
|t
jj |
�dd�}t!d|�s�tj"d||
�t
jj|
|j#d�dt
jj |
�dd�}t!d|�s�tj"d|d |
�t
jj|
|t
jj |
�dd�}t!d|�s�tj"d ||
�t
jj|
|j#d�dt
jj |
�dd�}t!d|�s�d!}t$|j|||
���q�q�q�nytjj|�}Wn[tjjk
riyt|�}Wqjtk
retjd
�tjd"|�q�qjXnXd%|kr�|d%|d<|jd%�n||�} x:| D]2}!|!}"t|"|�}"|	|�dj|"�q�Wq�Wq�q�W|t%d#<|t%d$<d%S(&u�
    helper function to process all ADMX files in the specified policy_def_path
    and build a single XML doc that we can search/use for ADMX policy processing
    upolicyDefinitionsu
categoriesupoliciesupolicyNamespacesupolicyDefinitionResourcesu/policyDefinitions/policiesu/policyDefinitions/categoriesu#/policyDefinitions/policyNamespacesu1//*[local-name() = "policyDefinitionResources"]/*u/policyDefinitionResourcestremove_commentstparseruHandle this explicitlyupA error was found while processing admx file %s, all policies from this file will be unavailable via this moduleuuNoneuNone:u;/{0}policyDefinitions/{0}policyNamespaces/{0}target/@prefixt
namespacesiu>/{0}policyDefinitions/{0}policyNamespaces/{0}target/@namespaceu//{0}policyDefinitions/{0}categories/{0}categoryu+/{0}policyDefinitions/{0}policies/{0}policyukeyu./{0}policyDefinitions/{0}policyNamespaces/{0}*u.admlufile.file_existsu�An ADML file in the specified ADML language "%s" does not exist for the ADMX "%s", the the abbreviated language code will be tried.u-uzAn ADML file in the specified ADML language code %s does not exist for the ADMX "%s", the fallback language will be tried.iu�An ADML file in the specified ADML fallback language "%s" does not exist for the ADMX "%s" the abbreviated fallback language code will be tried.urAn ADML file in the specified ADML language "{0}" and the fallback language "{1}" do not exist for the ADMX "{2}".u}An error was found while processing adml file %s, all policy language data from this file will be unavailable via this moduleulgpo.policy_definitionsulgpo.policy_resourcesN(&tINSTALL_LANGUAGER�RtElementRmtXPathR�R�R9tos_walkR8R:t	XMLParserRR�tXMLSyntaxErrorR�RjRaRsterrortgetroottnsmapRtpoptxpathRPR�R�R�tadm_policy_key_mapR[tsplitextt__salt__tinfoRcRt__context__(#R9tlanguagetdisplay_language_fallbacktt_policy_definitionstt_policy_definition_resourcestpolicydefs_policies_xpathtpolicydefs_categories_xpathtpolicydefs_policyns_xpatht$policydefs_resources_localname_xpathtpolicydef_resources_xpathtroottdirsR�t	t_admfiletadmfileR�R�R�tnamespace_stringtthis_prefixtthis_namespacet
categoriestcategoryttemp_catR>tpolicyttemp_poltpolicy_namespacest	policy_nsttemp_nst	adml_filetmsgtpolicydefs_resourcestpolicydefs_resourcett_poldef((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_load_policy_definitions�s�				%


	
	

	
	
!	
		
				
	

	
&
cC@s7dtkr/tjd�td|d|�ntdS(Nulgpo.policy_definitionsu LGPO: Loading policy definitionsR9R�(R�RaRbR�(R9R�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_get_policy_definitionsXs
cC@s7dtkr/tjd�td|d|�ntdS(Nulgpo.policy_resourcesuLGPO: Loading policy resourcesR9R�(R�RaRbR�(R9R�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_get_policy_resources`s
cC@s3i}x&|D]}|jd||jd<q
W|S(u3
    build a namespace map for an ADMX element
    u	namespaceuprefix(R�(tusing_elementstthisMapRw((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_buildElementNsmaphs
cC@sdtkr�tjd�td�}tj|�}i|jd6}x�|D]�}d|d<|d|d<|dd	kr�d
|d<nQ|ddkr�d|d<n4|dd
kr�d|d<ndj|d�|d<|||d<qLW|td<n|r	td|StdSdS(u
    Loads audit.csv defaults into a dict in __context__ called
    'lgpo.audit_defaults'. The dictionary includes fieldnames and all
    configurable policies as keys. The values are used to create/modify the
    ``audit.csv`` file. The first entry is `fieldnames` used to create the
    header for the csv file. The rest of the entries are the audit policy names.
    Sample data follows:

    {
        'fieldnames': ['Machine Name',
                       'Policy Target',
                       'Subcategory',
                       'Subcategory GUID',
                       'Inclusion Setting',
                       'Exclusion Setting',
                       'Setting Value'],
        'Audit Sensitive Privilege Use': {'Auditpol Name': 'Sensitive Privilege Use',
                                          'Exclusion Setting': '',
                                          'Inclusion Setting': 'No Auditing',
                                          'Machine Name': 'WIN-8FGT3E045SE',
                                          'Policy Target': 'System',
                                          'Setting Value': '0',
                                          'Subcategory': u'Audit Sensitive Privilege Use',
                                          'Subcategory GUID': '{0CCE9228-69AE-11D9-BED3-505054503030}'},
        'Audit Special Logon': {'Auditpol Name': 'Special Logon',
                                'Exclusion Setting': '',
                                'Inclusion Setting': 'No Auditing',
                                'Machine Name': 'WIN-8FGT3E045SE',
                                'Policy Target': 'System',
                                'Setting Value': '0',
                                'Subcategory': u'Audit Special Logon',
                                'Subcategory GUID': '{0CCE921B-69AE-11D9-BED3-505054503030}'},
        'Audit System Integrity': {'Auditpol Name': 'System Integrity',
                                   'Exclusion Setting': '',
                                   'Inclusion Setting': 'No Auditing',
                                   'Machine Name': 'WIN-8FGT3E045SE',
                                   'Policy Target': 'System',
                                   'Setting Value': '0',
                                   'Subcategory': u'Audit System Integrity',
                                   'Subcategory GUID': '{0CCE9212-69AE-11D9-BED3-505054503030}'},
        ...
    }

    .. note::
        `Auditpol Name` designates the value to use when setting the value with
        the auditpol command

    Args:
        option (str): The item from the dictionary to return. If ``None`` the
            entire dictionary is returned. Default is ``None``

    Returns:
        dict: If ``None`` or one of the audit settings is passed
        list: If ``fieldnames`` is passed
    ulgpo.audit_defaultsu*Loading auditpol defaults into __context__uauditpol.get_auditpol_dumpu
fieldnamesuuMachine NameuSubcategoryu
Auditpol NameuCentral Policy Stagingu#Audit Central Access Policy StaginguPlug and Play EventsuAudit PNP ActivityuToken Right Adjusted EventsuAudit Token Right Adjustedu	Audit {0}N(R�RaRbt	__utils__tcsvt
DictReadert
fieldnamesRP(toptiontdumptreadertaudit_defaultstrow((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_get_audit_defaultsrs(8







c	
C@sUdtkrAtjjdd�}tjj|ddd�}tjj|ddd	d
ddd�}td
|�s�td
|�r�td||�q�td�}td|�td|dj|��ni}tj	j
j|dd��C}tj
|�}x*|D]"}|ji|d|d6�qWWdQX|td<ntdj|d�S(u
    Get the Advanced Auditing policy as configured in
    ``C:\Windows\Security\Audit\audit.csv``

    Args:
        option (str): The name of the setting as it appears in audit.csv

    Returns:
        bool: ``True`` if successful, otherwise ``False``
    ulgpo.adv_audit_datau
SystemRootu
C:\Windowsusecurityuauditu	audit.csvuSystem32uGroupPolicyuMachineu	Microsoftu
Windows NTuAuditufile.file_existsu	file.copyu
fieldnamesu
file.makedirsu
file.writeu,tmodeuru
Setting ValueuSubcategoryN(R�R8tenvironRHR9R:R�R�R�R�R�R�R�R�tupdateR(	R�tsystem_roottf_audittf_audit_gpotfield_namestaudit_settingstcsv_fileR�R�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_findOptionValueAdvAudit�s(	
 
c
C@s�tjjdd�}tjj|ddd�}tjj|dddd	d
dd�}tjdd
dtdddd�}idd6dd6dd6dd6dd6}ztj	j
j|dd���}tj
|�}tj	j
j|jdd
��b}	tj|	d|j�}
|
j�t}x�|D]�}|d|kr�|dks�|||d<||d<tjd j||��|
j|�ntjd!j|��t}q$|
j|�q$W|sP|dksGtjd j||��t|�}
|
ji|
d"d"6|
d#d#6|
dd6|
d$d$6||d6|
d%d%6|d6�nt}nWd&QXWd&QX|r�td'|j|d(t�td)|�td'|j|d(t�nWd&|j�td*|j�X|S(+u�
    Helper function that sets the Advanced Audit settings in the two .csv files
    on Windows. Those files are located at:
    C:\Windows\Security\Audit\audit.csv
    C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv

    Args:
        option (str): The name of the option to set
        value (str): The value to set. ['None', '0', '1', '2', '3']

    Returns:
        bool: ``True`` if successful, otherwise ``False``
    u
SystemRootu
C:\Windowsusecurityuauditu	audit.csvuSystem32uGroupPolicyuMachineu	Microsoftu
Windows NTuAuditR�uwtdeletetsuffixu.csvtprefixuNo AuditinguNoneu0uSuccessu1uFailureu2uSuccess and Failureu3urR�uSubcategoryuInclusion Settingu
Setting ValueuLGPO: Setting {0} to {1}uLGPO: Removing {0}uMachine Nameu
Policy TargetuSubcategory GUIDuExclusion SettingNu	file.copytremove_existingu
file.makedirsufile.remove(R8R�RHR9R:ttempfiletNamedTemporaryFileRR�R�R�R�R�R�tnamet
DictWriterR�twriteheaderRaRbRPtwriterowRR�R�tclose(R�tvalueR�R�R�tf_temptauditpol_valuesR�R�ttmp_filetwritert
value_writtenR�tdefaults((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_set_audit_file_data�sf		

!



