salt/tests/integration/modules/test_win_lgpo.py

# -*- coding: utf-8 -*-

from __future__ import absolute_import, print_function, unicode_literals

import io
import logging
import os
import re

import salt.utils.files
import salt.utils.platform
import salt.utils.win_reg as reg
from tests.support.case import ModuleCase
from tests.support.helpers import destructiveTest, random_string
from tests.support.runtests import RUNTIME_VARS
from tests.support.unit import skipIf

log = logging.getLogger(__name__)


@skipIf(not salt.utils.platform.is_windows(), "windows test only")
class WinLgpoTest(ModuleCase):
    """
    Tests for salt.modules.win_lgpo
    """

    osrelease = None

    def _testRegistryPolicy(
        self,
        policy_name,
        policy_config,
        registry_value_hive,
        registry_value_path,
        registry_value_vname,
        expected_value_data,
    ):
        """
        Takes a registry based policy name and config and validates that the
        expected registry value exists and has the correct data

        policy_name
            name of the registry based policy to configure
        policy_config
            the configuration of the policy
        registry_value_hive
            the registry hive that the policy registry path is in
        registry_value_path
            the registry value path that the policy updates
        registry_value_vname
            the registry value name
        expected_value_data
            the expected data that the value will contain
        """
        ret = self.run_function(
            "lgpo.set_computer_policy", (policy_name, policy_config)
        )
        self.assertTrue(ret)
        val = reg.read_value(
            hive=registry_value_hive,
            key=registry_value_path,
            vname=registry_value_vname,
        )
        self.assertTrue(
            val["success"],
            msg="Failed to obtain the registry data for policy {0}".format(policy_name),
        )
        if val["success"]:
            self.assertEqual(
                val["vdata"],
                expected_value_data,
                "The registry value data {0} does not match the expected value {1} for policy {2}".format(
                    val["vdata"], expected_value_data, policy_name
                ),
            )

    def _testSeceditPolicy(
        self,
        policy_name,
        policy_config,
        expected_regexes,
        cumulative_rights_assignments=True,
    ):
        """
        Takes a secedit policy name and config and validates that the expected
        output is returned from secedit

        policy_name
            name of the secedit policy to configure
        policy_config
            the configuration of the policy
        expected_regexes
            the expected regexes to be found in the secedit output file
        """
        ret = self.run_function(
            "lgpo.set_computer_policy",
            (policy_name, policy_config),
            cumulative_rights_assignments=cumulative_rights_assignments,
        )
        self.assertTrue(ret)
        secedit_output_file = os.path.join(
            RUNTIME_VARS.TMP, random_string("secedit-output-")
        )
        secedit_output = self.run_function(
            "cmd.run", (), cmd="secedit /export /cfg {0}".format(secedit_output_file)
        )
        secedit_file_content = None
        if secedit_output:
            with io.open(secedit_output_file, encoding="utf-16") as _reader:
                secedit_file_content = _reader.read()
        for expected_regex in expected_regexes:
            match = re.search(
                expected_regex, secedit_file_content, re.IGNORECASE | re.MULTILINE
            )
            self.assertIsNotNone(
                match,
                'Failed validating policy "{0}" configuration, regex "{1}" not found in secedit output'.format(
                    policy_name, expected_regex
                ),
            )

    def _testAdmxPolicy(
        self,
        policy_name,
        policy_config,
        expected_regexes,
        assert_true=True,
        policy_class="Machine",
    ):
        """
        Takes a ADMX policy name and config and validates that the expected
        output is returned from lgpo looking at the Registry.pol file

        policy_name
            name of the ADMX policy to configure
        policy_config
            the configuration of the policy
        expected_regexes
            the expected regexes to be found in the lgpo parse output
        assert_true
            set to false if expecting the module run to fail
        policy_class
            the policy class this policy belongs to, either Machine or User
        """
        lgpo_function = "set_computer_policy"
        lgpo_class = "/m"
        lgpo_folder = "Machine"
        if policy_class.lower() == "user":
            lgpo_function = "set_user_policy"
            lgpo_class = "/u"
            lgpo_folder = "User"

