puppet 5.5.6 → 5.5.7

data/lib/puppet/type/user.rb

@@ -392,9 +392,7 @@ module Puppet
         that the user is a part of.
 
         If `inclusive` is specified, Puppet will ensure that the user is a
-        member of **only** specified groups.
-
-        Defaults to `minimum`."
+        member of **only** specified groups."
 
       newvalues(:inclusive, :minimum)
 
@@ -405,13 +403,13 @@ module Puppet
       desc "Whether the user is a system user, according to the OS's criteria;
       on most platforms, a UID less than or equal to 500 indicates a system
       user. This parameter is only used when the resource is created and will
-      not affect the UID when the user is present. Defaults to `false`."
+      not affect the UID when the user is present."
 
       defaultto false
     end
 
     newparam(:allowdupe, :boolean => true, :parent => Puppet::Parameter::Boolean) do
-      desc "Whether to allow duplicate UIDs. Defaults to `false`."
+      desc "Whether to allow duplicate UIDs."
 
       defaultto false
     end
@@ -419,13 +417,16 @@ module Puppet
     newparam(:managehome, :boolean => true, :parent => Puppet::Parameter::Boolean) do
       desc "Whether to manage the home directory when Puppet creates or removes the user.
         This creates the home directory if Puppet also creates the user account, and deletes the
-        home directory if Puppet also removes the user account. Defaults to `false`.
+        home directory if Puppet also removes the user account.
 
         This parameter has no effect unless Puppet is also creating or removing the user in the
         resource at the same time. For instance, Puppet creates a home directory for a managed
         user if `ensure => present` and the user does not exist at the time of the Puppet run.
         If the home directory is then deleted manually, Puppet will not recreate it on the next
-        run."
+        run.
+
+        Note that on Windows, this manages creation/deletion of the user profile instead of the
+        home directory. The user profile is stored in the `C:\Users\<username>` directory."
 
       defaultto false
 
@@ -545,7 +546,7 @@ module Puppet
     newparam(:role_membership) do
       desc "Whether specified roles should be considered the **complete list**
         (`inclusive`) or the **minimum list** (`minimum`) of roles the user
-        has. Defaults to `minimum`."
+        has."
 
       newvalues(:inclusive, :minimum)
 
@@ -571,7 +572,7 @@ module Puppet
     newparam(:auth_membership) do
       desc "Whether specified auths should be considered the **complete list**
         (`inclusive`) or the **minimum list** (`minimum`) of auths the user
-        has. Defaults to `minimum`."
+        has."
 
       newvalues(:inclusive, :minimum)
 
@@ -597,7 +598,7 @@ module Puppet
     newparam(:profile_membership) do
       desc "Whether specified roles should be treated as the **complete list**
         (`inclusive`) or the **minimum list** (`minimum`) of roles
-        of which the user is a member. Defaults to `minimum`."
+        of which the user is a member."
 
       newvalues(:inclusive, :minimum)
 
@@ -610,16 +611,12 @@ module Puppet
       def membership
         :key_membership
       end
-
-      validate do |value|
-        raise ArgumentError, _("Key/value pairs must be separated by an =") unless value.include?("=")
-      end
     end
 
     newparam(:key_membership) do
       desc "Whether specified key/value pairs should be considered the
         **complete list** (`inclusive`) or the **minimum list** (`minimum`) of
-        the user's attributes. Defaults to `minimum`."
+        the user's attributes."
 
       newvalues(:inclusive, :minimum)
 
@@ -637,6 +634,8 @@ module Puppet
     newproperty(:attributes, :parent => Puppet::Property::KeyValue, :required_features => :manages_aix_lam) do
       desc "Specify AIX attributes for the user in an array of attribute = value pairs."
 