	
	!
cC@sTidd6dd6dd6dd6dd	6}t|�}td
d|dd
||�S(u�
    Helper function that updates the current applied settings to match what has
    just been set in the audit.csv files. We're doing it this way instead of
    running `gpupdate`

    Args:
        option (str): The name of the option to set
        value (str): The value to set. ['None', '0', '1', '2', '3']

    Returns:
        bool: ``True`` if successful, otherwise ``False``
    uNo AuditinguNoneu0uSuccessu1uFailureu2uSuccess and Failureu3uauditpol.set_settingRu
Auditpol NameR(R�R�(R�RR
R((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_set_auditpol_dataTs



cC@s�td|d|�s-tdj|���ntd|d|�s[tjdj|��n|dkr�tjdj|��tdj|�n'tjdj||��|td|<t	S(	u]
    Helper function to update the Advanced Audit policy on the machine. This
    function modifies the two ``audit.csv`` files in the following locations:

    C:\Windows\Security\Audit\audit.csv
    C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv

    Then it applies those settings using ``auditpol``

    After that, it updates ``__context__`` with the new setting

    Args:
        option (str): The name of the option to set
        value (str): The value to set. ['None', '0', '1', '2', '3']

    Returns:
        bool: ``True`` if successful, otherwise ``False``
    R�Ru#Failed to set audit.csv option: {0}u"Failed to apply audit setting: {0}u'LGPO: Removing Advanced Audit data: {0}ulgpo.adv_audit_datau,LGPO: Updating Advanced Audit data: {0}: {1}N(
RRRPRRaRbRR�R�R(R�R((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_setOptionValueAdvAuditls	
cC@s�dtkritd<n|tdkrxtjdj|��tjjjd|dd�}tdji||6�ntjdjtd||��td||S(Nulgpo.netsh_datau(LGPO: Loading netsh data for {0} profiletprofiletstoreulgpou LGPO: netsh returning value: {0}(	R�RaRbRPR�R�twin_lgpo_netshtget_all_settingsR�(RR�tsettings((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_findOptionValueNetSH�s
	c	C@s�|dkr$tdj|���ntjdj||||��|dkr�tjjjd|d|d	krv|ndd
|dkr�|nddd
�n|dkr�tjjj	d|d|d|dd
�n|dkrtjjj
d|d|dd
�n|dkr}|dkr6|dkr6d}q6n|jd�rR|d}ntjjjd|d|d|dd
�ntjdj|��t
dj|�tS(NufirewallpolicyusettingsuloggingustateuLGPO: Invalid section: {0}uLLGPO: Setting the following
Profile: {0}
Section: {1}
Option: {2}
Value: {3}RtinbounduInboundtoutbounduOutboundRulgpotsettingRtstateuFileNameuMaxFileSizeuNot configuredu
notconfigureduLogiu)LGPO: Clearing netsh data for {0} profileulgpo.netsh_data(ufirewallpolicyusettingsuloggingustate(uFileNameuMaxFileSize(R]RPRaRbR�R�Rtset_firewall_settingsRtset_settingst	set_statet
startswithtset_logging_settingsR�R�R(RtsectionR�R((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_setOptionValueNetSH�s6

cC@s�zntjjtddjt��}tdddd|g�tj|dd��}|j	�}Wd	QX|SWd	td
|�r�td|�nXd	S(u�
    Helper function that loads secedit data. It runs `secedit /export /cfg
    <file_name>` which creates a file that contains the secedit data.

    Returns:
        str: The contents of the file generated by the secedit command
    ucachedirusecedit-{0}.txtucmd.runuseceditu/exportu/cfgtencodinguutf-16Nufile.file_existsufile.remove(
R8R9R:t__opts__RPtUUIDR�tiotopent	readlines(tf_exptfptsecedit_data((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_load_secedit_data�scC@s1dtkr)tjd�t�td<ntdS(u�
    Helper function that returns the secedit data in __context__ if it exists
    and puts the secedit data in __context__ if it does not.

    Returns:
        str: secedit data from __context__
    ulgpo.secedit_datauLGPO: Loading secedit data(R�RaRbR,(((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_get_secedit_data�s
cC@sDt�}x4|D],}|j|�r|jd�dj�SqWdS(uN
    Helper function that looks for the passed option in the secedit data
    u=iuNot Defined(R-RRctstrip(R�R+t_line((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_get_secedit_value�s
	
cC@s�tjjtddjt��}tjjtddjt��}z^td||�ddd|d|g}td	|�}|d
kr�tjd�t	St
SWdtd
|�r�td|�ntd
|�r�td|�nXdS(u?
    Helper function to write secedit data to the database
    ucachedirusecedit-{0}.sdbusecedit-{0}.infu
file.writeuseceditu
/configureu/dbu/cfgucmd.retcodeiulgpo.secedit_dataNufile.file_existsufile.remove(R8R9R:R$RPR%R�R�R�RR(tinf_datatf_sdbtf_inftcmdtretcode((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_write_secedit_data�s""
cC@s�i}d|kry||dkrrt�}|d|dkrT|d|d}nt||d|�||�S|Sn#d|kr�|dkr�dSn|SdS(u�
    helper function to transform the policy value into something that more
    closely matches how the policy is displayed in the gpedit GUI
    u	TransformuArgsuRegistryu(value not set)uNot DefinedN(R
tgetattr(RR�ttransform_typett_kwargst_policydata((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_transform_values	cC@s�tjdj||��d|kr�|dr�t|dt�rY||dkr�tSq�t|dt�r�t�}t||dd�||dd�s�tSq�q�nt	St	S(u�
    helper function to validate specified value is appropriate for the policy
    if the 'Settings' key is a list, the value will check that it is in the list
    if the 'Settings' key is a dict we will try to execute the function name
        from the 'Function' key, passing the value and additional arguments from
        the 'Args' dict
    if the 'Settings' key is None, we won't do any validation and just return
        True
    if the Policy has 'Children', we'll validate their settings too
    uvalidating {0} for policy {1}uSettingsuFunctionuArgs(
RaRbRPRYR�RtdictR
R7R(RR�R:((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_validateSetting$s
	(
cC@soyD|r?tjdtj�}|g}tj|||�}ntSWn$tk
rj}tjd|�t	SXdS(u;
    helper function to add an account right to a user
    u7Error attempting to add account right, exception was %sN(
Rht
LsaOpenPolicyRtPOLICY_ALL_ACCESStLsaAddAccountRightsRRjRaRsR(t	sidObjectt
user_rightt
_polHandletuser_rights_listt_retRw((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_addAccountRights?s		cC@sfy>tjdtj�}|g}tj||t|�}tSWn!tk
ra}tj	d�tSXdS(u@
    helper function to remove an account right from a user
    u(Error attempting to delete account rightN(
RhR>RR?tLsaRemoveAccountRightsRRRjRaRs(RARBRCRDRERw((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_delAccountRightsPs	
cC@s1g}tjdtj�}tj||�}|S(uI
    helper function to return all the user rights assignments/users
    N(RhR>RR?t!LsaEnumerateAccountsWithUserRight(RBRtt	polHandle((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_getRightsAssignments^scC@s�|jd�r�|jd�r�tjdd|�}|jd�}|d}|d}t|d|d	|�}|r�x|D]
}|jSWq�nd
S(u/
    helper function to take the 'displayName' attribute of an element and find
    the value from the ADML data

    adml_xml_data :: XML data of all ADML files to search
    display_name :: the value of the displayName attribute from the ADMX entry
                    to search the ADML data for
    u$(u)u(^\$\(|\)$)uu.iitdisplayNameTypet
displayNameIdN(RtendswithR�R�RctADML_DISPLAY_NAME_XPATHttextR(t
adml_xml_datatdisplay_nametdisplayname_typetdisplayname_idtsearch_resultstresult((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_getAdmlDisplayNamehs	

		
c
C@s8|jdj|��}d}|r4x
|D]}tj|j�j}t|�}|rA|d}t|�rAx�|j�D]�}||kr�Pq{tj|j�jdkr|r�dj	d�|t
|dd�j�fD��}qt
|dd�rt
|dd�j�nd}q{d}q{W|jd�r>d}q>qAn|dksY|d	kr�|jd
�}x�|D]3}	|	j
ro|d|	j
j�jd�j�SqoWq+|dks�|d
ks�|dks�|dks�|dks�|dks�|dkr+|j
r-|d|j
j�jd�j�Sq+q+WndS(uP
    helper function to check for a presentation label for a policy element
    u'//*[@*[local-name() = "refId"] = "{0}"]uiutextu cs@s|]}|r|VqdS(N((t.0RP((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pys	<genexpr>�su.utextBoxucomboBoxu.//*[local-name() = "label"]u:udecimalTextBoxulongDecimalTextBoxudropdownListulistBoxucheckBoxumultiTextBoxN(R�RPRtQNameR�t	localnametPRESENTATION_ANCESTOR_XPATHtTEXT_ELEMENT_XPATHtgetchildrenR:R7trstripRNRPtlstripR(
t	adml_datatref_idRUtprepended_textRVt
the_localnametpresentation_elementtp_itemtlabel_itemst
label_item((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_getAdmlPresentationRefId�sF