        ret = self.run_function(
            "lgpo.{0}".format(lgpo_function), (policy_name, policy_config)
        )
        log.debug("lgpo set_computer_policy ret == %s", ret)
        cmd = [
            "lgpo.exe",
            "/parse",
            lgpo_class,
            r"c:\Windows\System32\GroupPolicy\{}\Registry.pol".format(lgpo_folder),
        ]
        if assert_true:
            self.assertTrue(ret)
            lgpo_output = self.run_function("cmd.run", (), cmd=" ".join(cmd))
            # validate that the lgpo output doesn't say the format is invalid
            self.assertIsNone(
                re.search(r"Invalid file format\.", lgpo_output, re.IGNORECASE),
                msg="Failed validating Registry.pol file format",
            )
            # validate that the regexes we expect are in the output
            for expected_regex in expected_regexes:
                match = re.search(expected_regex, lgpo_output, re.IGNORECASE)
                self.assertIsNotNone(
                    match,
                    msg='Failed validating policy "{0}" configuration, regex '
                    '"{1}" not found in lgpo output:\n{2}'
                    "".format(policy_name, expected_regex, lgpo_output),
                )
        else:
            # expecting it to fail
            self.assertNotEqual(ret, True)

    def runTest(self):
        """
        runTest method
        """

    @classmethod
    def setUpClass(cls):
        """
        class setup function, only runs once

        downloads and extracts the lgpo.exe tool into c:/windows/system32
        for use in validating the registry.pol files

        gets osrelease grain for tests that are only applicable to certain
        windows versions
        """
        osrelease_grains = cls().run_function("grains.item", ["osrelease"])
        if "osrelease" in osrelease_grains:
            cls.osrelease = osrelease_grains["osrelease"]
        else:
            log.debug("Unable to get osrelease grain")
        if not os.path.exists(r"c:\windows\system32\lgpo.exe"):
            log.debug("lgpo.exe does not exist, attempting to download/extract")
            ret = cls().run_function(
                "state.single",
                ("archive.extracted", r"c:\windows\system32"),
                source="https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip",
                archive_format="zip",
                source_hash="sha256=6ffb6416366652993c992280e29faea3507b5b5aa661c33ba1af31f48acea9c4",
                enforce_toplevel=False,
            )
            log.debug("ret from archive.unzip == %s", ret)

    @destructiveTest
    def test_set_user_policy_point_and_print_restrictions(self):
        """
        Test setting/unsetting/changing the PointAndPrint_Restrictions user policy
        """
        # Disable Point and Print Restrictions
        self._testAdmxPolicy(
            r"Control Panel\Printers\Point and Print Restrictions",
            "Disabled",
            [
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*Restricted[\s]*DWORD:0",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*TrustedServers[\s]*DELETE",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*ServerList[\s]*DELETE",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*InForest[\s]*DELETE",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*NoWarningNoElevationOnInstall[\s]*DELETE",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*UpdatePromptSettings[\s]*DELETE",
            ],
            policy_class="User",
        )
        # Enable Point and Print Restrictions
        self._testAdmxPolicy(
            r"Point and Print Restrictions",
            {
                "Users can only point and print to these servers": True,
                "Enter fully qualified server names separated by semicolons": "fakeserver1;fakeserver2",
                "Users can only point and print to machines in their forest": True,
                "When installing drivers for a new connection": "Show warning and elevation prompt",
                "When updating drivers for an existing connection": "Show warning only",
            },
            [
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*Restricted[\s]*DWORD:1",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*TrustedServers[\s]*DWORD:1",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*ServerList[\s]*SZ:fakeserver1;fakeserver2",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*InForest[\s]*DWORD:1",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*NoWarningNoElevationOnInstall[\s]*DWORD:0",
                r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*UpdatePromptSettings[\s]*DWORD:1",
            ],
            policy_class="User",
        )
        # set Point and Print Restrictions to 'Not Configured'
        self._testAdmxPolicy(
            r"Control Panel\Printers\Point and Print Restrictions",
            "Not Configured",
            [
                r"; Source file:  c:\\windows\\system32\\grouppolicy\\user\\registry.pol[\s]*; PARSING COMPLETED."
            ],
            policy_class="User",
        )