+      self.log_only_changed_or_new_keys = true
+
       def membership
         :attribute_membership
       end
@@ -644,16 +643,12 @@ module Puppet
       def delimiter
         " "
       end
-
-      validate do |value|
-        raise ArgumentError, _("Attributes value pairs must be separated by an =") unless value.include?("=")
-      end
     end
 
     newparam(:attribute_membership) do
       desc "Whether specified attribute value pairs should be treated as the
         **complete list** (`inclusive`) or the **minimum list** (`minimum`) of
-        attribute/value pairs for the user. Defaults to `minimum`."
+        attribute/value pairs for the user."
 
       newvalues(:inclusive, :minimum)
 

data/lib/puppet/type/yumrepo.rb

@@ -273,7 +273,7 @@ Puppet::Type.newtype(:yumrepo) do
     desc "Enable bandwidth throttling for downloads. This option
       can be expressed as a absolute data rate in bytes/sec or a
       percentage `60%`. An SI prefix (k, M or G) may be appended
-      to the data rate values.\n#{ABSENT_DOC}"
+      to the data rate values.#{ABSENT_DOC}"
 
     newvalues(/^\d+[kMG%]?$/, :absent)
   end
@@ -283,7 +283,7 @@ Puppet::Type.newtype(:yumrepo) do
       in bytes/second. Used with the `throttle` option. If `throttle`
       is a percentage and `bandwidth` is `0` then bandwidth throttling
       will be disabled. If `throttle` is expressed as a data rate then
-      this option is ignored.\n#{ABSENT_DOC}"
+      this option is ignored.#{ABSENT_DOC}"
 
     newvalues(/^\d+[kMG]?$/, :absent)
   end

data/lib/puppet/type/zone.rb

@@ -262,7 +262,7 @@ end
   # Specify the sysidcfg file.  This is pretty hackish, because it's
   # only used to boot the zone the very first time.
   newparam(:sysidcfg) do
-    desc %{The text to go into the `sysidcfg` file when the zone is first
+    desc "The text to go into the `sysidcfg` file when the zone is first
       booted.  The best way is to use a template:
 
           # $confdir/modules/site/templates/sysidcfg.erb
@@ -290,7 +290,7 @@ end
           }
 
       The `sysidcfg` only matters on the first booting of the zone,
-      so Puppet only checks for it at that time.}
+      so Puppet only checks for it at that time."
   end
 
   newparam(:create_args) do

data/lib/puppet/util.rb

@@ -479,9 +479,13 @@ module Util
 
   def safe_posix_fork(stdin=$stdin, stdout=$stdout, stderr=$stderr, &block)
     child_pid = Kernel.fork do
-      $stdin.reopen(stdin)
-      $stdout.reopen(stdout)
-      $stderr.reopen(stderr)
+      STDIN.reopen(stdin)
+      STDOUT.reopen(stdout)
+      STDERR.reopen(stderr)
+
+      $stdin = STDIN
+      $stdout = STDOUT
+      $stderr = STDERR
 
       begin
         Dir.foreach('/proc/self/fd') do |f|

data/lib/puppet/util/execution.rb

@@ -114,6 +114,9 @@ module Puppet::Util::Execution
   #   an Array the first element should be the executable and the rest of the
   #   elements should be the individual arguments to that executable.
   # @param options [Hash] a Hash of options
+  # @option options [String] :cwd the directory from which to run the command. Raises an error if the directory does not exist.
+  #   This option is only available on the agent. It cannot be used on the master, meaning it cannot be used in, for example,
+  #   regular functions, hiera backends, or report processors.
   # @option options [Boolean]  :failonfail if this value is set to true, then this method will raise an error if the
   #   command is not executed successfully.
   # @option options [Integer, String] :uid (nil) the user id of the user that the process should be run as. Will be ignored if the
@@ -154,6 +157,7 @@ module Puppet::Util::Execution
         :override_locale => true,
         :custom_environment => {},
         :sensitive => false,
+        :suppress_window => false,
     }
 
     options = default_options.merge(options)
@@ -186,6 +190,11 @@ module Puppet::Util::Execution
 
     null_file = Puppet.features.microsoft_windows? ? 'NUL' : '/dev/null'
 
