chef 15.11.3-universal-mingw32 → 16.1.16-universal-mingw32

data/lib/chef/resource/windows_service.rb

@@ -36,46 +36,57 @@ class Chef
       provides(:windows_service) { true }
       provides :service, os: "windows"
 
-      description "Use the windows_service resource to create, delete, or manage a service on the Microsoft Windows platform."
+      description "Use the **windows_service** resource to create, delete, or manage a service on the Microsoft Windows platform."
       introduced "12.0"
 
       allowed_actions :configure_startup, :create, :delete, :configure
 
-      # The display name to be used by user interface programs to identify the
-      # service. This string has a maximum length of 256 characters.
+      property :timeout, Integer,
+        description: "The amount of time (in seconds) to wait before timing out.",
+        default: 60,
+        desired_state: false
+
       property :display_name, String, regex: /^.{1,256}$/,
-               validation_message: "The display_name can only be a maximum of 256 characters!",
-               introduced: "14.0"
+        description: "The display name to be used by user interface programs to identify the service. This string has a maximum length of 256 characters.",
+        validation_message: "The display_name can only be a maximum of 256 characters!",
+        introduced: "14.0"
 
       # https://github.com/chef/win32-service/blob/ffi/lib/win32/windows/constants.rb#L19-L29
-      property :desired_access, Integer, default: SERVICE_ALL_ACCESS
+      property :desired_access, Integer,
+        default: SERVICE_ALL_ACCESS,
+        introduced: "14.0"
 
       # https://github.com/chef/win32-service/blob/ffi/lib/win32/windows/constants.rb#L31-L41
-      property :service_type, Integer, default: SERVICE_WIN32_OWN_PROCESS
+      property :service_type, Integer, default: SERVICE_WIN32_OWN_PROCESS,
+      introduced: "14.0"
 
       # Valid options:
       #   - :automatic
       #   - :manual
       #   - :disabled
       # Reference: https://github.com/chef/win32-service/blob/ffi/lib/win32/windows/constants.rb#L49-L54
-      property :startup_type, [Symbol], equal_to: %i{automatic manual disabled}, default: :automatic, coerce: proc { |x|
-        if x.is_a?(Integer)
-          ALLOWED_START_TYPES.invert.fetch(x) do
-            Chef::Log.warn("Unsupported startup_type #{x}, falling back to :automatic")
-            :automatic
+      property :startup_type, [Symbol],
+        equal_to: %i{automatic manual disabled},
+        default: :automatic,
+        description: "Use to specify the startup type of the service.",
+        coerce: proc { |x|
+          if x.is_a?(Integer)
+            ALLOWED_START_TYPES.invert.fetch(x) do
+              Chef::Log.warn("Unsupported startup_type #{x}, falling back to :automatic")
+              :automatic
+            end
+          elsif x.is_a?(String)
+            x.to_sym
+          else
+            x
           end
-        elsif x.is_a?(String)
-          x.to_sym
-        else
-          x
-        end
-      }
-
-      # This only applies if startup_type is :automatic
+        }
+
       # 1 == delayed start is enabled
       # 0 == NO delayed start
       property :delayed_start, [TrueClass, FalseClass],
         introduced: "14.0",
+        description: "Set the startup type to delayed start. This only applies if `startup_type` is `:automatic`",
         default: false, coerce: proc { |x|
           if x.is_a?(Integer)
             x == 0 ? false : true
@@ -85,31 +96,34 @@ class Chef
         }
 
       # https://github.com/chef/win32-service/blob/ffi/lib/win32/windows/constants.rb#L43-L47
-      property :error_control, Integer, default: SERVICE_ERROR_NORMAL
+      property :error_control, Integer,
+        default: SERVICE_ERROR_NORMAL,
+        introduced: "14.0"
 
       property :binary_path_name, String,
         introduced: "14.0",
-        description: "The fully qualified path to the service binary file. The path can also include arguments for an auto-start service. This is required for ':create' and ':configure' actions"
+        description: "The fully qualified path to the service binary file. The path can also include arguments for an auto-start service. This is required for `:create` and `:configure` actions"
 