43

	+	.cC@s�|t|krt||Std|�}|rvd|jkrvt||jd�}|r�|t||<|}q�nK|r�d|jkr�t||jd�}|r�|t||<|}q�n|jd�j�}|S(uD
    helper function to retrieve the full policy name if needed
    R�udisplayNameuidu:(tadm_policy_name_mapR�R�RWRhR^(R�tpolicy_nametreturn_full_policy_namest
adml_languageR`tfullPolicyName((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_getFullPolicyName�scC@s8|r4|r4tj||tj�}|r1tSq4ntS(u�
    helper function to do a search of Policy data from a registry.pol file
    returns True if the regex search_string is found, otherwise False
    (R�tsearcht
IGNORECASERR(t
search_stringtpolicy_datatmatch((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_regexSearchRegPolData�s
cC@s�d}g}djd�}|r*i}n|r�t�}t|j|��dkr�|jt|j|�djd��}nd}tj	|�}tj
||tj�}g|D]}	|	^q�}|r�x�|D]�}
||
j�|j
djd�|
j��!j|�}t|�dkrG|djd�jtd��}nt|�d	krN|d
}|dks{|dkr�|r�|dkr�xUtjd
|�D]}
|
}q�Wq�|dkr�x#tjd|�D]}
|
}q�Wq�qKd}qN|dkr-|jd�jtd��jtd��}qN|jd�jtd��}n|rntjd�|||<q�t|�dkr�tjd�|j|�q�q�Wq�n|r�|}n|S(u�
    helper function to do a search of Policy data from a registry.pol file
    returns the "data" field
    https://msdn.microsoft.com/en-us/library/aa374407(VS.85).aspx
    [key;value;type;size;data]
    u;u	utf-16-leiiu	utf-32-leu]iiiiu	REG_DWORDu	REG_QWORDtItQuREG_MULTI_SZu!we want value names and the valueu/we have multiple matches, we will return a listN(RtencodeR	RdRct
vtype_reverseRRR�R�tescapetfinditerRptstarttindextendR^R=tstructtunpackRaRbRm(RqRrtreturn_value_nameRtvaluestencoded_semicolontregistrytvtypetmatchestmRst	pol_entryt	valueNameR�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_getDataFromRegPolData�sV		,
	%

	0!


	c	C@s�d}tj|�}g}xc||�D]U}	d}
d}x|	j�D]�}|d}d|jkrv|jd}
n|}
d|jkr�|jd}n)tjdtj|	�j|j|j�Px}||�D]o}t||
|||�}|r3t	t
j|�|�r@|
d}
tjd|
||�q@q�|j
|�q�WqGW|r(|dkr}||
kr}tjd|�tSq(q(W|r�tS|Sd	S(
u�
    helper function to process an enabled/disabled/true/falseList set

    if test_items is True, it will determine if the policy is enabled or
    disabled returning True if all items are configured in the registry.pol file
    and false if they are not

    if test_items is False, the expected strings for the items will be returned
    as a list

    returns True if the enabled/disabledList is 100% configured in the
    registry.pol file, otherwise returns False
    ut.//*[local-name() = "decimal" or local-name() = "delete" or local-name() = "longDecimal" or local-name() = "string"]iiukeyu	valueNameuX%s item with attributes %s in policy %s does not have the required "valueName" attributeucfound the search string in the pol file,%s of %s items for policy %s are configured in registry.polu%s all items are setN(RR�R]R�RaR�RYRZt_processValueItemRtR�RyRbRmRR(tpolicy_elementRjt
policy_keytxpath_objecttpolicy_file_datat
test_itemstxpath_stringtvalue_item_child_xpathtexpected_stringstlist_elementtconfigured_itemstrequired_itemsR}titem_keytitem_valuenamet
value_itemRq((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_checkListItem
sJ
		
	
c
C@s�x||�D]q}xh|j�D]Z}	t|	||||d|�}
|sN|
Sttj|
�|�r tjd|�tSq Wq
WtS(uR
    helper function to process the parent of a value item object
    if test_item is True, it will determine if the policy is enabled/disabled
    returns True if the value is configured in the registry.pol file, otherwise returns False

    if test_item is False, the expected search string will be returned

    value type parents:
        boolean: https://msdn.microsoft.com/en-us/library/dn606009(v=vs.85).aspx
        enabledValue: https://msdn.microsoft.com/en-us/library/dn606006(v=vs.85).aspx
        disabledValue: https://msdn.microsoft.com/en-us/library/dn606001(v=vs.85).aspx

    t
check_deletedu9found the search string in the pol file, %s is configured(	R]R�RtR�RyRaRbRR(R�RjR�tpolicy_valueNameR�R�R�t	test_itemtelementR�Rq((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_checkValueItemParentGs		cC@s~td�jd�}|dkr%|St|tj�s^tdjt|�t	|����ndj
|jd�|g�SdS(Niu	utf-16-leu(Value {0} is not a string type
Type: {1}t(R=RwRRYRRZRSRPtreprttypeR:(Rtencoded_null((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_encode_stringhs	c
C@st�}d}d}djd�}td�jd�}	|rQ|jd�}n|ri|jd�}n|r�|r�|dkr�tjdt|��}q�|dkr�tjdt|��}q�|d	kr�t|�}q�n|r�d	}djd
jd�||	|djd�||	|t|j	|�jd�|t
jtd
j
td��jd���jd�|djd�|	djd�g�}nvdjd
jd�||	|||	|t|j	|�jd�|t
jt|��jd�||djd�g
�}|S(us
    helper function similar to _processValueItem to build a search string for a
    known key/value/type/data
    R�u;u	utf-16-leiu	REG_DWORDRuu	REG_QWORDRvuREG_SZu[u**del.u	utf-32-leu {0}u u]N(R	RRwR=R~tpackR\R�R:R�RtunichrRdRP(
treg_keyt
reg_valueNamet	reg_vtypetreg_dataR�R�tthis_element_valuetexpected_stringR�R�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_buildKnownDataSearchStringts^	
3cC@st�}d-}d}	djd�}
td�jd�}|rQ|jd�}n|ri|jd�}ntj|�jdkrtj|�jdkrd}	d|jkr�tj	d	t
|jd��}q�	tjd
tj|�jtj|�j|j|j�d-Sn�tj|�jdkr�tj|�jdkr�d}	d|jkrutj	d
t
|jd��}q�	tjd
tj|�jtj|�j|j|j�d-Sntj|�jdkr�d}	t
|j�}n�tj|�jdkr�	t}tj|�jdkrX|tkr.t}n|s=d}	ntj	dd�}t}n�tj|�jdkrd}	|}
|d-k	r�tj	d	t
|��}nd|jkr�|jdj�dkr�d}	|
d-k	r�tj|
�jd�}q�q�n|r�d}	q�n�tj|�jdkr�d}	|}
|d-k	r[tj	d
t
|��}nd|jkr�|jdj�dkr�d}	|
d-k	r�tj|
�jd�}q�q�q�n8tj|�jdkrd}	d|jkr|jdj�dkrd}	qnt
|�}n�tj|�jdkr}|s>dnd}	|d-k	r�djtd�j|�td��}q�nttj|�jdkr�t}d}g}|}|d-k	r�tgtdt|�d�D]}t|�^q��}nd|jkr�|jdj�dkr�djdjd�|||
djd�||
t|j|	�jd �|
tjtd!jtd��jd���jd �|
d"jd�|d#jd�g�}q�nd|jkr�d}	n|jjd$d�j�dkrZ|d-k	r�g|j�D]}t|�^q}g|j�D]}t|�^q<}q�n�d%|jkr�|jd%d&kr�|d-k	r�g|D]}d'j|jd%|�^q�}q�q�n.|d-k	r�g|D]}t|�^q�}n|s!|d-k	r�tjd(|�|}tjd)||�x�t |�D]�\}}|djdjd�|||
||jd�||
t|j|	�jd �|
tjtd'j||td��jd���jd �|
t
||�d#jd�g
�}q3Wq�|djdjd�|||
g�}q�djdjd�|||
djd�||
t|j|	�jd �|
tjtd!jtd��jd���jd �|
d"jd�|d#jd�g�}n*tj|�jd*kr�|d-k	r�q�n|r�	|r�	|d-k	r�	djdjd�|||
|||
t|j|	�jd �|
tjt|��jd �|
|d#jd�g
�}q�	djdjd�|||
|||
t|j|	�jd �|
g	�}q�	n|stj|�jd+ks�	|r�
djdjd�|||
d,jd�|||
t|j|	�jd �|
tjtd!jtd��jd���jd �|
d"jd�|d#jd�g�}qdjdjd�|||
|||
t|j|	�jd �|
tjt|��jd �|
|d#jd�g
�}n|S(.uc
    helper function to process a value type item and generate the expected
    string in the Registry.pol file

