Configure Puppet User via Puppet

As I mentioned in my previous article on Puppet the Puppet service cannot really work using the System account but requires a technical account.

Luckily Puppet can be run manually via pupet agent --test. This can be used to make Puppet create and configure this required technical account.

First you need this:

Distribute it to all clients via Puppet:

class configuration::ntrights {
  if $operatingsystem == 'windows' {
    file { 'C:\Windows\Temp\UserRights.ps1':
      ensure => file,
      source_permissions => ignore,
      source => 'puppet:///files/UserRights.ps1',

Then distribute and run the following PowerShell script:

$sPuppetUser = "Puppet"
$pathUserRightsScript = "C:\Windows\Temp\UserRights.ps1"
if (!(Test-Path $pathUserRightsScript)) {return}
if (!([Environment]::UserName.Equals($sPuppetUser))) {
 # find out if Puppet user exists
 net user $sPuppetUser
 if ($?) {return}
 # if Puppet user does not exist, create it
$sPassword = SomeCleverFunctionOfYoursToCreatePassword
 net user $sPuppetUser $sPassword /add
 net localgroup "Administrators" /add $sPuppetUser
# configure Puppet service
 . $pathUserRightsScript
Grant-UserRight $sPuppetUser "SeServiceLogonRight"
 $puppetservice = Get-WmiObject Win32_Service | Where-Object {$_.Name -eq "Puppet"}
 $puppetservice.Change($null, $null, $null, $null, $null, $null, ".\$sPuppetUser", $sPassword, $null, $null, $null)
Set-Service "Puppet" -StartupType "Automatic"
 Restart-Service "Puppet"

# hide puppet user
$pathUserListKey = "HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
New-Item $pathUserListKey -Force
New-ItemProperty $pathUserListKey $sPuppetUser -Value 0

Note that you have to write your own function to create a password to your liking. My algorithm isn't very good so I will not publish it. Also note that there is a space between "Windows" and "NT" in "Microsoft\Windows NT\CurrentVersion" which I left out above to make the text more readable!

Distribute the script like this:

class configuration::configure_puppet_windows_user {
  if $operatingsystem == 'windows' {
    file { 'C:\Windows\Temp\ConfigurePuppetUser.ps1':
      ensure => file,
      source_permissions => ignore,
      source => 'puppet:///files/ConfigurePuppetUser.ps1',
      before => Exec['configure_puppet_user'],
    exec { 'configure_puppet_user':
      require => File['C:\Windows\Temp\ConfigurePuppetUser.ps1'],
command => 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -file C:\Windows\Temp\ConfigurePuppetUser.ps1',

Note that the text marked red is one line.

What this does:

  • If the current user is not "puppet", i.e. when you run puppet agent --test manually, the script will, if the user "puppet" does not exist
    • create the local user "puppet" and set its password
    • add the user "puppet" to the local administrators group
    • grant the user the right to log on as a service via the UserRight.ps1 file mentioned above
    • configure the service "Puppet" to run with this new user and password
    • configure the service to start automatically
    • restart the service
  • either way it will hide the "puppet" user from the login screen

I hope this keeps working. Use it if you will.

Puppet Labs documentation: Type Reference

Puppet Labs documentation: Overview of Puppet on Windows

Instant Puppet 3 Starter: an eBook I find usable (The publisher gave me this discount code to share: ALLEBKS50)

 © Andrew Brehm 2016