    @destructiveTest
    def test_set_computer_policy_NTP_Client(self):
        """
        Test setting/unsetting/changing NTP Client policies
        """
        # Disable Configure NTP Client
        self._testAdmxPolicy(
            r"System\Windows Time Service\Time Providers\Configure Windows NTP Client",
            "Disabled",
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*NtpServer[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*Type[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*CrossSiteSyncFlags[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMinutes[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMaxTimes[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*SpecialPollInterval[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*EventLogFlags[\s]*DELETE",
            ],
        )
        # Enable Configure NTP Client
        self._testAdmxPolicy(
            r"System\Windows Time Service\Time Providers\Configure Windows NTP Client",
            {
                "NtpServer": "time.windows.com,0x9",
                "Type": "NT5DS",
                "CrossSiteSyncFlags": 2,
                "ResolvePeerBackoffMinutes": 15,
                "ResolvePeerBackoffMaxTimes": 7,
                "W32TIME_SpecialPollInterval": 3600,
                "W32TIME_NtpClientEventLogFlags": 0,
            },
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*NtpServer[\s]*SZ:time.windows.com,0x9",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*Type[\s]*SZ:NT5DS",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*CrossSiteSyncFlags[\s]*DWORD:2",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMinutes[\s]*DWORD:15",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMaxTimes[\s]*DWORD:7",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*SpecialPollInterval[\s]*DWORD:3600",
                r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*EventLogFlags[\s]*DWORD:0",
            ],
        )
        # set Configure NTP Client to 'Not Configured'
        self._testAdmxPolicy(
            r"System\Windows Time Service\Time Providers\Configure Windows NTP Client",
            "Not Configured",
            [
                r"; Source file:  c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
            ],
        )

    @destructiveTest
    def test_set_computer_policy_RA_Unsolicit(self):
        """
        Test setting/unsetting/changing RA_Unsolicit policy
        """

        # Disable RA_Unsolicit
        log.debug("Attempting to disable RA_Unsolicit")
        self._testAdmxPolicy(
            "RA_Unsolicit",
            "Disabled",
            [
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:0",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DELETE",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*\*[\s]*DELETEALLVALUES",
            ],
        )
        # configure RA_Unsolicit
        log.debug("Attempting to configure RA_Unsolicit")
        self._testAdmxPolicy(
            "RA_Unsolicit",
            {
                "Configure Offer Remote Access": "Enabled",
                "Permit remote control of this computer": "Allow helpers to remotely control the computer",
                "Helpers": ["administrators", "user1"],
            },
            [
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*user1[\s]*SZ:user1[\s]*",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*administrators[\s]*SZ:administrators[\s]*",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:1",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DWORD:1",
            ],
        )
        # Not Configure RA_Unsolicit
        log.debug("Attempting to set RA_Unsolicit to Not Configured")
        self._testAdmxPolicy(
            "RA_Unsolicit",
            "Not Configured",
            [
                r"; Source file:  c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
            ],
        )

    @destructiveTest
    def test_set_computer_policy_Pol_HardenedPaths(self):
        # Disable Pol_HardenedPaths
        log.debug("Attempting to disable Pol_HardenedPaths")
        self._testAdmxPolicy(
            "Pol_HardenedPaths",
            "Disabled",
            [
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\*[\s]*DELETEALLVALUES"
            ],
        )
        # Configure Pol_HardenedPaths
        log.debug("Attempting to configure Pol_HardenedPaths")
        self._testAdmxPolicy(
            "Pol_HardenedPaths",
            {
                "Hardened UNC Paths": {
                    r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
                    r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
                }
            },
            [
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\\\\\*\\NETLOGON[\s]*SZ:RequireMutualAuthentication=1, RequireIntegrity=1[\s]*",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\\\\\*\\SYSVOL[\s]*SZ:RequireMutualAuthentication=1, RequireIntegrity=1[\s]*",
            ],
        )
        # Not Configure Pol_HardenedPaths
        log.debug("Attempting to set Pol_HardenedPaths to Not Configured")
        self._testAdmxPolicy(
            "Pol_HardenedPaths",
            "Not Configured",
            [
                r"; Source file:  c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
            ],
        )