    element - the element to process
    reg_key - the registry key associated with the element (some inherit from
              their parent policy)
    reg_valuename - the registry valueName associated with the element (some
                    inherit from their parent policy)
    policy - the parent policy element
    parent_element - the parent element (primarily passed in to differentiate
                     children of "elements" objects
    check_deleted - if the returned expected string should be for a deleted
                    value
    this_element_value - a specific value to place into the expected string
                         returned for "elements" children whose values are
                         specified by the user
    uREG_SZu;u	utf-16-leiudecimaluelementsu	REG_DWORDuvalueRuu�The %s child %s element for the policy with attributes: %s does not have the required "value" attribute. The element attributes are: %sulongDecimalu	REG_QWORDRvustringubooleanuIiustoreAsTextutrueutextu
expandableu
REG_EXPAND_SZu	multiTextuREG_MULTI_SZu	{0}{1}{1}ulistR�uadditiveufalseu[u
**delvals.u	utf-32-leu {0}u u]u
explicitValueuvaluePrefixuu{0}{1}u5_processValueItem has an explicit element_value of %su1element_valuenames == %s and element_values == %suenumudeleteu**del.N(!R	RRwR=RRYRZR�R~R�R\RaR�R�RPRRR[RR|RPR:R�RRdR�R�R�RHR<R�Rbt	enumerate(R�R�t
reg_valuenameR�tparent_elementR�R�R�R�t
this_vtypeR�R�t standard_element_expected_stringt
requested_valtdel_keystelement_valuenamestelement_valuesR�RR�R�R}((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyR��s�	0"	
0"	
			!$-;3	!%+2"		
$
3
3c6C@stjd|�t�}t|j|d�}g}i}i}	i}
td|�}td|�}|r�tjdj|��tj	t
jjj
djtd���dtj	t
jjj
djtd���dtj	tj|jjd	��d|���jd
jd	��}
tjdt|
��tj�}x?|
D]7}|jdjtd��jd	��djd	�j�}|rA|tkr�t|d
t|�}tjdt|��n8t|d
|�}tjd|�tjdt|��x{|D]p}tj|�jdkr>||krq|j|�qqqx0t|�D]"}||krK|j|�qKqKWqWqAqAWtjdtj�|�|rtjd�tj�}t |d|�}x*|D]"}||kr�|j!|�q�q�Wx�|D]�}|j"|j#}||kr*i||<nd|||j$d<|r�||
kr^i|
|<nt%d|d|j$dd|d|�|
||j$d<ntjd|j$d�||	kr�i|	|<nt&d|d|d|�|	||j$d<q�Wtjdtj�|�ntjdt|��tj�}xY
|D]Q
}dR}d}t(}t)}d|j$kry|j$d}ntj*d |j$�Pd!|j$kr�|j$d!}nd|j$kr�|j$d}ntj*d"|j$�P|j"|j#}t+|�r�|dkr�t,|�st-|�r.t)}t(}nt.||||t+|�r�d#}tjd$|�||krxi||<n||||<q�nt-|�r)|dkr)t/|�s�t+|�r�t)}t(}nt.||||t-|�r)d%}tjd&|�||kri||<n||||<q)nt/|�r�|dkr�t,|�sYt-|�rht)}t(}nt0|||t/|�r�d#}tjd'|�||kr�i||<n||||<q�nt,|�r]|dkr]t/|�s�t+|�rt)}t(}nt0|||t,|�r]d%}tjd(|�||krIi||<n||||<q]n|rA|rAt1tjt2||d)d*��|�r�d#}tjd+|�||kr�i||<n||||<qAt1tjt2||d)dRd,t(��|�rAd%}tjd-|�||kr-i||<n||||<qAnt3|�rh|s_|d#krhi}i}d} x�t3|�D]�}!x�|!j4�D]�}"t%d|"d|"j$d.d|d|�}#dR||#<|}$|}%d|"j$kr�|"j$d}$nd!|"j$kr	|"j$d!}%ntj|"�jd/kr|"j4�r�
t5|"�r�	|#|kr�	t.|"||$|%t5|�r�	t(||#<tjd0|"j$d.�q�	nt6|"�r�	|#|kr�	t.|"||$|%t6|�r�	t)||#<| d1} tjd2|"j$d.�q�	nt7|"�rY
|#|krY
tjd3�t0|"||t7|�rY
t(||#<tjd0|"j$d.�qY
nt8|"�r||#|kr|tjd4�t0|"||t8|�r�
t)||#<| d1} tjd2|"j$d.�q�
q|qGt1tjt9|"|$|%||!d,t(��|�r(t)||#<| d1} tjd2|"j$d.�qGt1tjt9|"|$|%||!d,t)��|�rGt(||#<tjd0|"j$d.�qGq�tj|"�jd5ks�tj|"�jd6ks�tj|"�jd7ks�tj|"�jd8kr�t1tjt9|"|$|%||!d,t(��|�r=d%||#<| d1} tjd9|"j$d.�qGt1tjt9|"|$|%||!d,t)��|�rGt:t9|"|$|%||!d,t)�|�}&|&||#<tjd:|"j$d.|&�qGq�tj|"�jd;kr�
t1tjt9|"|$|%||!d,t(��|�r4
tjd<|"j$d.�d%||#<| d1} qGx|"j4�D]�}'t.|'|"j$d.|$|%t;|�rA
t<|'�r�
tjd=�t0|'||$t<|�r�
tjd>�t=||'j$d?�||#<Pq�
q�
t=||'j$d?�||#<PqA
qA
Wq�tj|"�jd@kr�t)}(dA|"j$krI|"j$dAj�dBkrItjdC�t(}(nt1tjt9|"|$|%||!d,t)��t
jjj
dD�|�r�t:t9|"|$|%||!d,t)�|dE|(�}&|&||#<tjdF|"j$d.|&�qGt1tjt9|"|$|%||!d,t(��|�rGd%||#<| d1} tjdGj|"j$d.��qGq�q�Wq~W|r,t|j>��dkrbt|j>��t|j>��krb| t|j>��kr�tjdHj|��||kr�i||<nd%|||<q)||kri||<n||||<tjdIj|��qbqe|d#kre||krQi||<n||||<qeqhn|r2||kr2|||kr2||
kr�i|
|<nt%d|d|j$dd|d|�|
||<|j$d|||kr2|
||})|||j?|j$d�}*|*||||)<q2n||kr<|||kr<||	krgi|	|<nt&d|d|d|�|	||<q<q<WtjdJtj�|�n|rs|rs|rstjdK�tj�}i}+i},xmt@|�D]_}-x�t@||-�D]�}|
|-|||-kr�|	|-|}.|.jA�|.j|
|-|�||-j?|�|dLjB|.�<t(|,|
|-|<q
||-j?|�||-|
|-|<|-|+kr�i|+|-<n||+|-|
|-|<q
Wxo|+|-D]c}/|	|-|+|-|/}.|.jA�|.j|/�tjdM|.�||-j?|/�|dLjB|.�<q�Wq�WtjdNtj�|�nx4t@|�D]&}-||-ikr�|j?|-�q�q�W|r|r|	r�tjdO�tj�}x|	D]�}-x�|	|-D]�}0|0||-kr�i}1t(}2xv|	|-|0D]f}3i}4|2rt|0}5|rM|
|-|0}5ni||-j?|0�|56|4|3<t)}2n
|1|4|3<|4}1qW|1r�tCjD||1�}q�q�q�W|-|kr�||-ikr�|j?|-�q�q�WtjdNtj�|�nii|dP6|j|dQ6}n|S(Su
    rewrite of _getAllAdminTemplateSettingsFromRegPolFile where instead of
    looking only at the contents of the file, we're going to loop through every
    policy and look in the registry.pol file to determine if it is
    enabled/disabled/not configured
    uPOLICY CLASS == %supolicy_pathR�uPOLICY CLASS {0} has file datau\]{0}$iR�u^\[{0}u	utf-16-leu][uParsing %s policies...u{0};tkeyvalueu)Found %s policies using the mapped methodu
%s not mappedu+Found %s policies using the original methodupolicyuParsing complete: %s secondsu!Gathering non configured policiestregistry_classuNot ConfiguredunameR�RjRkRlu-building hierarchy for non-configured item %stpolicy_definitionuGathering complete: %s secondsuExamining %s policies...ukeyu9policy item %s does not have the required "key" attributeu	valueNameu:policy item %s does not have the required "name" attributeuEnabledu-%s is enabled by detected ENABLED_VALUE_XPATHuDisabledu/%s is disabled by detected DISABLED_VALUE_XPATHu,%s is enabled by detected ENABLED_LIST_XPATHu.%s is disabled by detected DISABLED_LIST_XPATHu	REG_DWORDu1u9%s is enabled by no explicit enable/disable list or valueR�u:%s is disabled by no explicit enable/disable list or valueuidubooleanuelement %s is configured trueiuelement %s is configured falseuchecking trueListuchecking falseListudecimalutextulongDecimalu	multiTextuelement %s is disabledu"element %s is enabled, value == %suenumuenum element %s is disableduenum item has a valueListu!all valueList items exist in fileudisplayNameulistu
explicitValueutrueu.explicitValue list, we will return value namesu(?!\*\*delvals\.)R�u element %s is enabled values: %suelement {0} is disabledu${0} is disabled by all enum elementsu{0} is enabled by enum elementsu Examination complete: %s secondsu$Compiling non hierarchical return...u\ufull_path_list == %su Compilation complete: %s secondsu Compiling hierarchical return...uAdministrative Templatesulgpo_sectionN(ERaRbR
t_read_regpol_fileR?R�R�RPR�R�R�R�tstringutilstto_bytesR=RyR@RwRcRdttimeR�R[R�tREGKEY_XPATH_MAPPEDtREGKEY_XPATHRlRRYRZRmtPOLICY_ANCESTOR_XPATHtALL_CLASS_POLICY_XPATHtremoveR�R�R�Rnt_build_parent_listRRRR�tENABLED_VALUE_XPATHtDISABLED_LIST_XPATHtDISABLED_VALUE_XPATHR�tENABLED_LIST_XPATHR�RtR�tELEMENTS_XPATHR]tTRUE_VALUE_XPATHtFALSE_VALUE_XPATHtTRUE_LIST_XPATHtFALSE_LIST_XPATHR�R�tVALUE_XPATHtVALUE_LIST_XPATHRWR<R�R�treverseR:t
dictupdateR�(6tpolicy_classRlRkthierarchical_returntreturn_not_configuredtmodule_policy_dataR�t
admx_policiestpolicy_valst	hierarchyt
full_namestadmx_policy_definitionstadml_policy_resourcestpolicy_filedata_splitt
start_timeR�tpolicy_item_keyt
admx_itemst	admx_itemtnot_configured_policiestnot_configured_policytnot_configured_policy_namespacetadmx_policytthis_valuenametthis_policy_settingtelement_only_enabled_disabledt%explicit_enable_disable_value_settingtthis_keytthis_policynametthis_policynamespacetrequired_elementstconfigured_elementstpolicy_disabled_elementst
elements_itemt
child_itemtthis_element_namet	child_keytchild_valuenametconfigured_valuet	enum_itemR�t	full_nameRt
unpathed_dicttpathed_dicttpolicy_namespacetfull_path_listtpath_neededthierarchy_itemttdictt
first_itemR}tnewdictt
h_policy_name((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_checkAllAdmxPolicies�sr	!'!
:	
				







