win_acl: registry support for special service accounts (#26629)

* Fixes #22968 * `APPLICATION PACKAGE AUTHORITY` ACLs also apply to the registry * fixed nested for loop
7 years ago · 81c22522a5
parent 6de119ed3e
commit 81c22522a5
1 changed files with 16 additions and 21 deletions
--- a/lib/ansible/modules/windows/win_acl.ps1
+++ b/lib/ansible/modules/windows/win_acl.ps1
@ -279,32 +279,27 @@ Try {
 
    # Check if the ACE exists already in the objects ACL list
    $match = $false
-    If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
-        ForEach($rule in $objACL.Access){
+
+    # Workaround to handle special use case 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' and
+    # 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'- can't translate fully qualified name (win32 API bug/oddity)
+    # 'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16 and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16
+    $specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES"
+    ForEach($rule in $objACL.Access){
+        $idRefShortValue = ($rule.IdentityReference.Value).split('\')[-1]
+
+        if ( $idRefShortValue -in $specialIdRefs ) {
+            $ruleIdentity = (New-Object Security.Principal.NTAccount $idRefShortValue).Translate([Security.Principal.SecurityIdentifier])
+        }
+        else {
            $ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
+        }
+
+        If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
            If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
                $match = $true
                Break
            }
-        }
-    }
-    Else {
-        # Workaround to handle special use case 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' and
-        # 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'- can't translate fully qualified name (win32 API bug/oddity)
-        # 'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16 and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16
-
-        $specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES"
-
-        ForEach($rule in $objACL.Access){
-
-            $idRefShortValue = ($rule.IdentityReference.Value).split('\')[-1]
-
-            if ( $idRefShortValue -in $specialIdRefs ) {
-                $ruleIdentity = (New-Object Security.Principal.NTAccount $idRefShortValue).Translate([Security.Principal.SecurityIdentifier])
-            }
-            else {
-                $ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
-            }
+        } else {
            If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { 
                $match = $true
                Break