+    cwd = options[:cwd]
+    if cwd && ! Puppet::FileSystem.directory?(cwd)
+      raise ArgumentError, _("Working directory %{cwd} does not exist!") % { cwd: cwd }
+    end
+
     begin
       stdin = Puppet::FileSystem.open(options[:stdinfile] || null_file, nil, 'r')
       # On Windows, continue to use the file-based approach to avoid breaking people's existing
@@ -320,7 +329,6 @@ module Puppet::Util::Execution
   #
   def self.execute_posix(command, options, stdin, stdout, stderr)
     child_pid = Puppet::Util.safe_posix_fork(stdin, stdout, stderr) do
-
       # We can't just call Array(command), and rely on it returning
       # things like ['foo'], when passed ['foo'], because
       # Array(command) will call command.to_a internally, which when
@@ -329,6 +337,12 @@ module Puppet::Util::Execution
       command = [command].flatten
       Process.setsid
       begin
+        # We need to chdir to our cwd before changing privileges as there's a
+        # chance that the user may not have permissions to access the cwd, which
+        # would cause execute_posix to fail.
+        cwd = options[:cwd]
+        Dir.chdir(cwd) if cwd
+
         Puppet::Util::SUIDManager.change_privileges(options[:uid], options[:gid], true)
 
         # if the caller has requested that we override locale environment variables,

data/lib/puppet/util/posix.rb

@@ -9,7 +9,22 @@ module Puppet::Util::POSIX
   # environment for "exec" runs
   USER_ENV_VARS = ['HOME', 'USER', 'LOGNAME']
 
+  class << self
+    # Returns an array of all the groups that the user's a member of.
+    def groups_of(user)
+      groups = []
+      Puppet::Etc.group do |group|
+        groups << group.name if group.mem.include?(user)
+      end
+  
+      uniq_groups = groups.uniq
+      if uniq_groups != groups
+        Puppet.debug(_('Removing any duplicate group entries'))
+      end
 
+      uniq_groups
+    end
+  end
 
   # Retrieve a field from a POSIX Etc object.  The id can be either an integer
   # or a name.  This only works for users and groups.  It's also broken on

data/lib/puppet/util/storage.rb

@@ -82,6 +82,18 @@ class Puppet::Util::Storage
 
     Puppet.info _("Creating state file %{file}") % { file: Puppet[:statefile] } unless Puppet::FileSystem.exist?(Puppet[:statefile])
 
+    if Puppet[:statettl] == 0 || Puppet[:statettl] == Float::INFINITY
+      Puppet.debug "Not pruning old state cache entries"
+    else
+      Puppet::Util.benchmark(:debug, "Pruned old state cache entries in %{seconds} seconds") do
+        ttl_cutoff = Time.now - Puppet[:statettl]
+
+        @@state.reject! do |k,v|
+          @@state[k][:checked] && @@state[k][:checked] < ttl_cutoff
+        end
+      end
+    end
+
     Puppet::Util.benchmark(:debug, "Stored state in %{seconds} seconds") do
       Puppet::Util::Yaml.dump(@@state, Puppet[:statefile])
     end

data/lib/puppet/util/windows.rb

@@ -1,8 +1,9 @@
 module Puppet::Util::Windows
   module ADSI
-    class User; end
+    class ADSIObject; end
+    class User < ADSIObject; end
     class UserProfile; end
-    class Group; end
+    class Group < ADSIObject; end
   end
   module File; end
   module Registry
@@ -31,5 +32,6 @@ module Puppet::Util::Windows
     require 'puppet/util/windows/adsi'
     require 'puppet/util/windows/registry'
     require 'puppet/util/windows/eventlog'
+    require 'puppet/util/windows/service'
   end
 end

data/lib/puppet/util/windows/adsi.rb

@@ -106,138 +106,201 @@ module Puppet::Util::Windows::ADSI
       [:lpwstr, :lpdword], :win32_bool
   end
 
-  module Shared
-    def localized_domains
-      @localized_domains ||= [
-        # localized version of BUILTIN
-        # for instance VORDEFINIERT on German Windows
-        Puppet::Util::Windows::SID.sid_to_name('S-1-5-32').upcase,
-        # localized version of NT AUTHORITY (can't use S-1-5)
-        # for instance AUTORITE NT on French Windows
-        Puppet::Util::Windows::SID.name_to_principal('SYSTEM').domain.upcase
-      ]
-    end
-
-    def uri(name, host = '.')
-      host = '.' if (localized_domains << Socket.gethostname.upcase).include?(host.upcase)
+  # Common base class shared by the User and Group
+  # classes below.
+  class ADSIObject
+    extend Enumerable
 