	

	
	
		
		
	
	

		
		

	
	
		

	
	
	
	

			

		
			

					
	

			


	
	

					
	

		

+$


"




 #


(

	

c	
C@s�g}t|jj��d}|jdj|�d|j�}td|�}|r�|d}dj|�}t|j|d|j��}tj||j�}t	d|d|d|d	|d
|d|�}n|S(u[
    helper function to build a list containing parent elements of the ADMX
    policy
    iu{0}:parentCategory/@refR�R�u)/policyDefinitions/policyNamespaces/{0}:*R9R�tparent_categorytpolicy_nsmapRkRl(
R�R�R<R�RPR�R�R�R�t_admx_policy_parent_walk(	R�RkRltparent_listR�RR�tnsmap_xpathtthis_namespace_map((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyR��s.
		c
C@sutd|�}d}d}|jd�dkr�|jd�d}|jd�d}|j|�}tj|t|j|d|���}n|j||�}|j|d|�rq|j|d|�d}	td|	d	|	j	d
d|d|�}
|j
|
�|	jd
j|�d|�rqtd|d|d|	jd
j|�d|�dd|d|d|�}qqn|S(uo
    helper function to recursively walk up the ADMX namespaces and build the
    hierarchy for the policy
    R�u7/policyDefinitions/categories/{0}:category[@name="{1}"]u-/policyDefinitions/policyNamespaces/{0}:usingu:iiR�R�RjunameRkRlu{0}:parentCategory/@refR9R�RR(R�R�RcRPR�R�R�R�RnR�RmR(R9R�RRRkRlR�tcategory_xpath_stringtusing_xpath_stringttparent_categorytthis_parent_name((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyR�s:
	

	
"cC@sLd}tjj|�rHtjjj|d��}|j�}WdQXn|S(uK
    helper function to read a reg policy file and return decoded data
    urbN(	RR8R9texistsR�R�R�R�R�(treg_pol_patht
returndatatpol_file((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyR��s
cC@s�|r�tjjjd�}djtjjjd�tj|�d|tj|�dg�}tj||tj�}|r�||j	�|j
d|j��d!SndS(u�
    helper function to do a search of Policy data from a registry.pol file
    for a policy_regpath and policy_regkey combo
    u(\*\*Del\.|\*\*DelVals\.){0,1}R�u\[t;t]iN(
R�R�R�R�R:R�RyRoRpR{R|R}R(Rrtpolicy_regpatht
policy_regkeytspecialValueRegext_thisSearchRs((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_regexSearchKeyValueCombo�s*cC@s�y�d}tjj|�s,td|�ntjjj|d��E}|j|j	d��sx|j
|j	d��n|j
|�WdQXy�d}tjj|�r�tjjj|d��}|j�}WdQXntd|�s�d	|}ntd
j
tj|��|�r�tjdj
tj|��|tjtjB�}	||	j�|	j�!}
tdj
tj|��|
�s-|
jd
�}
||
d|
d<d
j|
�}
|d|	j�!|
||	j�}q-nTtjd|tjtjB�}dj
||j�|j�!||||j��}td|�retjd|tjtjB�}||j�|j�!}
|
jd
�}
tjdtjdt|
d���}|j�dj�kr�|d|ddf}n3|j�dj�kr|dd|df}ntjdtjd|��d}dj
|d|j�!d|||j��}n�tjd|tjtjB�}|j�dj�kr�d}n!|j�dj�kr�d}ndj
||j�|j�!dtdj
tj|d�jd�tj|d�jd��d�||j��}|rstjjj|d��}|j
|�WdQXnWn>tk
r�}dj
||�}t j!|�t"|��nXWn>tk
r�}dj
||�}t j!|�t"|��nXdS( uS
    helper function to actually write the data to a Registry.pol file

    also updates/edits the gpt.ini file to include the ADM policy extensions
    to let the computer know user and/or machine registry policy files need
    to be processed

    data_to_write: data to write into the user/machine registry.pol file
    policy_file_path: path to the registry.pol file
    gpt_ini_path: path to gpt.ini file
    gpt_extension: gpt extension list name from _policy_info class for this registry class gpt_extension_location
    gpt_extension_guid: admx registry extension guid for the class
    u剐来u
file.makedirsuwbu	utf-16-leNuuru\[General\]\r\nu[General]
u{0}=u^{0}=.*\r\nu{0}u=iiu^\[General\]\r\nu{0}{1}={2}
{3}uVersion=u^Version=.*\r\ns>2Hs>IugPCMachineExtensionNamesugPCUserExtensionNamesuVersionu{0}{1}iiuwuCAn error occurred attempting to write to {0}, the exception was {1}(ii(ii(#R8R9R
R�R�R�R�R�RRwtwriteR�RtRPR�RyRoRpt	MULTILINER{R}RcR:R~RR�R\R[RR|tzfillRjRaRsR(t
data_to_writetpolicy_file_pathRAt
gpt_extensiontgpt_extension_guidR@R
tgpt_ini_datatgpt_filetgpt_ext_loctgpt_ext_strtgeneral_locationtversion_loctversion_strtversion_numstversion_numRwR�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_write_regpol_data
s�
		+		("			"

cC@s�|sd}ntjjjd�}x�|D]�}|jd�djd�}tj|d|jd�ddtj�}t	j
d|�t|||�}|r�t	j
d	||�|j||�}q+t	j
d
|�dj
||g�}q+W|S(u�
    helper function to take a list of strings for registry.pol file data and
    update existing strings or append the strings
    R�u(\*\*Del\.|\*\*DelVals\.){0,1}Rit[itflagsuitem value name is %sureplacing %s with %suappending %s(R�R�R�R�RcR_R�R�RpRaRbRRNR:(tstring_listRrRtthis_stringt
list_item_keytlist_item_value_nametdata_to_replace((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_policyFileReplaceOrAppendListus&	
		cC@s�|sd}ntjjjd�}d}d}d}|s�|jd�djd�}tj|d|jd�ddtj	�}t
jd|�t|||�}n|r�t
jd	||�|j
||�}n%t
jd
|�dj||g�}|S(u�
    helper function to take a ADMX policy string for registry.pol file data and
    update existing string or append the string to the data
    R�u(\*\*Del\.|\*\*DelVals\.){0,1}RiR&iR'uitem value name is %sureplacing %s with %suappending %sN(R�R�R�R�RRcR_R�R�RpRaRbRRNR:(R)Rrtappend_onlyRR�titem_value_nameR,((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_policyFileReplaceOrAppend�s(		uMachinecC@s,d}t�}d}td|�}td|�}y�td|d|dtdtdt�}x�|D]�}	x�||	D]�}
tj||	|
�j�d	kr�|j|	i�j	|
d:�d:k	rtjd
|
�qqutjd|
�|	|kri||	<n||	|
||	|
<quWqdWx�
|D]�
}	x�
||	D]�
}tjd|�t}d:}
d:}tj||	|�j�d
kr�tjd|�|j
|j|�di|	d6�}|r�|d}d|jkr�|jd|ks�|jddkr�d|jkr|jd}
ntjd|j�Pd|jkrN|jd}nt|�r�t}t|||
|td:dtdt�}t||�}nt|�r�t}t|||
td:dt�}tjd|�t||�}n|r%|r%t|
|dd:dt�}t||�}nt|�r�tjd|�x<t|�D]+}x"|j�D]}|
}|}d|jkr�|jd}nd|jkr�|jd}ntj|�jdkrMt|�s�t|�rMitd6td6}x}|D]J}t|||||d:dt�}tjd ||�t||�}q�Wqatj|�jdks�tj|�jd!ks�tj|�jd"ks�tj|�jd#ks�tj|�jd$ks�tj|�jd%krt |||||dt�}tjd&|�t||�}qatj|�jd'krat |||||dt�}tjd&|�t||�}qaqaWqNWq�q�tjd(||�q�tjd)|j�q�q7tjd*|�|j
|j|�di|	d6�}tjd+|�|r7|d}d|jkr�|jd|ks<|jddkr�d|jkr[|jd}
ntjd|j�Pd|jkr�|jd}nt!|�r�t}t|||
|t!d:dtdt�}t||�}nt"|�r+t}t|||
t"d:dt�}tjd,|�t||�}n|re|ret|
|dd-dt�}t||�}nt|�r�xAt|�D]0}x'|j�D]}|
}|}d|jkr�|jd}nd|jkr�|jd}n|jd.||	|kr�tj|�jdkr�t|�s,t|�r�g}||	||jd.r�t|||td:dt�}tjd/j|��nt|||td:dt�}t||�}q�tj|�jdkrd	t#|�s�t$|�rd	d0}||	||jd.r+	t||||t#d:dtdt�}n't||||t$d:dtdt�}t||�}q�tj|�jdks�	tj|�jd!ks�	tj|�jd"ks�	tj|�jd#ks�	tj|�jd$kr5
t |||||dtd1||	||jd.�}tjd2|�t||�}q�tj|�jd%kr0xW|j�D]�}||	||jd.t%||jd3�j&�krZ
t||jd.||t'd:dtdt�}t||�}t(|�r%t|||t(d:dt�}tjd4|jd.�t||�}nPqZ
qZ
Wq�tj|�jd'kr�t |||||dtd1||	||jd.�}tjd2|�t||d5t�}q�q�q�Wq~Wq�q�q�q7q7Wq&Wt)||j*|d6|j+|j*|d7|j*|d8�Wn$t,k
r'}tj-d9|�tSXtS(;u�
    helper function to prep/write adm template data to the Registry.pol file

    each file begins with REGFILE_SIGNATURE (u'剐来') and
    REGISTRY_FILE_VERSION (u'\x01\00')

