Skip to main content

windows_password_policy Resource

All Desktop resources page


Use the windows_password_policy resource to setup password complexity, password length, etc.

New in Chef Desktop 1.0.

Syntax

The full syntax for all of the properties that are available to the windows_password_policy resource is:

windows_password_policy 'name' do
  change_password_at_next_logon              true, false # default value: false
  group_name_for_expired_passwords           String # default value: "Users"
  group_name_for_password_never_expires      String # default value: "Administrators"
  maximum_password_age                       Integer # default value: 365
  minimum_password_length                    Integer # default value: 12
  password_never_expires                     true, false
  require_complex_passwords                  true, false # default value: true
  action                                     Symbol # defaults to :set if not specified
end

where:

  • windows_password_policy is the resource.
  • name is the name given to the resource block.
  • action identifies which steps Chef Infra Client will take to bring the node into the desired state.
  • change_password_at_next_logon, group_name_for_expired_passwords, group_name_for_password_never_expires, maximum_password_age, minimum_password_length, password_never_expires, and require_complex_passwords are the properties available to this resource.

Actions

The windows_password_policy resource has the following actions:

:nothing
This resource block doesn’t act unless notified by another resource to take action. Once notified, this resource block either runs immediately or is queued up to run at the end of a Chef Infra Client run.
:set
Sets the password policy using the properties.

Properties

The windows_password_policy resource has the following properties:

change_password_at_next_logon
Ruby Type: true, false | Default Value: false

Force all users in a local user group to change passwords at next logon

group_name_for_expired_passwords
Ruby Type: String | Default Value: Users

The group whose passwords were just to change at the next login

group_name_for_password_never_expires
Ruby Type: String | Default Value: Administrators

The group to which the password_never_expires rule applies. Defaults to Admins

maximum_password_age
Ruby Type: Integer | Default Value: 365

The maximum age in days for a password before it must be changed, defaults to 365

minimum_password_length
Ruby Type: Integer | Default Value: 12

Sets the minimum password length, defaults to 12 Characters

password_never_expires
Ruby Type: true, false

True/False to never expire the passwords, set to True by default

require_complex_passwords
Ruby Type: true, false | Default Value: true

A True/False option to require special characters, upper, lower, etc in the password

Common Resource Functionality

Chef resources include common properties, notifications, and resource guards.

Common Properties

The following properties are common to every resource:

compile_time

Ruby Type: true, false | Default Value: false

Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).

ignore_failure

Ruby Type: true, false, :quiet | Default Value: false

Continue running a recipe if a resource fails for any reason. :quiet won’t display the full stack trace and the recipe will continue to run if a resource fails.

retries

Ruby Type: Integer | Default Value: 0

The number of attempts to catch exceptions and retry the resource.

retry_delay

Ruby Type: Integer | Default Value: 2

The delay in seconds between retry attempts.

sensitive

Ruby Type: true, false | Default Value: false

Ensure that sensitive resource data isn’t logged by Chef Infra Client.

Notifications

notifies

Ruby Type: Symbol, 'Chef::Resource[String]'

A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.

If the referenced resource doesn’t exist, an error is raised. In contrast, subscribes won’t fail if the source resource isn’t found.

A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:

:before

Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.

:delayed

Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.

:immediate, :immediately

Specifies that a notification should be run immediately, for each resource notified.

The syntax for notifies is:

notifies :action, 'resource[name]', :timer
subscribes

Ruby Type: Symbol, 'Chef::Resource[String]'

A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.

Note that subscribes doesn’t apply the specified action to the resource that it listens to - for example:

file '/etc/nginx/ssl/example.crt' do
  mode '0600'
  owner 'root'
end

service 'nginx' do
  subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end

In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes doesn’t make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.

If the other resource doesn’t exist, the subscription won’t raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource doesn’t exist.

A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:

:before

Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.

:delayed

Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.

:immediate, :immediately

Specifies that a notification should be run immediately, for each resource notified.

The syntax for subscribes is:

subscribes :action, 'resource[name]', :timer

Guards

A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:

  • A string is executed as a shell command. If the command returns 0, the guard is applied. If the command returns any other value, then the guard property isn’t applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.
  • A block is executed as Ruby code that must return either true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property isn’t applied.

A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it’s being executed, and then if the desired state is present, for Chef Infra Client to don’thing.

Properties

The following properties can be used to define a guard that’s evaluated during the execution phase of a Chef Infra Client run:

not_if

Prevent a resource from executing when the condition returns true.

only_if

Allow a resource to execute only if the condition returns true.

Examples

The following examples demonstrate various approaches for using the windows_password_policy resource in recipes:

Configure the local password policy:

windows_password_policy 'Settings for password complexity, length and duration' do
  require_complex_passwords true
  minimum_password_length 12
  maximum_password_age 365
  action :set
end

Thank you for your feedback!

×