       property :load_order_group, String,
         introduced: "14.0",
-        description: "The names of the load ordering group of which this service is a member. Don't set this property if the service does not belong to a group."
-
-      # A pointer to a double null-terminated array of null-separated names of
-      # services or load ordering groups that the system must start before this
-      # service. Specify nil or an empty string if the service has no
-      # dependencies. Dependency on a group means that this service can run if
-      # at least one member of the group is running after an attempt to start
-      # all members of the group.
+        description: "The name of the service's load ordering group(s)."
+
       property :dependencies, [String, Array],
+        description: "A pointer to a double null-terminated array of null-separated names of services or load ordering groups that the system must start before this service. Specify `nil` or an empty string if the service has no dependencies. Dependency on a group means that this service can run if at least one member of the group is running after an attempt to start all members of the group.",
         introduced: "14.0"
 
       property :description, String,
         description: "Description of the service.",
         introduced: "14.0"
 
-      property :run_as_user, String, default: "localsystem", coerce: proc { |x| x.downcase }
-      property :run_as_password, String, default: ""
+      property :run_as_user, String,
+        description: "The user under which a Microsoft Windows service runs.",
+        default: "localsystem",
+        coerce: proc { |x| x.downcase }
+
+      property :run_as_password, String,
+        description: "The password for the user specified by `run_as_user`.",
+        default: ""
     end
   end
 end

data/lib/chef/resource/windows_share.rb

@@ -26,10 +26,30 @@ require_relative "../util/path_helper"
 class Chef
   class Resource
     class WindowsShare < Chef::Resource
-      resource_name :windows_share
+      provides :windows_share
 
-      description "Use the windows_share resource to create, modify and remove Windows shares."
+      description "Use the **windows_share** resource to create, modify and remove Windows shares."
       introduced "14.7"
+      examples <<~DOC
+      **Create a share**:
+
+      ```ruby
+      windows_share 'foo' do
+        action :create
+        path 'C:\\foo'
+        full_users ['DOMAIN_A\\some_user', 'DOMAIN_B\\some_other_user']
+        read_users ['DOMAIN_C\\Domain users']
+      end
+      ```
+
+      **Delete a share**:
+
+      ```ruby
+      windows_share 'foo' do
+        action :delete
+      end
+      ```
+      DOC
 
       # Specifies a name for the SMB share. The name may be composed of any valid file name characters, but must be less than 80 characters long. The names pipe and mailslot are reserved for use by the computer.
       property :share_name, String,
@@ -145,10 +165,6 @@ class Chef
         read_users r_users
       end
 
-      def after_created
-        raise "The windows_share resource relies on PowerShell cmdlets not present in Windows releases prior to 8/2012. Cannot continue!" if node["platform_version"].to_f < 6.3
-      end
-
       # given the string output of Get-SmbShareAccess parse out
       # arrays of full access users, change users, and read only users
       def parse_permissions(results_string)

data/lib/chef/resource/windows_shortcut.rb

@@ -21,11 +21,21 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsShortcut < Chef::Resource
-      resource_name :windows_shortcut
       provides(:windows_shortcut) { true }
 
-      description "Use the windows_shortcut resource to create shortcut files on Windows."
+      description "Use the **windows_shortcut** resource to create shortcut files on Windows."
       introduced "14.0"
+      examples <<~DOC
+      **Create a shortcut with a description**:
+
+      ```ruby
+      windows_shortcut 'C:\\shortcut_dir.lnk' do
+        target 'C:\\original_dir'
+        description 'Make a shortcut to C:\\original_dir'
+      end
+      ```
+
+      DOC
 
       property :shortcut_name, String,
         description: "An optional property to set the shortcut name if it differs from the resource block's name.",
@@ -44,7 +54,7 @@ class Chef
         description: "Working directory to use when the target is executed."
 