    https://msdn.microsoft.com/en-us/library/aa374407(VS.85).aspx
    +    https://msdn.microsoft.com/en-us/library/cc232696.aspx
    [Registry Path<NULL>;Reg Value<NULL>;Reg Type;SizeInBytes;Data<NULL>]
    R�u%//ns1:*[@id = "{0}" or @name = "{0}"]R�R�RlRkR�R�unot configureduPolicy "%s" removedu!adding %s to base_policy_settingsuworking on admPolicy %sudisabledutime to disable %sR�uns1iuclassuBothukeyu9policy item %s does not have the required "key" attributeu	valueNameR�R�R�u'working with disabledList portion of %su	REG_DWORDuchecking elements of %subooleanutrueListu	falseListuworking with %s portion of %sudecimalutextulongDecimalu	multiTextuenumu"I have disabled value string of %sulistuGpolicy %s was found but it does not appear to be valid for the class %su;policy item %s does not have the requried "class" attributeu&time to enable and set the policy "%s"ufound this_policy == %su&working with enabledList portion of %su1uidu$working with trueList portion of {0}uR�u!I have enabled value string of %sudisplayNameu$working with valueList portion of %sR.upolicy_pathugpt_extension_locationugpt_extension_guiduRUnhandled exception %s occurred while attempting to write Adm Template Policy FileN(.R
R�R�R�RRR|R[RHR�RRaRbR�RPR�R�R�RR�R0R�R�R-R�R�R]RRYRZR�R�R�R�R�R�R�RWR.R�R�R%R?RARjRs(tadmtemplate_dataRlR�t
existing_dataRrtpolicySearchXpathR�R�tbase_policy_settingst
adm_namespacet
adm_policyt	admPolicyR�R�R�tthis_policytdisabled_value_stringtdisabled_list_stringsR�R�R�R�t	temp_dictt	this_listtenabled_value_stringtenabled_list_stringstlist_stringstvalue_stringR�Rw((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_writeAdminTemplateRegPolFile�sf
		
#$

#%
&	
			
		
							
		%
&	
		
				
					+cC@s�d}tjj|dd�r�tjjj|ddd��}|j�}WdQX|r�y2t	|j
d�jd��}tj
d|�Wn3tk
r�}tjd|d	�t|��nXd
|dkr�|dd
j�g|j�D]}|j�^q�kr�d|dkr�tj
d|dd�|ddj�g||dd
j�D]}|j�^q^kr�||dd
|ddj�SdSq�||dd
Sq�dSq�ndS(
u
    helper function to parse/read a GPO Startup/Shutdown script file

    psscript.ini and script.ini file definitions are here
        https://msdn.microsoft.com/en-us/library/ff842529.aspx
        https://msdn.microsoft.com/en-us/library/dd303238.aspx
    u	ScriptIniuIniPathurbNu	utf-16-leuuHave deserialized data %su7An error occurred attempting to deserialize data for %suPolicyuSectionuSettingNameuNeed to look for %s(RR8R9tisfileR�R�R�R�R�RR�R_RaRbRjRsRR[R<(tpolicy_infot
_existingDatatfhrR�R�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_getScriptSettingsFromIniFiles(#IE"
cC@s�tjjtjd�ddddd�}tjjtjd�ddddd�}tjjtjd�ddddd�}tjjtjd�ddddd�}d	S(
u�
    helper function to write local GPO startup/shutdown script

    scripts are stored in scripts.ini and psscripts.ini files in
    ``WINDIR\System32\GroupPolicy\Machine|User\Scripts``

    these files have the hidden attribute set

    files have following format:
        empty line
        [Startup]
        0CmdLine=<path to script 0>
        0Parameters=<script 0 parameters>
        [Shutdown]
        0CmdLine=<path to shutdown script 0>
        0Parameters=<shutdown script 0 parameters>

    Number is incremented for each script added

    psscript file also has the option of a [ScriptsConfig] section, which has
    the following two parameters:
        StartExecutePSFirst
        EndExecutePSFirst

    these can be set to True/False to denote if the powershell startup/shutdown
    scripts execute first (True) or last (False), if the value isn't set, then
    it is 'Not Configured' in the GUI
    uWINDIRuSystem32uGroupPolicyuMachineuScriptsuscripts.iniu
psscripts.iniuUserN(R8R9R:R;(tpsscriptt_machineScriptPolicyPatht"_machinePowershellScriptPolicyPatht_userScriptPolicyPatht_userPowershellScriptPolicyPath((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_writeGpoScript"s0			cC@spg}td|�}td|�}t|d|d|�}|rt|�dkr�|d}td|d|jddtd	|�}|j|�|j|jd�td
|dtd	|�}	|	j	�|	j|�|jdj
|	��t||d)fSd}
td)g|
fSn<t
|d|�}g}|}
|s{d|kr{|jd�}|j�}t
|d|�}q{n|rTt}d
}g}t|�dkr�tjd|�t}x'|D]}t|dd
�j�|ks�|j|�q�|r�tjd|�dj|jjd�d|jd�}dj|j||�}g}|j|d|j�}|s�tjd|�|j|�nx�|D]�}tjd|�td
|dtd	|�}|j	�||kr*d}
tj|
||�t|�dkrZtjd�|j|�qZq�tjd||�tjd|�|j|�q�Wt|�dkr�|j|d�q�q�dj|jjd�d|jd�}t|d|d|�}|s�|j|�q�q�Wnx*|D]"}||kr�|j|�q�q�Wt|�dkr3|r3t}nx�|D]�}tjd|j|j�dj|jjd�d|jd�}tjd|�|s�tjd||�t|d|d|�}n|r:tjd j|��tjd!j|��t|�dks|r�|r�t}xa|D]Y}t}|r�td
|dtd	|�}|j	�tjd"||�||kr�t}q�nt}|r$tjd#||�d|jkrUtd|d|jddtd	|�}|j|�|j|jd�td
|dtd	|�}	|	j	�|	j|�|jdj
|	��t||d)fSd$}
|
j|�}
td)g|
fSq$q$W|s"d%j|
�}
td)g|
fSq%xy|D]n}td
|dtd	|�}|j	�|j|�|rd&j
|dj
|�g�}q�dj
|�}q�Wq:q:W|rTd'}
td)g|
j||�fSntd)gd(j||�fS(*uD
    (success_flag, policy_xml_item, policy_name_list, message)
    R�RjR�iiR�unameRkRlR�u\u8ADMX policy name/id "{0}" is used in multiple ADMX filesuu7multiple ADML entries found matching the policy name %sutextuwe have hierarchy of %su
$({0}.{1})u}uiduK//{0}:policy[@displayName = "{1}" and (@class = "Both" or @class = "{2}") ]R�u;No admx was found for the adml entry %s, it will be removedupolicy_name == %su7hierarchy %s does not match this item's hierarchy of %suYonly 1 admx was found and it does not match this adml, it is safe to remove from the listu+hierarchy %s matches item's hierarchy of %su!search_result %s added to resultsRRu1found an ADML entry matching the string! %s -- %susearching for displayName == %suGsearch for an admx entry matching display_name %s and registry_class %su%processing admx_search_results of {0}umultiple_adml_entries is {0}utesting %s == %su8found the ADMX policy matching the display name %s -- %suNADMX policy with the display name {0} does nothave the required name attribtueu%Unable to correlate {0} to any policyu, u�ADML policy name "{0}" is used as the display name for multiple policies.  These policies matched: {1}.  You can utilize these long names to specify the correct policyuUnable to find {0} policy {1}N(R�R�tADMX_SEARCH_XPATHRdRnR�RRmR�R�R:RRtADML_SEARCH_XPATHRcR�RaRbR7R.RPR�R�R�R�tADMX_DISPLAYNAME_SEARCH_XPATHR�(RjR�Rltpolicy_aliasesR�R�tadmx_search_resultst
the_policytpolicy_display_nameR�R�tadml_search_resultsR�thierarchy_policy_nametmultiple_adml_entriestsuggested_policiestadml_to_removetadml_search_resulttdisplay_name_searchvaltpolicy_search_stringtadmx_resultstthese_admx_search_resultst
search_resulttthis_hierarchytadmltfoundtpossible_policytthis_parent_list((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt_lookup_admin_templateYsH		

	
	

			
	
	

	
	
	

	
	

	
	


	

			cC@s�i|d6|d6gd6td6td6gd6dd6}|j�}t�}||jj�kr�d	j|jj��}d
j||�|d<|S||j|dkr|dj|j|d|d�t|d<d
|d<d|j|d|kr
t|d<n|Sx�|j|dD]�}|j|d|dj	�|j	�kr |dj|�t|d<d
|d<d|j|d|kr�t|d<n|Sq Wt
d|d|d|�\}}}	}
|r~x�t|�D]x}xo|j�D]a}t
d|d|jddtd|�}
|dji|jdd6|jd|
gd6�q�Wq�W|	|d<t|d<d
|d<|S|
|d<|S(u
    Returns information about a specified policy

    Args:
        policy_name (str):
            The name of the policy to lookup
        policy_class (str):
            The class of policy, i.e. machine, user, both
        adml_language (str):
            The ADML language to use for Administrative Template data lookup

    Returns:
        dict: Information about the specified policy

    CLI Example:

    .. code-block:: bash

        salt '*' lgpo.get_policy_info 'Maximum password age' machine

    You can use ``lgpo.get_policy_info`` to get all the possible names that
    could be used in a state file or from the command line (along with elements
    that need to be set/etc). The key is to match the text you see in the
    ``gpedit.msc`` gui exactly, including quotes around words or phrases. The
    "full path" style is really only needed when there are multiple policies
    that use the same base name. For example, ``Access data sources across
    domains`` exists in ~10 different paths. If you put that through
    ``get_policy_info`` you'll get back a message that it is used for multiple
    policies and you need to be more specific.

