From 39f83ce38c02a7483f497de2f1950f52bf2cb9af Mon Sep 17 00:00:00 2001 From: Jordan Borean Date: Wed, 13 Nov 2019 12:46:31 +1000 Subject: [PATCH] win_acl no longer needs SeSecurityPrivilege (#57804) (#64757) * win_acl no longer needs SeSecurityPrivilege Set-ACL raises missing SeSecurityPrivilege error when the inheritance from the parent directory is disabled. * fixes test sanity * registry rights can only be modified with Set-ACL * add changelog (cherry picked from commit 95d613f3ab376af8c06399d256d931c6c00c21d6)
---
 ...4-win_acl-no-longer-needs-SeSecurityPrivilege.yml | 2 ++ lib/ansible/modules/windows/win_acl.ps1 | 12 ++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 changelogs/fragments/57804-win_acl-no-longer-needs-SeSecurityPrivilege.yml
diff --git a/changelogs/fragments/57804-win_acl-no-longer-needs-SeSecurityPrivilege.yml b/changelogs/fragments/57804-win_acl-no-longer-needs-SeSecurityPrivilege.yml
new file mode 100644
index 00000000000..4f210d4d6b8
--- /dev/null
+++ b/changelogs/fragments/57804-win_acl-no-longer-needs-SeSecurityPrivilege.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - win_acl - Fixed error when setting rights on directory for which inheritance from parent directory has been disabled.
diff --git a/lib/ansible/modules/windows/win_acl.ps1 b/lib/ansible/modules/windows/win_acl.ps1
index af55f2ae21f..019be77daf4 100644
--- a/lib/ansible/modules/windows/win_acl.ps1
+++ b/lib/ansible/modules/windows/win_acl.ps1
@@ -188,7 +188,11 @@ Try {
 If ($state -eq "present" -And $match -eq $false) {
 Try {
 $objACL.AddAccessRule($objACE)
- Set-ACL -LiteralPath $path -AclObject $objACL
+ If ($path_item.PSProvider.Name -eq "Registry") {
+ Set-ACL -LiteralPath $path -AclObject $objACL
+ } else {
+ (Get-Item -LiteralPath $path).SetAccessControl($objACL)
+ }
 $result.changed = $true
 }
 Catch {
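Review bot: In the new `else` branch the write re-resolves the target with `(Get-Item -LiteralPath $path)` while the provider test just above it reads `$path_item`, so the check and the ACL write can act on two separately fetched objects, and `Get-Item` without `-Force` may not return hidden or system items. If `$path_item` (assigned outside this hunk) is the item for `$path`, prefer `$path_item.SetAccessControl($objACL)`, or at least `(Get-Item -LiteralPath $path -Force).SetAccessControl($objACL)`. A short comment such as `# Set-ACL needs SeSecurityPrivilege when inheritance is disabled; registry keys can only be changed with Set-ACL` would keep the reason for the split next to the code. The same branch is repeated in the `absent` hunk at -198,7, and the enclosing `Try` blocks start and end outside both hunks.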
@@ -198,7 +202,11 @@ Try {
 ElseIf ($state -eq "absent" -And $match -eq $true) {
 Try {
 $objACL.RemoveAccessRule($objACE)
- Set-ACL -LiteralPath $path -AclObject $objACL
+ If ($path_item.PSProvider.Name -eq "Registry") {
+ Set-ACL -LiteralPath $path -AclObject $objACL
+ } else {
+ (Get-Item -LiteralPath $path).SetAccessControl($objACL)
+ }
 $result.changed = $true
 }
 Catch {