Salt: [win_lgpo] Internet Communication settings policies

@twangboy can you help with this?

Thanks,
Daniel

@mike2523 You have a couple options here. One is to use set the return_full_policy_names option to False in your get command and use the short name instead. Mine shows the following:

        Microsoft.Policies.InternetCommunicationManagement:
            ----------
            ShellRemoveOrderPrints_1:
                Enabled
            ShellRemoveOrderPrints_2:
                Enabled
            ShellRemovePublishToWeb_1:
                Enabled
            ShellRemovePublishToWeb_2:
                Enabled

I had to enable them in order to get them to show up. This looks weird to me as each setting has 2 actual items that are set. I tried creating a state for this but couldn't figure it out. @lomeroe, do you know how to do it with the short names in this scenario?

The other option is to try to figure out the proper escaping in the .sls file using the long name. This worked for me. Turns out, you don't need the whole path. I was able to set the policy using the following:

internet_communications_settings:
  lgpo.set:
    - computer_policy:
        Turn off the "Order Prints" picture task: Enabled
        Turn off the "Publish to Web" task for files and folders: Enabled

@twangboy - Your suggestion worked! Thank you!

     Changes:
              ----------
              new:
                  ----------
                  Computer Configuration:
                      ----------
                      System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task:
                          Enabled
                      System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders:
                          Enabled
              old:
                  ----------
                  Computer Configuration:
                      ----------

Summary for local
------------
Succeeded: 1 (changed=1)

@mike2523 So can we close this issue?

Closing.

You can use lgpo.get_policy_info to get all the possible names that could be used in an SLS or command (along with elements that need to be set/etc). The key is to match the text you see in the gpedit.msc gui exactly (such as the quotes around "Order Prints" which were missing in your first example). The "full path" style is really only needed when there are multiple policies that use the same base name (like 'Access data sources across domains', which exists in like 10 different paths [if you put that through get_policy_info you'll get back a message that it is used for multiple policies and you need to be more specific]).

PS>salt-call lgpo.get_policy_info ShellRemoveOrderPrints_2 machine
local:
    ----------
    message:
    policy_aliases:
        - Turn off the "Order Prints" picture task
        - ShellRemoveOrderPrints_2
        - System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
    policy_class:
        machine
    policy_elements:
    policy_found:
        True
    policy_name:
        ShellRemoveOrderPrints_2
    rights_assignment:
        False

Escaping can get tricky in shell/powershell (powershell escaping needed shown here):

PS>salt-call lgpo.get_policy_info "Turn off the `\`"Order Prints`\`" picture task" machine
local:
    ----------
    message:
    policy_aliases:
        - Turn off the "Order Prints" picture task
        - ShellRemoveOrderPrints_2
        - System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
    policy_class:
        machine
    policy_elements:
    policy_found:
        True
    policy_name:
        Turn off the "Order Prints" picture task
    rights_assignment:
        False

Any of these should be usable then:

internet_communications_settings:
  lgpo.set:
    - computer_policy:
        Turn off the "Order Prints" picture task: Enabled

internet_communications_settings:
  lgpo.set:
    - computer_policy:
        ShellRemoveOrderPrints_2: Enabled

When using the full path, I always use single quotes around the path:

internet_communications_settings:
  lgpo.set:
    - computer_policy:
        'System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task': 'Enabled'

If you struggle to find the policy from get_policy_info using the name as you see in gpedit.msc, the names such as "ShellRemoveOrderPrints_2" come from the admx files. If you know nothing about admx/adml relationships (ADML holds what you see in the GUI, ADMX holds the more technical details), then this may be a little bit too much info, but here is an example with the above policy:

PS>get-childitem -path C:\windows\PolicyDefinitions -recurse -filter *.adml | select-string "Order Prints"

C:\windows\PolicyDefinitions\en-US\ICM.adml:152:      <string id="ShellRemoveOrderPrints">Turn off the "Order Prints" picture task</string>
C:\windows\PolicyDefinitions\en-US\ICM.adml:153:      <string id="ShellRemoveOrderPrints_Help">This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.
C:\windows\PolicyDefinitions\en-US\ICM.adml:155:The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.
C:\windows\PolicyDefinitions\en-US\ICM.adml:157:If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.

from this grep, we can see id "ShellRemoveOrderPrints" is the ID of the string used to describe this policy, then we search for it in the ADMX

PS>get-childitem -path C:\windows\PolicyDefinitions -recurse -filter *.admx | select-string "ShellRemoveOrderPrints"

C:\windows\PolicyDefinitions\ICM.admx:661:    <policy name="ShellRemoveOrderPrints_1" class="User" displayName="$(string.ShellRemoveOrderPrints)" explainText="$(string.ShellRemoveOrderPrints_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoOnlinePrintsWizard">

C:\windows\PolicyDefinitions\ICM.admx:671:    <policy name="ShellRemoveOrderPrints_2" class="Machine" displayName="$(string.ShellRemoveOrderPrints)" explainText="$(string.ShellRemoveOrderPrints_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoOnlinePrintsWizard">

Now we have two to pick from and if you notice the 'class="Machine"' and 'class="User"' (which details if it is a computer policy or user policy respectively) the ShellRemoveOrderPrints_2 is the "short name" we could use to pass through get_policy_info to see what the module itself is expecting.

I wish I could bookmark this ^^^^

I already added this to our wiki!
@lomeroe you da real mvp!