    @destructiveTest
    def test_set_computer_policy_WindowsUpdate(self):
        """
        Test setting/unsetting/changing WindowsUpdate policy
        """
        # Configure Automatic Updates has different options in different builds
        # and releases of Windows, so we'll get the elements and add them if
        # they are present. Newer elements will need to be added manually as
        # they are released by Microsoft
        result = self.run_function(
            "lgpo.get_policy_info",
            ["Configure Automatic Updates"],
            policy_class="machine",
        )
        the_policy = {}
        the_policy_check_enabled = [
            r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:0",
        ]
        the_policy_check_disabled = [
            r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:1",
        ]
        for item in result["policy_elements"]:
            if "Configure automatic updating" in item["element_aliases"]:
                the_policy.update(
                    {
                        "Configure automatic updating": "4 - Auto download and schedule the install",
                    }
                )
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DWORD:4",
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DELETE",
                )
            elif "Install during automatic maintenance" in item["element_aliases"]:
                the_policy.update({"Install during automatic maintenance": True})
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DWORD:1\s*",
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DELETE",
                )
            elif "Scheduled install day" in item["element_aliases"]:
                the_policy.update({"Scheduled install day": "7 - Every Saturday"})
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DWORD:7",
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DELETE",
                )
            elif "Scheduled install time" in item["element_aliases"]:
                the_policy.update({"Scheduled install time": "17:00"})
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DWORD:17",
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DELETE",
                )
            elif (
                "Install updates for other Microsoft products"
                in item["element_aliases"]
            ):
                the_policy.update(
                    {"Install updates for other Microsoft products": True}
                )
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DWORD:1\s*"
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DELETE"
                )
            elif "AutoUpdateSchEveryWeek" in item["element_aliases"]:
                the_policy.update({"AutoUpdateSchEveryWeek": True})
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallEveryWeek[\s]*DWORD:1\s*"
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallEveryWeek[\s]*DELETE"
                )
            elif "First week of the month" in item["element_aliases"]:
                the_policy.update({"First week of the month": True})
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallFirstWeek[\s]*DWORD:1\s*"
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallFirstWeek[\s]*DELETE"
                )
            elif "Second week of the month" in item["element_aliases"]:
                the_policy.update({"Second week of the month": True})
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallSecondWeek[\s]*DWORD:1\s*"
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallSecondWeek[\s]*DELETE"
                )
            elif "Third week of the month" in item["element_aliases"]:
                the_policy.update({"Third week of the month": True})
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallThirdWeek[\s]*DWORD:1\s*"
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallThirdWeek[\s]*DELETE"
                )
            elif "Fourth week of the month" in item["element_aliases"]:
                the_policy.update({"Fourth week of the month": True})
                the_policy_check_enabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallFourthWeek[\s]*DWORD:1\s*"
                )
                the_policy_check_disabled.append(
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallFourthWeek[\s]*DELETE"
                )

        # enable Automatic Updates
        self._testAdmxPolicy(
            r"Windows Components\Windows Update\Configure Automatic Updates",
            the_policy,
            the_policy_check_enabled,
        )

        # disable Configure Automatic Updates
        self._testAdmxPolicy(
            r"Windows Components\Windows Update\Configure Automatic Updates",
            "Disabled",
            the_policy_check_disabled,
        )

        # set Configure Automatic Updates to 'Not Configured'
        self._testAdmxPolicy(
            r"Windows Components\Windows Update\Configure Automatic Updates",
            "Not Configured",
            [
                r"; Source file:  c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
            ],
        )

    @destructiveTest
    def test_set_computer_policy_ClipboardRedirection(self):
        """
        Test setting/unsetting/changing ClipboardRedirection policy
        """
        # Enable/Disable/Not Configured "Do not allow Clipboard redirection"
        self._testAdmxPolicy(
            r"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection",
            "Enabled",
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:1"
            ],
        )
        self._testAdmxPolicy(
            r"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection",
            "Disabled",
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0"
            ],
        )
        self._testAdmxPolicy(
            r"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection",
            "Not Configured",
            [
                r"; Source file:  c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
            ],
        )