-      # group or user
-      account_type = self.name.split('::').last.downcase
+    # Define some useful class-level methods
+    class << self
+      # Is either 'user' or 'group'
+      attr_reader :object_class
+
+      def localized_domains
+        @localized_domains ||= [
+          # localized version of BUILTIN
+          # for instance VORDEFINIERT on German Windows
+          Puppet::Util::Windows::SID.sid_to_name('S-1-5-32').upcase,
+          # localized version of NT AUTHORITY (can't use S-1-5)
+          # for instance AUTORITE NT on French Windows
+          Puppet::Util::Windows::SID.name_to_principal('SYSTEM').domain.upcase
+        ]
+      end
+  
+      def uri(name, host = '.')
+        host = '.' if (localized_domains << Socket.gethostname.upcase).include?(host.upcase)
+        Puppet::Util::Windows::ADSI.uri(name, @object_class, host)
+      end
+  
+      def parse_name(name)
+        if name =~ /\//
+          raise Puppet::Error.new( _("Value must be in DOMAIN\\%{object_class} style syntax") % { object_class: @object_class } )
+        end
+  
+        matches = name.scan(/((.*)\\)?(.*)/)
+        domain = matches[0][1] || '.'
+        account = matches[0][2]
+  
+        return account, domain
+      end
+  
+      # returns Puppet::Util::Windows::SID::Principal[]
+      # may contain objects that represent unresolvable SIDs
+      def get_sids(adsi_child_collection)
+        sids = []
+        adsi_child_collection.each do |m|
+          sids << Puppet::Util::Windows::SID.ads_to_principal(m)
+        end
+  
+        sids
+      end
+  
+      def name_sid_hash(names)
+        return {} if names.nil? || names.empty?
+  
+        sids = names.map do |name|
+          sid = Puppet::Util::Windows::SID.name_to_principal(name)
+          raise Puppet::Error.new( _("Could not resolve name: %{name}") % { name: name } ) if !sid
+          [sid.sid, sid]
+        end
+  
+        Hash[ sids ]
+      end
 
-      Puppet::Util::Windows::ADSI.uri(name, account_type, host)
-    end
 
-    def parse_name(name)
-      if name =~ /\//
-        raise Puppet::Error.new( _("Value must be in DOMAIN\\user style syntax") )
+      def delete(name)
+        Puppet::Util::Windows::ADSI.delete(name, @object_class)
       end
 
-      matches = name.scan(/((.*)\\)?(.*)/)
-      domain = matches[0][1] || '.'
-      account = matches[0][2]
-
-      return account, domain
-    end
+      def exists?(name_or_sid)
+        well_known = false
+        if (sid = Puppet::Util::Windows::SID.name_to_principal(name_or_sid))
+          # Examples of SidType include SidTypeUser, SidTypeGroup
+          return true if sid.account_type == "SidType#{@object_class.capitalize}".to_sym
+  
+          # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM
+          # so try to resolve it
+          # https://msdn.microsoft.com/en-us/library/cc234477.aspx
+          well_known = sid.account_type == :SidTypeWellKnownGroup
+          return false if sid.account_type != :SidTypeAlias && !well_known
+          name_or_sid = "#{sid.domain}\\#{sid.account}"
+        end
 
-    # returns Puppet::Util::Windows::SID::Principal[]
-    # may contain objects that represent unresolvable SIDs
-    def get_sids(adsi_child_collection)
-      sids = []
-      adsi_child_collection.each do |m|
-        sids << Puppet::Util::Windows::SID.ads_to_principal(m)
+        object = Puppet::Util::Windows::ADSI.connect(uri(*parse_name(name_or_sid)))
+        object.Class.downcase == @object_class
+      rescue
+        # special accounts like SYSTEM or special groups like Authenticated Users cannot
+        # resolve via monikers like WinNT://./SYSTEM,user or WinNT://./Authenticated Users,group
+        # -- they'll fail to connect. thus, given a validly resolved SID, this failure is
+        # ambiguous as it may indicate either a group like Service or an account like SYSTEM
+        well_known
       end
 
-      sids
-    end
+      def list_all
+        raise NotImplementedError, _("Subclass must implement class-level method 'list_all'!")
+      end
 