    CLI Example:

    .. code-block:: bash

        salt-call --local lgpo.get_policy_info ShellRemoveOrderPrints_2 machine

        local:
            ----------
            message:
            policy_aliases:
                - Turn off the "Order Prints" picture task
                - ShellRemoveOrderPrints_2
                - System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
            policy_class:
                machine
            policy_elements:
            policy_found:
                True
            policy_name:
                ShellRemoveOrderPrints_2
            rights_assignment:
                False

    Escaping can get tricky in cmd/Powershell. The following is an example of
    escaping in Powershell using backquotes:

    .. code-block:: bash

        PS>salt-call --local lgpo.get_policy_info "Turn off the `\`"Order Prints`\`" picture task" machine

        local:
            ----------
            message:
            policy_aliases:
                - Turn off the "Order Prints" picture task
                - ShellRemoveOrderPrints_2
                - System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
            policy_class:
                machine
            policy_elements:
            policy_found:
                True
            policy_name:
                Turn off the "Order Prints" picture task
            rights_assignment:
                False

    This function can then be used to get the options available for specifying
    Group Policy Objects to be used in state files. Based on the above any of
    these *should* be usable:

    .. code-block:: bash

        internet_communications_settings:
          lgpo.set:
            - computer_policy:
                Turn off the "Order Prints" picture task: Enabled

    .. code-block:: bash

        internet_communications_settings:
          lgpo.set:
            - computer_policy:
                ShellRemoveOrderPrints_2: Enabled

    When using the full path, it might be a good idea to use single quotes
    around the path:

    .. code-block:: bash

        internet_communications_settings:
          lgpo.set:
            - computer_policy:
                'System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task': 'Enabled'

    If you struggle to find the policy from ``get_policy_info`` using the name
    as you see in ``gpedit.msc``, the names such as "ShellRemoveOrderPrints_2"
    come from the ``.admx`` files. If you know nothing about ``.admx/.adml``
    relationships (ADML holds what you see in the GUI, ADMX holds the more
    technical details), then this may be a little bit too much info, but here is
    an example with the above policy using Powershell:


    .. code-block:: bash

        PS>Get-ChildItem -Path C:\Windows\PolicyDefinitions -Recurse -Filter *.adml | Select-String "Order Prints"

        C:\windows\PolicyDefinitions\en-US\ICM.adml:152:      <string id="ShellRemoveOrderPrints">Turn off the "Order Prints" picture task</string>
        C:\windows\PolicyDefinitions\en-US\ICM.adml:153:      <string id="ShellRemoveOrderPrints_Help">This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.
        C:\windows\PolicyDefinitions\en-US\ICM.adml:155:The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.
        C:\windows\PolicyDefinitions\en-US\ICM.adml:157:If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.

    From this grep, we can see id "ShellRemoveOrderPrints" is the ID of the
    string used to describe this policy, then we search for it in the ADMX:

    .. code-block:: bash

        PS>Get-ChildItem -Path C:\Windows\PolicyDefinitions -Recurse -Filter *.admx | Select-String "ShellRemoveOrderPrints"

        C:\windows\PolicyDefinitions\ICM.admx:661:    <policy name="ShellRemoveOrderPrints_1" class="User" displayName="$(string.ShellRemoveOrderPrints)" explainText="$(string.ShellRemoveOrderPrints_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoOnlinePrintsWizard">
        C:\windows\PolicyDefinitions\ICM.admx:671:    <policy name="ShellRemoveOrderPrints_2" class="Machine" displayName="$(string.ShellRemoveOrderPrints)" explainText="$(string.ShellRemoveOrderPrints_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoOnlinePrintsWizard">

    Now we have two to pick from. And if you notice the ``class="Machine"`` and
    ``class="User"`` (which details if it is a computer policy or user policy
    respectively) the ``ShellRemoveOrderPrints_2`` is the "short name" we could
    use to pass through ``get_policy_info`` to see what the module itself is
    expecting.
    upolicy_nameupolicy_classupolicy_aliasesupolicy_foundurights_assignmentupolicy_elementsupolicy not foundumessageu, uOThe requested policy class "{0}" is invalid, policy_class should be one of: {1}upoliciesuPolicyuu	LsaRightsRjR�RlR�uidRku
element_iduelement_aliases(RttitleR
R>R<R:RPRmRR[RdR�R]RnR�(RjR�RltretRrtpolicy_classestpoltsuccesstpolicy_xml_itemtpolicy_name_listtmessageR�R�R�((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pytget_policy_infosf�

	



+



	
 



cC@s�i}i}t�}|d$ks3|j�dkrE|jj�}nv|j�g|jj�D]}|j�^q^kr�d}	t|	j|dj|jj�����n|j�g}x-|D]%}
|j|
d}i}x�|D]�}
d$}|
|j|
dkr!|j|
d|
}nexb|j|
dD]O}|j|
d|dj	�|
j	�kr3|j|
d|}|}
q3q3W|rK|
}d|kr�t
d|dd|dd	|dd
�d||
<tjd||
|
�nVd
|krt
d|d
d�}|||
<n&d|krVtd|ddd|dd�||
<n�d|kr�td|dd�||
<n�d|kr�|dd|kr�tjd$|dd�||dd<n||dd|dd||
<nVd|krt|dd�||
<n/d|krDtjd|
�t|�||
<n|
|kr�td||
d|j|
d|
dd�||
<n|r�|j|
�||d<|d}n|rfd|krHt}i}xWt|d�D]E}i}|ri|j|�|6||<t}n
|||<|}q�W|rEtj||�}qEqHqfq�d}	t|	j|
���q�Wtj|td|
d |d!|d"|d#|��}|j|
d|kr�i||j|
d6}|}ntj||�}q�W|S(%uY
    Get a policy value

    Args:

        policy_class (str):
            Some policies are both user and computer, by default all policies
            will be pulled, but this can be used to retrieve only a specific
            policy class User/USER/user = retrieve user policies
            Machine/MACHINE/machine/Computer/COMPUTER/computer = retrieve
            machine/computer policies

        return_full_policy_names (bool):
            True/False to return the policy name as it is seen in the
            ``gpedit.msc`` GUI or to only return the policy key/id.

        hierarchical_return (bool):
            True/False to return the policy data in the hierarchy as seen in the
            ``gpedit.msc`` GUI. The default of False will return data split only
            into User/Computer configuration sections

        adml_language (str):
            The ADML language to use for processing display/descriptive names
            and enumeration values of ADMX template data, defaults to en-US

        return_not_configured (bool):
            Include Administrative Template policies that are 'Not Configured'
            in the return data

    Returns:
        dict: A dictionary containing the policy values for the specified class

    CLI Example:

    .. code-block:: bash

        salt '*' lgpo.get machine return_full_policy_names=True
    ubothuaThe policy_class {0} is not an available policy class, please use one of the following: {1}, Bothu, upoliciesuPolicyuRegistryureg.read_valueuHiveuPathuValueuvdatau Value %r found for reg policy %suSeceditR�uOptionuNetSHRuProfileuAdvAudituNetUserModaluModalu	LsaRightsu	ScriptIniu!Working with ScriptIni setting %sRR�R8uGetulgpo_sectionuTThe specified policy {0} is not currently available to be configured via this moduleR�RlRkR�R�N(R
RR[R>R<RRPR:ReRUR�RaRbR0RR�twin32nettNetUserModalsGetRKRFR;R�RtreversedRR�R�R�(R�RkR�RlR�tvalst
modal_returnsR:R�R�tp_classtthis_class_policy_namest
class_valsRjt_polR�t
vals_key_nameRet	firstItemR�tlevelR�R;((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyRH�s�*	4*

+

 %

	

	c	C@s5i}|||<td|ddd|d|�}|S(u�
    Set a single computer policy

    Args:
        name (str):
            The name of the policy to configure

        setting (str):
            The setting to configure the named policy with

        cumulative_rights_assignments (bool): Determine how user rights
            assignment policies are configured. If True, user right assignment
            specifications are simply added to the existing policy. If False,
            only the users specified will get the right (any existing will have
            the right revoked)

        adml_language (str): The language files to use for looking up
            Administrative Template policy data (i.e. how the policy is
            displayed in the GUI).  Defaults to 'en-US' (U.S. English).

    Returns:
        bool: True if successful, otherwise False

    CLI Example:

    .. code-block:: bash

        salt '*' lgpo.set_computer_policy LockoutDuration 1440
    tcomputer_policytuser_policytcumulative_rights_assignmentsRlN(tset_R(RRR|RlRhRf((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pytset_computer_policyrs!
	c	C@s5i}|||<td|dddtd|�}|S(u|
    Set a single user policy

    Args:

        name (str):
            The name of the policy to configure

        setting (str):
            The setting to configure the named policy with

        adml_language (str):
            The language files to use for looking up Administrative Template
            policy data (i.e. how the policy is displayed in the GUI). Defaults
            to 'en-US' (U.S. English).

