Akom's Tech Ruminations

Various tech outbursts - code and solutions to practical problems

Disabling Windows Recycle Bin with Puppet on all versions of Windows

Posted by Admin • Thursday, March 22. 2018 • Category: DevOps

And when I say "All versions of Windows" I mean that I tested it on Server 2008, 2012 and 2016.



This was oddly hard to figure out, and most tutorials either apply to only one version of windows or to outdated tools. The best way to do this that I found was using Local Group Policy. Now, how to automate this? The puppet localgrouppolicy module didn't work at all when I tried it (and has not been updated since 2014). The proper way to do this is of course with a Domain-based Group Policy, but my machines are not members of a domain.



Fortunately, there is a new Microsoft tool called LGPO that allows for some degree of command-line control of the Local Group Policy. Download "LGPO.exe" here.

First, let's make a reusable policy text file that we can import on all machines:

  1. take a vanilla Windows machine that hasn't had any Group Policy customization, and use lgpo.exe to export the policy: "lgpo.exe /v /parse /u c:\windows\system32\GroupPolicy\User\Registry.pol" (at least that was appropriate in my case). You should get more or less empty output.
  2. Then use the Local Group Policy Editor to change "Do not move deleted files to the Recycle bin" (under User Configuration -> Administrative Tools -> All Settings) to "Enabled"
  3. Repeat step 1. You should see this one setting that you changed in the output. Redirect output to a file, this will be our text file
  4. You can test that importing this file will change the setting: "lgpo /r myfile.txt". (Change the setting back first, run this, then re-open the Local Group Policy Editor to see the change)

Now, we can set up puppet:


  1. Add this file to your puppet module's files/ subdirectory
  2. Add lgpo.exe as well unless you plan to distribute it to your windows machines some other way
  3. Let's make a class to apply it (below)

class recyclebin_config {

  $lgpo_path = "c:\\windows\\system32\\LGPO.exe"

  # install lgpo for local group policy command-line management
  file{$lgpo_path:
    source => "puppet:///modules/${module_name}/LGPO.exe",
  }

  #relies on this text files being in recyclebin_config/files/
  file{"c:\\temp\\disable-recyclebin.txt":
    source => "puppet:///modules/${module_name}/disable-recyclebin.txt",
    notify => Exec['Import disable recycle bin file'],
  }

  exec{'Import disable recycle bin file':
    command => "${lgpo_path} /t c:\\temp\\disable-recyclebin.txt",
    refreshonly => true, # only run if the text file changes
  }

}
 

For the record, here is the text file I got out of lgpo:


; ----------------------------------------------------------------------

; PARSING User POLICY
; Source file:  c:\Windows\System32\GroupPolicy\User\Registry.pol

User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecycleFiles
DWORD:1
 

0 Trackbacks

  1. No Trackbacks

0 Comments

Display comments as (Linear | Threaded)
  1. No comments

Add Comment


You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
Markdown format allowed


Submitted comments will be subject to moderation before being displayed.