    @destructiveTest
    def test_set_computer_policy_LockoutDuration(self):
        """
        Test setting LockoutDuration
        """
        # For LockoutDuration to be meaningful, first configure
        # LockoutThreshold
        self._testSeceditPolicy("LockoutThreshold", 3, [r"^LockoutBadCount = 3"])

        # Next set the LockoutDuration non-zero value, as this is required
        # before setting LockoutWindow
        self._testSeceditPolicy("LockoutDuration", 60, [r"^LockoutDuration = 60"])

        # Now set LockoutWindow to a valid value <= LockoutDuration. If this
        # is not set, then the LockoutDuration zero value is ignored by the
        # Windows API (leading to a false sense of accomplishment)
        self._testSeceditPolicy("LockoutWindow", 60, [r"^ResetLockoutCount = 60"])

        # set LockoutDuration zero value, the secedit zero value is -1
        self._testSeceditPolicy("LockoutDuration", 0, [r"^LockoutDuration = -1"])

    @destructiveTest
    def test_set_computer_policy_GuestAccountStatus(self):
        """
        Test setting/unsetting/changing GuestAccountStatus
        """
        # disable GuestAccountStatus
        self._testSeceditPolicy(
            "GuestAccountStatus", "Disabled", [r"^EnableGuestAccount = 0"]
        )
        # enable GuestAccountStatus
        self._testSeceditPolicy(
            "GuestAccountStatus", "Enabled", [r"^EnableGuestAccount = 1"]
        )

    @destructiveTest
    def test_set_computer_policy_PasswordComplexity(self):
        """
        Test setting/unsetting/changing PasswordComplexity
        """
        # disable PasswordComplexity
        self._testSeceditPolicy(
            "Password must meet complexity requirements",
            "Disabled",
            [r"^PasswordComplexity = 0"],
        )
        # enable PasswordComplexity
        self._testSeceditPolicy(
            "PasswordComplexity", "Enabled", [r"^PasswordComplexity = 1"]
        )

    @destructiveTest
    def test_set_computer_policy_PasswordLen(self):
        """
        Test setting/unsetting/changing PasswordLength
        """
        # set Minimum password length
        self._testSeceditPolicy(
            "Minimum password length", 10, [r"^MinimumPasswordLength = 10"]
        )
        # set MinimumPasswordLength = 0
        self._testSeceditPolicy("MinPasswordLen", 0, [r"^MinimumPasswordLength = 0"])

    @destructiveTest
    def test_set_computer_policy_SeNetworkLogonRight(self):
        """
        Test setting/unsetting/changing PasswordLength
        """
        # set SeNetworkLogonRight to only Administrators
        self._testSeceditPolicy(
            "Access this computer from the network",
            ["Administrators"],
            [r"^SeNetworkLogonRight = \*S-1-5-32-544"],
            cumulative_rights_assignments=False,
        )
        # set SeNetworkLogonRight back to the default
        self._testSeceditPolicy(
            "SeNetworkLogonRight",
            ["Everyone", "Administrators", "Users", "Backup Operators"],
            [
                r"^SeNetworkLogonRight = \*S-1-1-0,\*S-1-5-32-544,\*S-1-5-32-545,\*S-1-5-32-551"
            ],
        )

    @destructiveTest
    def test_set_computer_policy_multipleAdmxPolicies(self):
        """
        Tests setting several ADMX policies in succession and validating the configuration w/lgop
        """
        # set one policy
        self._testAdmxPolicy(
            r"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection",
            "Disabled",
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0"
            ],
        )

        # set another policy and make sure both this policy and the previous are okay
        self._testAdmxPolicy(
            "RA_Unsolicit",
            {
                "Configure Offer Remote Access": "Enabled",
                "Permit remote control of this computer": "Allow helpers to remotely control the computer",
                "Helpers": ["administrators", "user1"],
            },
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*user1[\s]*SZ:user1[\s]*",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*administrators[\s]*SZ:administrators[\s]*",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:1",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DWORD:1",
            ],
        )
        # Configure Automatic Updates and validate everything is still okay
        self._testAdmxPolicy(
            r"Windows Components\Windows Update\Configure Automatic Updates",
            "Disabled",
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*user1[\s]*SZ:user1[\s]*",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*administrators[\s]*SZ:administrators[\s]*",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:1",
                r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DWORD:1",
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:1",
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DELETE",
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DELETE",
            ],
        )