       property :iconlocation, String,
-        description: "Icon to use for the shortcut. Accepts the format of 'path, index', where index is the icon file to use. See https://msdn.microsoft.com/en-us/library/3s9bx7at.aspx for details"
+        description: "Icon to use for the shortcut. Accepts the format of `path, index`, where index is the icon file to use. See Microsoft's [documentation](https://msdn.microsoft.com/en-us/library/3s9bx7at.aspx) for details"
 
       load_current_value do |desired|
         require "win32ole" if RUBY_PLATFORM =~ /mswin|mingw32|windows/

data/lib/chef/resource/windows_task.rb

@@ -22,17 +22,129 @@ require_relative "../win32/security" if Chef::Platform.windows?
 class Chef
   class Resource
     class WindowsTask < Chef::Resource
-      resource_name :windows_task
       provides(:windows_task) { true }
 
-      description "Use the windows_task resource to create, delete or run a Windows scheduled task. Requires Windows Server 2008 or later due to API usage."
+      description "Use the **windows_task** resource to create, delete or run a Windows scheduled task."
       introduced "13.0"
+      examples <<~DOC
+      **Create a scheduled task to run every 15 minutes as the Administrator user**:
+
+      ```ruby
+      windows_task 'chef-client' do
+        user 'Administrator'
+        password 'password'
+        command 'chef-client'
+        run_level :highest
+        frequency :minute
+        frequency_modifier 15
+      end
+      ```
+
+      **Create a scheduled task to run every 2 days**:
+
+      ``` ruby
+      windows_task 'chef-client' do
+        command 'chef-client'
+        run_level :highest
+        frequency :daily
+        frequency_modifier 2
+      end
+      ```
+
+      **Create a scheduled task to run on specific days of the week**:
+
+      ```ruby
+      windows_task 'chef-client' do
+        command 'chef-client'
+        run_level :highest
+        frequency :weekly
+        day 'Mon, Thu'
+      end
+      ```
+
+      **Create a scheduled task to run only once**:
+
+      ```ruby
+      windows_task 'chef-client' do
+        command 'chef-client'
+        run_level :highest
+        frequency :once
+        start_time "16:10"
+      end
+      ```
+
+      **Create a scheduled task to run on current day every 3 weeks and delay upto 1 min**:
+
+      ```ruby
+      windows_task 'chef-client' do
+        command 'chef-client'
+        run_level :highest
+        frequency :weekly
+        frequency_modifier 3
+        random_delay '60'
+      end
+      ```
+
+      **Create a scheduled task to run weekly starting on Dec 28th 2018**:
+
+      ```ruby
+      windows_task 'chef-client 8' do
+        command 'chef-client'
+        run_level :highest
+        frequency :weekly
+        start_day '12/28/2018'
+      end
+      ```
+
+      **Create a scheduled task to run every Monday, Friday every 2 weeks**:
+
+      ```ruby
+      windows_task 'chef-client' do
+        command 'chef-client'
+        run_level :highest
+        frequency :weekly
+        frequency_modifier 2
+        day 'Mon, Fri'
+      end
+      ```
+
+      **Create a scheduled task to run when computer is idle with idle duration 20 min**:
+      ```ruby
+      windows_task 'chef-client' do
+        command 'chef-client'
+        run_level :highest
+        frequency :on_idle
+        idle_time 20
+      end
+      ```
+
+      **Delete a task named "old task"**:
+      ```ruby
+      windows_task 'old task' do
+        action :delete
+      end
+      ```
+
+      **Enable a task named "chef-client"**:
+      ```ruby
+      windows_task 'chef-client' do
+        action :enable
+      end
+      ```
+
+      **Disable a task named "ProgramDataUpdater" with TaskPath "\\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater"**
+      ```ruby
+      windows_task '\\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater' do
+        action :disable
+      end
+      ```
+      DOC
 
       allowed_actions :create, :delete, :run, :end, :enable, :disable, :change
       default_action :create
 
       property :task_name, String, regex: [%r{\A[^/\:\*\?\<\>\|]+\z}],
-               description: "An optional property to set the task name if it differs from the resource block's name. Example: 'Task Name' or '/Task Name'",
+               description: "An optional property to set the task name if it differs from the resource block's name. Example: `Task Name` or `/Task Name`",
                name_property: true
 
       property :command, String,
@@ -47,10 +159,10 @@ class Chef
         default_description: "The localized SYSTEM user for the node."
 
