salt.states.group

Management of user groups

The group module is used to create and manage group settings. Groups can be either present or absent. User/group names can be passed to the addusers, delusers, and members parameters. addusers and delusers can be used together, but not with members.

In Windows, if no domain is specified in the user or group name (i.e. DOMAIN\username) the module will assume a local user or group.

cheese:
  group.present:
    - gid: 7648
    - system: True
    - addusers:
      - user1
      - users2
    - delusers:
      - foo

cheese:
  group.present:
    - gid: 7648
    - system: True
    - members:
      - foo
      - bar
      - user1
      - user2

salt.states.group.absent(name, local=False)

Ensure that the named group is absent

Parameters:
  • name (str) -- The name of the group to remove

  • local (Only on systems with lgroupdel available) --

    Ensure the group account is removed locally ignoring global account management (default is False).

    New in version 3007.0.

Example:

# Removes the local group `db_admin`
db_admin:
  group.absent

salt.states.group.present(name, gid=None, system=False, addusers=None, delusers=None, members=None, non_unique=False, local=False)

Changed in version 3006.0.

Ensure that a group is present

Parameters:
  • name (str) -- The name of the group to manage

  • gid (str) -- The group id to assign to the named group; if left empty, then the next available group id will be assigned. Ignored on Windows.

  • system (bool) -- Whether or not the named group is a system group. This is essentially the '-r' option of 'groupadd'. Ignored on Windows.

  • addusers (list) -- List of additional users to be added as group members. Cannot conflict with names in delusers. Cannot be used in conjunction with members.

  • delusers (list) -- Ensure these users are removed from the group membership. Cannot conflict with names in addusers. Cannot be used in conjunction with members.

  • members (list) -- Replace existing group members with a list of new members. Cannot be used in conjunction with addusers or delusers.

  • non_unique (bool) --

    Allow creating groups with duplicate (non-unique) GIDs

    New in version 3006.0.

  • local (Only on systems with lgroupadd available) --

    Create the group account locally ignoring global account management (default is False).

    New in version 3007.0.

Example:

# Adds DOMAIN\db_admins and Administrators to the local db_admin group
# Removes Users
db_admin:
  group.present:
    - addusers:
      - DOMAIN\db_admins
      - Administrators
    - delusers:
      - Users

# Ensures only DOMAIN\domain_admins and the local Administrator are
# members of the local Administrators group. All other users are
# removed
Administrators:
  group.present:
    - members:
      - DOMAIN\domain_admins
      - Administrator
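
The parameter rules above (members excludes addusers/delusers, and addusers must not overlap delusers) can be checked before a state is applied. The following is an added example, not Salt's own code: `lint_group_states`, `exact_groups` and the sample data are hypothetical, and the input is assumed to be SLS data already parsed by a YAML loader. It also flags groups the caller wants pinned to an exact member list, since only members replaces existing membership.

```python
# Added example: lints parsed SLS data against the group.present parameter rules.
# lint_group_states and exact_groups are hypothetical names, not Salt APIs.

def _flatten(arg_list):
    """Merge Salt's list-of-single-key-dicts argument form into one dict."""
    merged = {}
    for item in arg_list or []:
        if isinstance(item, dict):
            merged.update(item)
    return merged


def lint_group_states(sls, exact_groups=()):
    """Return (state_id, message) tuples for rule violations in parsed SLS data."""
    findings = []
    for state_id, body in sls.items():
        if not isinstance(body, dict) or "group.present" not in body:
            continue  # e.g. a bare "group.absent" string or another state module
        args = _flatten(body["group.present"])
        group = args.get("name", state_id)  # the state ID is the group name by default
        add = args.get("addusers") or []
        rem = args.get("delusers") or []
        members = args.get("members")
        if members is not None and (add or rem):
            findings.append((state_id, "members used together with addusers/delusers"))
        overlap = sorted(set(add) & set(rem))
        if overlap:
            findings.append((state_id, "in both addusers and delusers: " + ", ".join(overlap)))
        # addusers only appends, so members left over from earlier changes stay in place.
        if group in exact_groups and members is None:
            findings.append((state_id, "membership not pinned with members"))
    return findings


# Constructed sample input, shaped as a YAML loader would return it.
SAMPLE = {
    "cheese": {"group.present": [{"gid": 7648}, {"system": True},
                                 {"addusers": ["user1", "users2"]}, {"delusers": ["foo"]}]},
    "bad_mix": {"group.present": [{"members": ["foo"]}, {"addusers": ["bar"]}]},
    "bad_overlap": {"group.present": [{"addusers": ["foo", "bar"]}, {"delusers": ["foo"]}]},
    "Administrators": {"group.present": [{"addusers": ["DOMAIN\\domain_admins"]}]},
    "db_admin": "group.absent",
}

if __name__ == "__main__":
    for state_id, message in lint_group_states(SAMPLE, {"Administrators"}):
        print(f"{state_id}: {message}")
```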