-    def name_sid_hash(names)
-      return {} if names.nil? || names.empty?
+      def each(&block)
+        objects = []
+        list_all.each do |o|
+          # Setting WIN32OLE.codepage in the microsoft_windows feature ensures
+          # values are returned as UTF-8
+          objects << new(o.name)
+        end
 
-      sids = names.map do |name|
-        sid = Puppet::Util::Windows::SID.name_to_principal(name)
-        raise Puppet::Error.new( _("Could not resolve name: %{name}") % { name: name } ) if !sid
-        [sid.sid, sid]
+        objects.each(&block)
       end
-
-      Hash[ sids ]
     end
-  end
 
-  class User
-    extend Enumerable
-    extend Puppet::Util::Windows::ADSI::Shared
-    extend FFI::Library
-
-    # https://msdn.microsoft.com/en-us/library/aa746340.aspx
-    # IADsUser interface
-
-    require 'puppet/util/windows/sid'
-
-    attr_accessor :native_user
-    attr_reader :name, :sid
-    def initialize(name, native_user = nil)
+    attr_reader :name
+    def initialize(name, native_object = nil)
       @name = name
-      @native_user = native_user
-    end
-
-    def native_user
-      @native_user ||= Puppet::Util::Windows::ADSI.connect(self.class.uri(*self.class.parse_name(@name)))
+      @native_object = native_object
     end
 
-    def sid
-      @sid ||= Puppet::Util::Windows::SID.octet_string_to_principal(native_user.objectSID)
+    def object_class
+      self.class.object_class
     end
 
     def uri
       self.class.uri(sid.account, sid.domain)
     end
 
-    def self.logon(name, password)
-      Puppet::Util::Windows::User.password_is?(name, password)
+    def native_object
+      @native_object ||= Puppet::Util::Windows::ADSI.connect(self.class.uri(*self.class.parse_name(name)))
+    end
+
+    def sid
+      @sid ||= Puppet::Util::Windows::SID.octet_string_to_principal(native_object.objectSID)
     end
 
     def [](attribute)
       # Setting WIN32OLE.codepage in the microsoft_windows feature ensures
       # values are returned as UTF-8
-      native_user.Get(attribute)
+      native_object.Get(attribute)
     end
 
     def []=(attribute, value)
-      native_user.Put(attribute, value)
+      native_object.Put(attribute, value)
     end
 
     def commit
       begin
-        native_user.SetInfo unless native_user.nil?
+        native_object.SetInfo
       rescue WIN32OLERuntimeError => e
         # ERROR_BAD_USERNAME 2202L from winerror.h
         if e.message =~ /8007089A/m
           raise Puppet::Error.new(
-           _("Puppet is not able to create/delete domain users with the user resource."),
-           e
+            _("Puppet is not able to create/delete domain %{object_class} objects with the %{object_class} resource.") % { object_class: object_class },
           )
         end
 
-        raise Puppet::Error.new( _("User update failed: %{e}") % { e: e }, e )
+        raise Puppet::Error.new( _("%{object_class} update failed: %{error}") % { object_class: object_class.capitalize, error: e }, e )
       end
       self
     end
+  end
+
+  class User < ADSIObject
+    extend FFI::Library
+
+    require 'puppet/util/windows/sid'
+
+    # https://msdn.microsoft.com/en-us/library/aa746340.aspx
+    # IADsUser interface
+    @object_class = 'user'
+
+    class << self
+      def list_all
+        Puppet::Util::Windows::ADSI.execquery('select name from win32_useraccount where localaccount = "TRUE"')
+      end
+
+      def logon(name, password)
+        Puppet::Util::Windows::User.password_is?(name, password)
+      end
+
+      def create(name)
+        # Windows error 1379: The specified local group already exists.
+        raise Puppet::Error.new(_("Cannot create user if group '%{name}' exists.") % { name: name }) if Puppet::Util::Windows::ADSI::Group.exists? name
+        new(name, Puppet::Util::Windows::ADSI.create(name, @object_class))
+      end
+    end
 
     def password_is?(password)
       self.class.logon(name, password)
     end
 
     def add_flag(flag_name, value)
-      flag = native_user.Get(flag_name) rescue 0
+      flag = native_object.Get(flag_name) rescue 0
 