       property :password, String,
-        description: "The user’s password. The user property must be set if using this property."
+        description: "The user's password. The user property must be set if using this property."
 
       property :run_level, Symbol, equal_to: %i{highest limited},
-               description: "Run with ':limited' or ':highest' privileges.",
+               description: "Run with `:limited` or `:highest` privileges.",
                default: :limited
 
       property :force, [TrueClass, FalseClass],
@@ -87,17 +199,18 @@ class Chef
         description: "The day(s) on which the task runs."
 
       property :months, String,
-        description: "The Months of the year on which the task runs, such as: 'JAN, FEB' or '\*'. Multiple months should be comma delimited. e.g. 'Jan, Feb, Mar, Dec'."
+        description: "The Months of the year on which the task runs, such as: `JAN, FEB` or `*`. Multiple months should be comma delimited. e.g. `Jan, Feb, Mar, Dec`."
 
       property :idle_time, Integer,
-        description: "For :on_idle frequency, the time (in minutes) without user activity that must pass to trigger the task, from 1 - 999."
+        description: "For `:on_idle` frequency, the time (in minutes) without user activity that must pass to trigger the task, from `1` - `999`."
 
       property :random_delay, [String, Integer],
         description: "Delays the task up to a given time (in seconds)."
 
       property :execution_time_limit, [String, Integer],
-        description: "The maximum time (in seconds) the task will run.",
-        default: "PT72H" # 72 hours in ISO8601 duration format
+        description: "The maximum time the task will run. This field accepts either seconds or an ISO8601 duration value.",
+        default: "PT72H",
+        default_description: "PT72H (72 hours in ISO8601 duration format)"
 
       property :minutes_duration, [String, Integer],
         description: ""
@@ -122,7 +235,7 @@ class Chef
         description: "The task description."
 
       property :start_when_available, [TrueClass, FalseClass],
-        introduced: "15.0", default: false,
+        introduced: "14.15", default: false,
         description: "To start the task at any time after its scheduled time has passed."
 
       attr_accessor :exists, :task, :command_arguments
@@ -161,7 +274,7 @@ class Chef
 
       ## Resource is not idempotent when day, start_day is not provided with frequency :weekly
       ## we set start_day when not given by user as current date based on which we set the day property for current current date day is monday ..
-      ## we set the monday as the day so at next run when  new_resource.day is nil and current_resource day is monday due to which udpate gets called
+      ## we set the monday as the day so at next run when  new_resource.day is nil and current_resource day is monday due to which update gets called
       def idempotency_warning_for_frequency_weekly(day, start_day)
         if start_day.nil? && day.nil?
           logger.warn "To maintain idempotency for frequency :weekly provide start_day, start_time and day."
@@ -182,19 +295,19 @@ class Chef
       end
 
       def validate_frequency_monthly(frequency_modifier, months, day)
-        # validates the frequency :monthly and raises error if frequency_modifier is first, second, thrid etc and day is not provided
+        # validates the frequency :monthly and raises error if frequency_modifier is first, second, third etc and day is not provided
         if (frequency_modifier != 1) && (frequency_modifier_includes_days_of_weeks?(frequency_modifier)) && !(day)
-          raise ArgumentError, "Please select day on which you want to run the task e.g. 'Mon, Tue'. Multiple values must be seprated by comma."
+          raise ArgumentError, "Please select day on which you want to run the task e.g. 'Mon, Tue'. Multiple values must be separated by comma."
         end
 
-        # frequency_modifer 2-12 is used to set every (n) months, so using :months propety with frequency_modifer is not valid since they both used to set months.
-        # Not checking value 1 here for frequecy_modifier since we are setting that as default value it won't break anything since preference is given to months property
+        # frequency_modifier 2-12 is used to set every (n) months, so using :months property with frequency_modifier is not valid since they both used to set months.
+        # Not checking value 1 here for frequency_modifier since we are setting that as default value it won't break anything since preference is given to months property
         if (frequency_modifier.to_i.between?(2, 12)) && !(months.nil?)
           raise ArgumentError, "For frequency :monthly either use property months or frequency_modifier to set months."
         end
       end
 