    @destructiveTest
    def test_set_computer_policy_DisableDomainCreds(self):
        """
        Tests Enable/Disable of DisableDomainCreds policy
        """
        self._testRegistryPolicy(
            policy_name="DisableDomainCreds",
            policy_config="Enabled",
            registry_value_hive="HKEY_LOCAL_MACHINE",
            registry_value_path="SYSTEM\\CurrentControlSet\\Control\\Lsa",
            registry_value_vname="DisableDomainCreds",
            expected_value_data=1,
        )
        self._testRegistryPolicy(
            policy_name="Network access: Do not allow storage of passwords and credentials for network authentication",
            policy_config="Disabled",
            registry_value_hive="HKEY_LOCAL_MACHINE",
            registry_value_path="SYSTEM\\CurrentControlSet\\Control\\Lsa",
            registry_value_vname="DisableDomainCreds",
            expected_value_data=0,
        )

    @destructiveTest
    def test_set_computer_policy_ForceGuest(self):
        """
        Tests changing ForceGuest policy
        """
        self._testRegistryPolicy(
            policy_name="ForceGuest",
            policy_config="Guest only - local users authenticate as Guest",
            registry_value_hive="HKEY_LOCAL_MACHINE",
            registry_value_path="SYSTEM\\CurrentControlSet\\Control\\Lsa",
            registry_value_vname="ForceGuest",
            expected_value_data=1,
        )
        self._testRegistryPolicy(
            policy_name="Network access: Sharing and security model for local accounts",
            policy_config="Classic - local users authenticate as themselves",
            registry_value_hive="HKEY_LOCAL_MACHINE",
            registry_value_path="SYSTEM\\CurrentControlSet\\Control\\Lsa",
            registry_value_vname="ForceGuest",
            expected_value_data=0,
        )

    @destructiveTest
    def test_set_computer_policy_DisableUXWUAccess(self):
        """
        Tests changing DisableUXWUAccess
        #50079 shows using the 'Remove access to use all Windows Update features' failed
        Policy only exists on 2016
        """
        valid_osreleases = ["2016Server"]
        if self.osrelease not in valid_osreleases:
            self.skipTest(
                "DisableUXWUAccess policy is only applicable if the osrelease grain is {0}".format(
                    " or ".join(valid_osreleases)
                )
            )
        else:
            self._testAdmxPolicy(
                r"DisableUXWUAccess",
                "Enabled",
                [
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetDisableUXWUAccess[\s]*DWORD:1"
                ],
            )
            self._testAdmxPolicy(
                r"Remove access to use all Windows Update features",
                "Disabled",
                [
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetDisableUXWUAccess[\s]*DWORD:0"
                ],
            )
            self._testAdmxPolicy(
                r"Windows Components\Windows Update\Remove access to use all Windows Update features",
                "Not Configured",
                [
                    r"; Source file:  c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
                ],
            )

    @destructiveTest
    def test_set_computer_policy_Access_data_sources_across_domains(self):
        """
        Tests that a policy that has multiple names
        """
        self._testAdmxPolicy(
            r"Access data sources across domains", "Enabled", [], assert_true=False
        )
        self._testAdmxPolicy(
            r"Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Access data sources across domains",
            {"Access data sources across domains": "Prompt"},
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DWORD:1"
            ],
        )
        self._testAdmxPolicy(
            r"Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Access data sources across domains",
            {"Access data sources across domains": "Enable"},
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DWORD:0"
            ],
        )
        self._testAdmxPolicy(
            r"Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Access data sources across domains",
            "Disabled",
            [
                r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DELETE"
            ],
        )

