As I mentioned in my previous article on Puppet, the Puppet service cannot really work using the System account but requires a technical account.
Luckily Puppet can be run manually via puppet agent --test. This can be used to make Puppet create and configure the required technical account.
First you need this: https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0
Distribute it to all clients via Puppet:
class configuration::ntrights {
  if $operatingsystem == 'windows' {
    file { 'C:\Windows\Temp\UserRights.ps1':
      ensure             => file,
      source_permissions => ignore,
      source             => 'puppet:///files/UserRights.ps1',
    }#file
  }#if
}#class
Then distribute and run the following PowerShell script:
$sPuppetUser = "Puppet"
$pathUserRightsScript = "C:\Windows\Temp\UserRights.ps1"
if (!(Test-Path $pathUserRightsScript)) {return}
if (!([Environment]::UserName.Equals($sPuppetUser))) {
    # find out if Puppet user exists
    net user $sPuppetUser
    if ($?) {return}
    # if Puppet user does not exist, create it
    $sPassword = SomeCleverFunctionOfYoursToCreatePassword
    net user $sPuppetUser $sPassword /add
    net localgroup "Administrators" /add $sPuppetUser
    # configure Puppet service
    . $pathUserRightsScript
    Grant-UserRight $sPuppetUser "SeServiceLogonRight"
    $puppetservice = Get-WmiObject Win32_Service | Where-Object {$_.Name -eq "Puppet"}
    $puppetservice.Change($null, $null, $null, $null, $null, $null, ".\$sPuppetUser", $sPassword, $null, $null, $null)
    Set-Service "Puppet" -StartupType "Automatic"
    Restart-Service "Puppet"
}#if
# hide puppet user
$pathUserListKey = "HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
New-Item $pathUserListKey -Force
New-ItemProperty $pathUserListKey $sPuppetUser -Value 0
Note that you have to write your own function to create a password to your liking. My algorithm isn't very good so I will not publish it. Also note that there is a space between "Windows" and "NT" in "Microsoft\Windows NT\CurrentVersion" which I left out above to make the text more readable!
Distribute the script like this:
class configuration::configure_puppet_windows_user {
  if $operatingsystem == 'windows' {
    file { 'C:\Windows\Temp\ConfigurePuppetUser.ps1':
      ensure             => file,
      source_permissions => ignore,
      source             => 'puppet:///files/ConfigurePuppetUser.ps1',
      before             => Exec['configure_puppet_user'],
    }#file
    exec { 'configure_puppet_user':
      require => File['C:\Windows\Temp\ConfigurePuppetUser.ps1'],
      command => 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -file C:\Windows\Temp\ConfigurePuppetUser.ps1',
    }#exec
  }#if
}#class
Note that the command => line of the exec resource is a single line, even if it wraps here.
What this does:
- If the current user is not "puppet", i.e. when you run puppet agent --test manually, and the user "puppet" does not exist, the script will
  - create the local user "puppet" and set its password
  - add the user "puppet" to the local administrators group
  - grant the user the right to log on as a service via the UserRights.ps1 file mentioned above
  - configure the service "Puppet" to run with this new user and password
  - configure the service to start automatically
  - restart the service
- Either way it will hide the "puppet" user from the login screen
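To verify that a client actually ended up in the state described above, here is a check script I am adding as an example; it is not part of the original post or of Puppet. It assumes the names used above (service "Puppet", local user "Puppet", the Winlogon UserList key with the real "Windows NT" spelling) and must run elevated because it exports the local security policy with secedit.

```powershell
# Added example: verify the end state left by ConfigurePuppetUser.ps1.
# Assumed names (taken from the post, adjust if you renamed them):
$sPuppetUser = "Puppet"
$sServiceName = "Puppet"
$pathUserListKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

function Test-PuppetServiceAccount {
    $results = @{}

    # 1. the technical account exists as a local account
    $account = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$sPuppetUser'"
    $results["UserExists"] = ($null -ne $account)

    # 2. the service runs as the local Puppet user (".\Puppet" or "HOST\Puppet") and starts automatically
    $svc = Get-WmiObject Win32_Service -Filter "Name='$sServiceName'"
    $expected = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\' + [regex]::Escape($sPuppetUser) + '$'
    $results["ServiceRunsAsPuppet"] = ($null -ne $svc -and $svc.StartName -match $expected)
    $results["ServiceStartAuto"]   = ($null -ne $svc -and $svc.StartMode -eq "Auto")

    # 3. the account holds SeServiceLogonRight: export the local policy and
    #    look for the account's SID on the SeServiceLogonRight line
    $results["HasServiceLogonRight"] = $false
    if ($account) {
        $tmp = Join-Path $env:TEMP "userrights.inf"
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Get-Content $tmp | Where-Object { $_ -match '^SeServiceLogonRight' } | Select-Object -First 1
        if ($line -and $line -match [regex]::Escape($account.SID)) {
            $results["HasServiceLogonRight"] = $true
        }
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }

    # 4. the account is hidden from the logon screen (value 0 under UserList)
    $hidden = Get-ItemProperty -Path $pathUserListKey -Name $sPuppetUser -ErrorAction SilentlyContinue
    $results["HiddenFromLogonScreen"] = ($null -ne $hidden -and $hidden.$sPuppetUser -eq 0)

    return $results
}

$r = Test-PuppetServiceAccount
$r.GetEnumerator() | Sort-Object Name | ForEach-Object { "{0,-24} {1}" -f $_.Name, $_.Value }
# non-zero exit if any check failed, so the script can also serve as an onlyif/unless test
if ($r.Values -contains $false) { exit 1 }
```

Because it exits non-zero on any failed check, the same script can be used as the onlyif condition of the configure_puppet_user exec so that the configuration script only reruns on clients where something is missing.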
I hope this keeps working. Use it if you will.
Puppet Labs documentation: Type Reference
Puppet Labs documentation: Overview of Puppet on Windows
Instant Puppet 3 Starter: an eBook I find usable (The publisher gave me this discount code to share: ALLEBKS50)