-      # returns true if frequency_modifer has values First, second, third, fourth, last, lastday
+      # returns true if frequency_modifier has values First, second, third, fourth, last, lastday
       def frequency_modifier_includes_days_of_weeks?(frequency_modifier)
         frequency_modifier = frequency_modifier.to_s.split(",")
         frequency_modifier.map! { |value| value.strip.upcase }

data/lib/chef/resource/windows_uac.rb

@@ -20,11 +20,29 @@ require_relative "../resource"
 class Chef
   class Resource
     class WindowsUac < Chef::Resource
-      resource_name :windows_uac
       provides :windows_uac
 
-      description 'The windows_uac resource configures UAC on Windows hosts by setting registry keys at \'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\''
+      description 'The *windows_uac* resource configures UAC on Windows hosts by setting registry keys at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`'
       introduced "15.0"
+      examples <<~DOC
+      **Disable UAC prompts for the admin**:
+
+      ``` ruby
+      windows_uac 'Disable UAC prompts for the admin' do
+        enable_uac true
+        prompt_on_secure_desktop false
+        consent_behavior_admins :no_prompt
+      end
+      ```
+
+      **Disable UAC entirely**:
+
+      ``` ruby
+      windows_uac 'Disable UAC entirely' do
+        enable_uac false
+      end
+      ```
+      DOC
 
