The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Feature #13249

Windows ACL support

Added by Josh Cooper about 4 years ago. Updated over 2 years ago.

Status:AcceptedStart date:03/20/2012
Priority:NormalDue date:
Assignee:-% Done:


Target version:-
Affected Puppet version: Branch:
Keywords:windows acl security

We've Moved!

Ticket tracking is now hosted in JIRA:

This ticket is now tracked at:


Puppet’s current implementation of mapping POSIX modes to Windows ACLs has some limitations.

  • Puppet can only assign permissions to owner and group, but it’s common practice on Windows systems to set full control to Administrators, LocalSystem, and Users, which is more than can be represented in our model, without creating a local group.
  • Puppet doesn’t support deny access control entries

Puppet should support setting multiple access control entries, deny/allow aces, and inheritance. See for common permissions.

Another option would be to express permissions in terms of SDDL, but that is likely overkill.

Related issues

Related to Puppet - Feature #1033: support for file system acls on the file type Closed
Duplicated by Puppet - Bug #22051: Windows mode bits are not handled symmetrically Duplicate


#1 Updated by Anonymous about 4 years ago

It would be ideal to address this in a portable way, which was inclusive of the needs of POSIX ACLs – zfs, Linux, and Solaris !zfs, I think would cover it there. Not necessarily the same code handling it, but any abstraction in our type system defined so that it will support the needs of all the platforms.

#2 Updated by Josh Cooper over 3 years ago

  • Keywords set to windows acl security

#5 Updated by Rob Reynolds over 2 years ago

If you are watching this issue, please feel free to jump in the recent discussion at

#6 Updated by Eric Badger over 2 years ago

Redmine Issue #13249 has been migrated to JIRA:

#7 Updated by Rob Reynolds over 2 years ago

Will link the actual issue link. Prior to the Jira migrator, some tickets were created in both places… PUP-260

Also available in: Atom PDF