    Returns:
        bool: True if successful, Otherwise False

    CLI Example:

    .. code-block:: bash

        salt '*' lgpo.set_user_policy "Control Panel\Display\Disable the Display Control Panel" Enabled
    R{RzR|RlN(R}RR(RRRlRhRf((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pytset_user_policy�s
	c-C@s�|r+t|t�r+d}t|��n|rVt|t�rVd}t|��ni}||d<||d<|r�td|�}x|D]�}i}i}	i}
i}i}i}
i}t�}||r�x�	||D]	}dm}|}||j|dkr|j|d|}nexb|j|dD]O}|j|d|dj�|j�kr-|j|d|}|}q-q-W|r
td|||d	|j|d|d
d�}t	d|d	|j|d|�sd}t|j
||||���nd
|kr<tjd|�i|d6|d6|
|<qY
d|kr�tjd|�|dd|kr�g||dd<n||ddj
dj|dddtj|�g��qY
d|kr,tjd|�|	j|i|ddd6|ddd6|ddd6tj|�d6�qY
d|krj|
j|i|ddd6tj|�d6�qY
d|kr�tjd|�|dd |kr�i||dd <n|||dd |dd<qY
d!|krY
tjd"|�i|d6|d6||<qY
q�|||}tjd#|�td$|d%|d&|�\}}}}|r�|jd'}|j|j}||kr�i||<n||||<nt|��|r�|||kr�|dmk	r�tjd(tj|||�j��tjtj|||�j��tj|||�j�d)krY
tj|||�j�d*krY
t|�r
t|||t�r�	x�t|�D]V}xM|j�D]?}tjd+|jd,�dm}td-|d$|jd,d.td&|�}tjd/|jd,|�||||kr |}nI|jd,|||krK|jd,}nd0}t|j
||���d1|jkr�|jd1j�d2kr�||||s�d3}t|j
|���q�ntj|�jd4krt||||t�s�	d5}t|j
|���q�	n�tj|�jd6ksHtj|�jd7krd8}d9}d:|jkryt|jd:�}nd;|jkr�t|jd;�}nt||||�|ks�t||||�|kr�	d<}t|j
|||���q�	n�tj|�jd=kr�t }xL|j�D]>} ||||t!|| jd>�j"�kr,t}Pq,q,W|s�	d?}t|j
|���q�	ntj|�jd@krY	dA|jkr	|jdAj�d2kr	t||||t�sV	dB}|j
|�}t|��qV	q�	t||||t#�s�	dC}|j
|�}t|��q�	nZtj|�jdDkr�	t||||t#�s�	dC}|j
|�}t|��q�	n|||j$|�||||jd,<q�Wq�WqS
dE}|j
|�}t|��qV
tj|||�j�dFkrV
dG}|j
|�}t|��qV
qY
q�q�W|
r�x}|
D]r}!tjdH|!�|
|!ddmk	r|
|!ddIkrt%dJ|
|!dd
dK|
|!dd
dL|
|!dd
dM|
|!d|
|!dd
dN�}"n�t%dO|
|!dd
dK|
|!dd
dL|
|!dd
dM�}"|"dPr�|"dQdIkr�t%dR|
|!dd
dK|
|!dd
dL|
|!dd
dM�}"n|"sj
dS}t&|j
|!���qj
qj
Wn|r	
x|D]}#dm}$|s!t'||#dd!d�}$n||#dr�x\||#dD]I}%t(|%||#dd!d�}"|"s>dT}t|j
|#���q>q>Wn|$r�xk|$D]`}%|%||#dkr�t)|%||#dd!d�}"|"s�dU}t|j
|#���q�q�q�Wq�q�Wn|r�
tj|�dVjdWdXg�}&dYdZd[d\g}'xT|'D]L}(|(|krJ
dVj|&d]jd^|(d_g�dVj||(�g�}&qJ
qJ
WdVj|&d`dadbg�}&tjdc|&�t*|&�s�
dd}t&|��q�
n|	r8xF|	D];})tjdej
|)��tj|	|)�t+|	|)�q�
Wn|
r�xF|
D];})tjdfj
|)��tj|
|)�t,|
|)�qEWn|r2tj|�x�|D]�}*yQt-j.dm|*�}+t/j0|+||*�},tjdg|,�t-j1dm|*|,�}"Wq�t2k
r*dh}tj3|�t&|��q�Xq�Wn|r�t }"tjdi|�t4|d&|dj|�}"|"s�dk}t&|��q�q�q�q�WtSdl}t|��dmS(nu�
    Set a local server policy.

    Args:

        computer_policy (dict):
            A dictionary of "policyname: value" pairs of computer policies to
            set. 'value' should be how it is displayed in the gpedit GUI, i.e.
            if a setting can be 'Enabled'/'Disabled', then that should be passed

            Administrative Template data may require dicts within dicts, to
            specify each element of the Administrative Template policy.
            Administrative Templates policies are always cumulative.

            Policy names can be specified in a number of ways based on the type
            of policy:

                Windows Settings Policies:

                    These policies can be specified using the GUI display name
                    or the key name from the _policy_info class in this module.
                    The GUI display name is also contained in the _policy_info
                    class in this module.

                Administrative Template Policies:

                    These can be specified using the policy name as displayed in
                    the GUI (case sensitive). Some policies have the same name,
                    but a different location (for example, "Access data sources
                    across domains"). These can be differentiated by the "path"
                    in the GUI (for example, "Windows Components\Internet
                    Explorer\Internet Control Panel\Security Page\Internet
                    Zone\Access data sources across domains").

                    Additionally, policies can be specified using the "name" and
                    "id" attributes from the ADMX files.

                    For Administrative Templates that have policy elements, each
                    element can be specified using the text string as seen in
                    the GUI or using the ID attribute from the ADMX file. Due to
                    the way some of the GUI text is laid out, some policy
                    element names could include descriptive text that appears
                    lbefore the policy element in the GUI.

                    Use the get_policy_info function for the policy name to view
                    the element ID/names that the module will accept.

        user_policy (dict):
            The same setup as the computer_policy, except with data to configure
            the local user policy.

        cumulative_rights_assignments (bool):
            Determine how user rights assignment policies are configured.

            If True, user right assignment specifications are simply added to
            the existing policy

            If False, only the users specified will get the right (any existing
            will have the right revoked)

        adml_language (str):
            The language files to use for looking up Administrative Template
            policy data (i.e. how the policy is displayed in the GUI). Defaults
            to 'en-US' (U.S. English).

    Returns:
        bool: True is successful, otherwise False

    CLI Example:

    .. code-block:: bash

        salt '*' lgpo.set computer_policy="{'LockoutDuration': 2, 'RestrictAnonymous': 'Enabled', 'AuditProcessTracking': 'Succes, Failure'}"
    u+computer_policy must be specified as a dictu'user_policy must be specified as a dictuUseruMachineR�upoliciesuPolicyRR�R8uPutuDThe specified value {0} is not an acceptable setting for policy {1}.uRegistryu%s is a registry policyupolicyuvalueuSeceditu%s is a Secedit policyuSectionu uOptionu=uNetSHu%s is a NetSH policyuProfileuprofileusectionuoptionuAdvAudituNetUserModalu%s is a NetUserModal policyuModalu	LsaRightsu%s is a LsaRights policyusearching for "%s" in admx dataRjR�Rlunameu
setting == %sudisabledunot configureduchecking element %suidR�Rku/id attribute == "%s"  this_element_name == "%s"uIElement "{0}" must be included in the policy configuration for policy {1}urequiredutrueu.Element "{0}" requires a value to be specifiedubooleanu,Element {0} requires a boolean True or FalseudecimalulongDecimalii'uminValueumaxValueu/Element "{0}" value must be between {1} and {2}uenumudisplayNameu)Element "{0}" does not have a valid valueulistu
explicitValueu5Each list item of element "{0}" requires a dict valueu#Element "{0}" requires a list valueu	multiTextu6The policy "{0}" has elements which must be configureduenableduHThe policy {0} must either be "Enabled", "Disabled", or "Not Configured"u%s is a Registry policyu(value not set)u
reg.set_valueuHiveuPathuValueuTypeureg.read_valueusuccessuvdataureg.delete_valueugError while attempting to set policy {0} via the registry.  Some changes may not be applied as expectedu=An error occurred attempting to configure the user right {0}.uQAn error occurred attempting to remove previouslyconfigured users with right {0}.u
u	[Unicode]uUnicode=yesu
System AccessuEvent AudituRegistry ValuesuPrivilege Rightsuu[u]u	[Version]usignature="$CHICAGO$"u
Revision=1uini_data == %su_Error while attempting to set policies via secedit. Some changes may not be applied as expecteduSetting firewall policy: {0}u"Setting Advanced Audit policy: {0}uNEW MODAL SET = %suRAn unhandled exception occurred while attempting to set policy via NetUserModalSetu+going to write some adm template data :: %sR�uqError while attempting to write Administrative Template Policy data.  Some changes may not be applied as expecteduYou have to specify something!N(5RYR<RR�R
RR>RUR;R=RPRaRbRmR:RR|t
setdefaultRdR�R�R�R[R�R]RnRRRYRZtboolR\RRWR.R�R�R�RRKRFRHR6R"RRnRoR�R�tNetUserModalsSetRjRsRA(-RzR{R|RlR�R>R�Rst	_seceditst_netshst
_advauditst_modal_setst_admTemplateDatat	_regeditst
_lsarightsR:RjRvtpolicy_key_nameR�t_valueRiRRRkR�R�R�ttemp_element_nameR�tmin_valtmax_valRaR�tregeditREtlsarightt_existingUserstaccttini_datat_seceditSectionst_seceditSectionRt
_modal_sett_existingModalDatat_newModalSetData((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyR}�sO


	

	#!

"'$##
									5#
(

)

 





		(�R�t
__future__RRRR�R&R8tloggingR�tlocaletctypesRR�tuuidtsalt.exceptionsRRtsalt.serializers.configparserRtsalt.utils.dictupdateR�R�tsalt.utils.filesR�tsalt.utils.pathtsalt.utils.platformtsalt.utils.stringutilstsalt.utils.win_lgpo_netshtsalt.extRtsalt.ext.six.movesRt	getLoggerR�RaR�t__func_alias__tuuid4thexR%RRRiR�R�RR�R�R�R�R�R�R�R�R�R�R�R�R�R�ROR�tENUM_ITEM_DISPLAY_NAME_XPATHRMRNROR[R\RnRhR�R~Rtsalt.utils.win_regR	R�twindlltkernel32twindows_localeRHtGetSystemDefaultUILanguageRNR�tImportErrortobjectR
R�R�R�R�R�R�R�R�R�R�RRRRR"R,R-R0R6R;R=RFRHRKRWRhRnRtR�R�R�R�R�R�R�R�RR�RR%R-R0RARFRLRdRmR~RR}(((s9/usr/lib/python2.7/site-packages/salt/modules/win_lgpo.pyt<module>'sV
	"

������������������			
	
�	
V	+	a		)		"									
		,		
9?	
8���	 	+			h	�P	"9���)#

Zerion Mini Shell 1.0