       # https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations
       property :enable_uac, [TrueClass, FalseClass],

data/lib/chef/resource/windows_user_privilege.rb

@@ -0,0 +1,199 @@
+#
+# Author:: Jared Kauppila (<jared@kauppi.la>)
+# Author:: Vasundhara Jagdale(<vasundhara.jagdale@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class WindowsUserPrivilege < Chef::Resource
+      privilege_opts = %w{SeTrustedCredManAccessPrivilege
+                          SeNetworkLogonRight
+                          SeTcbPrivilege
+                          SeMachineAccountPrivilege
+                          SeIncreaseQuotaPrivilege
+                          SeInteractiveLogonRight
+                          SeRemoteInteractiveLogonRight
+                          SeBackupPrivilege
+                          SeChangeNotifyPrivilege
+                          SeSystemtimePrivilege
+                          SeTimeZonePrivilege
+                          SeCreatePagefilePrivilege
+                          SeCreateTokenPrivilege
+                          SeCreateGlobalPrivilege
+                          SeCreatePermanentPrivilege
+                          SeCreateSymbolicLinkPrivilege
+                          SeDebugPrivilege
+                          SeDenyNetworkLogonRight
+                          SeDenyBatchLogonRight
+                          SeDenyServiceLogonRight
+                          SeDenyInteractiveLogonRight
+                          SeDenyRemoteInteractiveLogonRight
+                          SeEnableDelegationPrivilege
+                          SeRemoteShutdownPrivilege
+                          SeAuditPrivilege
+                          SeImpersonatePrivilege
+                          SeIncreaseWorkingSetPrivilege
+                          SeIncreaseBasePriorityPrivilege
+                          SeLoadDriverPrivilege
+                          SeLockMemoryPrivilege
+                          SeBatchLogonRight
+                          SeServiceLogonRight
+                          SeSecurityPrivilege
+                          SeRelabelPrivilege
+                          SeSystemEnvironmentPrivilege
+                          SeManageVolumePrivilege
+                          SeProfileSingleProcessPrivilege
+                          SeSystemProfilePrivilege
+                          SeUndockPrivilege
+                          SeAssignPrimaryTokenPrivilege
+                          SeRestorePrivilege
+                          SeShutdownPrivilege
+                          SeSyncAgentPrivilege
+                          SeTakeOwnershipPrivilege
+                        }
+
+      provides :windows_user_privilege
+      description "The windows_user_privilege resource allows to add and set principal (User/Group) to the specified privilege. \n Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment"
+
+      introduced "16.0"
+
+      examples <<~DOC
+      **Set the SeNetworkLogonRight Privilege for the Builtin Administrators Group and Authenticated Users**:
+
+      ```ruby
+      windows_user_privilege 'Network Logon Rights' do
+        privilege      'SeNetworkLogonRight'
+        users          ['BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users']
+        action         :set
+      end
+      ```
+
+      **Add the SeDenyRemoteInteractiveLogonRight Privilege to the Builtin Guests and Local Accounts User Groups**:
+
+      ```ruby
+      windows_user_privilege 'Remote interactive logon' do
+        privilege      'SeDenyRemoteInteractiveLogonRight'
+        users          ['Builtin\Guests', 'NT AUTHORITY\Local Account']
+        action         :add
+      end
+      ```
+
+      **Provide only the Builtin Guests and Administrator Groups with the SeCreatePageFile Privilege**:
+
+      ```ruby
+      windows_user_privilege 'Create Pagefile' do
+        privilege      'SeCreatePagefilePrivilege'
+        users          ['BUILTIN\Guests', 'BUILTIN\Administrators']
+        action         :set
+      end
+      ```
+
+      **Remove the SeCreatePageFile Privilege from the Builtin Guests Group**:
+
+      ```ruby
+      windows_user_privilege 'Create Pagefile' do
+        privilege      'SeCreatePagefilePrivilege'
+        users          ['BUILTIN\Guests']
+        action         :remove
+      end
+      ```
+      DOC
+
+      property :principal, String,
+        description: "An optional property to add the user to the given privilege. Use only with add and remove action.",
+        name_property: true
+
+      property :users, Array,
+        description: "An optional property to set the privilege for given users. Use only with set action."
+
+      property :privilege, [Array, String],
+        description: "Privilege to set for users.",
+        required: true,
+        coerce: proc { |v| v.is_a?(String) ? Array[v] : v },
+        callbacks: {
+           "Option privilege must include any of the: #{privilege_opts}" => lambda { |v|
+             (privilege_opts & v).size == v.size
+           },
+         }
+
+      load_current_value do |new_resource|
+        unless new_resource.principal.nil?
+          privilege Chef::ReservedNames::Win32::Security.get_account_right(new_resource.principal) unless new_resource.action.include?(:set)
+        end
+      end
+
+      action :add do
+        ([*new_resource.privilege] - [*current_resource.privilege]).each do |user_right|
+          converge_by("adding user '#{new_resource.principal}' privilege #{user_right}") do
+            Chef::ReservedNames::Win32::Security.add_account_right(new_resource.principal, user_right)
+          end
+        end
+      end
+
+      action :set do
+        if new_resource.users.nil? || new_resource.users.empty?
+          raise Chef::Exceptions::ValidationFailed, "Users are required property with set action."
+        end
+
+        users = []
+
+        # Getting users with its domain for comparison
+        new_resource.users.each do |user|
+          user = Chef::ReservedNames::Win32::Security.lookup_account_name(user)
+          users << user[1].account_name if user
+        end
+
+        new_resource.privilege.each do |privilege|
+          accounts = Chef::ReservedNames::Win32::Security.get_account_with_user_rights(privilege)
+
+          # comparing the existing accounts for privilege with users
+          unless users == accounts
+            # Removing only accounts which is not matching with users in new_resource
+            (accounts - users).each do |account|
+              converge_by("removing user '#{account}' from privilege #{privilege}") do
+                Chef::ReservedNames::Win32::Security.remove_account_right(account, privilege)
+              end
+            end
+
+            # Adding only users which is not already exist
+            (users - accounts).each do |user|
+              converge_by("adding user '#{user}' to privilege #{privilege}") do
+                Chef::ReservedNames::Win32::Security.add_account_right(user, privilege)
+              end
+            end
+          end
+        end
+      end
+
+      action :remove do
+        curr_res_privilege = current_resource.privilege
+        missing_res_privileges = (new_resource.privilege - curr_res_privilege)
+
+        if missing_res_privileges
+          Chef::Log.info("User \'#{new_resource.principal}\' for Privilege: #{missing_res_privileges.join(", ")} not found. Nothing to remove.")
+        end
+
+        (new_resource.privilege - missing_res_privileges).each do |user_right|
+          converge_by("removing user #{new_resource.principal} from privilege #{user_right}") do
+            Chef::ReservedNames::Win32::Security.remove_account_right(new_resource.principal, user_right)
+          end
+        end
+      end
+    end
+  end
+end