    @destructiveTest
    def test_set_computer_policy_ActiveHours(self):
        """
        Test configuring the ActiveHours policy, #47784
        Only applies to 2016Server
        # activehours.sls
            active_hours_policy:
              lgpo.set:
                - computer_policy:
                    'ActiveHours':
                        'ActiveHoursStartTime': '8 AM'
                        'ActiveHoursEndTime': '7 PM'
        """
        valid_osreleases = ["2016Server"]
        if self.osrelease not in valid_osreleases:
            self.skipTest(
                "ActiveHours policy is only applicable if the osrelease grain is {0}".format(
                    " or ".join(valid_osreleases)
                )
            )
        else:
            self._testAdmxPolicy(
                r"ActiveHours",
                {"ActiveHoursStartTime": "8 AM", "ActiveHoursEndTime": "7 PM"},
                [
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:1",
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DWORD:8",
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DWORD:19",
                ],
            )
            self._testAdmxPolicy(
                r"ActiveHours",
                {"ActiveHoursStartTime": "5 AM", "ActiveHoursEndTime": "10 PM"},
                [
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:1",
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DWORD:5",
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DWORD:22",
                ],
            )
            self._testAdmxPolicy(
                "Turn off auto-restart for updates during active hours",
                "Disabled",
                [
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:0",
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DELETE",
                    r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DELETE",
                ],
            )
            self._testAdmxPolicy(
                r"Windows Components\Windows Update\Turn off auto-restart for updates during active hours",
                "Not Configured",
                [
                    r"; Source file:  c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
                ],
            )

    @destructiveTest
    def test_set_computer_policy_AllowTelemetry(self):
        """
        Tests that a the AllowTelemetry policy is applied correctly and that it
        doesn't appear in subsequent group policy states as having changed
        """
        valid_osreleases = ["10", "2016Server", "2019Server"]
        if self.osrelease not in valid_osreleases:
            self.skipTest(
                "Allow Telemetry policy is only applicable if the "
                "osrelease grain is {0}".format(" or ".join(valid_osreleases))
            )
        else:
            self._testAdmxPolicy(
                "Allow Telemetry",
                {"AllowTelemetry": "1 - Basic"},
                [
                    r"Software\\Policies\\Microsoft\\Windows\\DataCollection[\s]*AllowTelemetry[\s]*DWORD:1"
                ],
                assert_true=True,
            )
            # This policy does not exist on newer Windows builds
            result = self.run_function(
                "lgpo.get_policy_info",
                ["Disable pre-release features or settings"],
                policy_class="machine",
            )
            if result["policy_found"]:
                result = self.run_function(
                    "state.single",
                    ["lgpo.set"],
                    name="state",
                    computer_policy={
                        "Disable pre-release features or settings": "Disabled"
                    },
                )
                name = "lgpo_|-state_|-state_|-set"
                expected = {
                    "new": {
                        "Computer Configuration": {
                            "Disable pre-release features or settings": "Disabled"
                        }
                    },
                    "old": {
                        "Computer Configuration": {
                            "Disable pre-release features or settings": "Not Configured"
                        }
                    },
                }
                self.assertDictEqual(result[name]["changes"], expected)
            else:
                result = self.run_function(
                    "lgpo.get_policy_info",
                    ["Manage preview builds"],
                    policy_class="machine",
                )
                if result["policy_found"]:
                    result = self.run_function(
                        "state.single",
                        ["lgpo.set"],
                        name="state",
                        computer_policy={"Manage preview builds": "Disabled"},
                    )
                    name = "lgpo_|-state_|-state_|-set"
                    expected = {
                        "new": {
                            "Computer Configuration": {
                                "Manage preview builds": "Disabled"
                            }
                        },
                        "old": {
                            "Computer Configuration": {
                                "Manage preview builds": "Not Configured"
                            }
                        },
                    }
                    self.assertDictEqual(result[name]["changes"], expected)

    def tearDown(self):
        """
        tearDown method, runs after each test
        """
        self.run_state(
            "file.absent",
            name="c:\\windows\\system32\\grouppolicy\\machine\\registry.pol",
        )
        self.run_state(
            "file.absent", name="c:\\windows\\system32\\grouppolicy\\user\\registry.pol"
        )