-      native_user.Put(flag_name, flag | value)
+      native_object.Put(flag_name, flag | value)
 
       commit
     end
 
     def password=(password)
       if !password.nil?
-        native_user.SetPassword(password)
+        native_object.SetPassword(password)
         commit
       end
 
@@ -251,7 +314,7 @@ module Puppet::Util::Windows::ADSI
       groups = []
       # Setting WIN32OLE.codepage in the microsoft_windows feature ensures
       # values are returned as UTF-8
-      native_user.Groups.each {|g| groups << g.Name} rescue nil
+      native_object.Groups.each {|g| groups << g.Name} rescue nil
       groups
     end
 
@@ -281,9 +344,13 @@ module Puppet::Util::Windows::ADSI
     end
 
     def group_sids
-      self.class.get_sids(native_user.Groups)
+      self.class.get_sids(native_object.Groups)
     end
 
+    # TODO: This code's pretty similar to set_members in the Group class. Would be nice
+    # to refactor them into the ADSIObject class at some point. This was not done originally
+    # because these use different methods to do stuff that are also aliased to other methods,
+    # so the shared code isn't exactly a 1:1 mapping.
     def set_groups(desired_groups, minimum = true)
       return if desired_groups.nil?
 
@@ -311,10 +378,82 @@ module Puppet::Util::Windows::ADSI
       end
     end
 
-    def self.create(name)
-      # Windows error 1379: The specified local group already exists.
-      raise Puppet::Error.new(_("Cannot create user if group '%{name}' exists.") % { name: name }) if Puppet::Util::Windows::ADSI::Group.exists? name
-      new(name, Puppet::Util::Windows::ADSI.create(name, 'user'))
+    # Declare all of the available user flags on the system. Note that
+    # ADS_UF is read as ADS_UserFlag
+    #   https://docs.microsoft.com/en-us/windows/desktop/api/iads/ne-iads-ads_user_flag
+    # and
+    #   https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
+    # for the flag values.
+    ADS_USERFLAGS = {
+      ADS_UF_SCRIPT:                                 0x0001,
+      ADS_UF_ACCOUNTDISABLE:                         0x0002,
+      ADS_UF_HOMEDIR_REQUIRED:                       0x0008,
+      ADS_UF_LOCKOUT:                                0x0010,                          
+      ADS_UF_PASSWD_NOTREQD:                         0x0020,                   
+      ADS_UF_PASSWD_CANT_CHANGE:                     0x0040,               
+      ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:        0x0080,       
+      ADS_UF_TEMP_DUPLICATE_ACCOUNT:                 0x0100,           
+      ADS_UF_NORMAL_ACCOUNT:                         0x0200,                   
+      ADS_UF_INTERDOMAIN_TRUST_ACCOUNT:              0x0800,        
+      ADS_UF_WORKSTATION_TRUST_ACCOUNT:              0x1000,        
+      ADS_UF_SERVER_TRUST_ACCOUNT:                   0x2000,             
+      ADS_UF_DONT_EXPIRE_PASSWD:                     0x10000,            
+      ADS_UF_MNS_LOGON_ACCOUNT:                      0x20000,               
+      ADS_UF_SMARTCARD_REQUIRED:                     0x40000,              
+      ADS_UF_TRUSTED_FOR_DELEGATION:                 0x80000,          
+      ADS_UF_NOT_DELEGATED:                          0x100000,                  
+      ADS_UF_USE_DES_KEY_ONLY:                       0x200000,               
+      ADS_UF_DONT_REQUIRE_PREAUTH:                   0x400000,               
+      ADS_UF_PASSWORD_EXPIRED:                       0x800000,               
+      ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 0x1000000
+    }
+
+    def userflag_set?(flag)
+      flag_value = ADS_USERFLAGS[flag] || 0
+      ! (self['UserFlags'] & flag_value).zero?
+    end
+
+    # Common helper for set_userflags and unset_userflags.
+    #
+    # @api private
+    def op_userflags(*flags, &block)
+      # Avoid an unnecessary set + commit operation.
+      return if flags.empty?
+
+      unrecognized_flags = flags.reject { |flag| ADS_USERFLAGS.keys.include?(flag) }
+      unless unrecognized_flags.empty?
+        raise ArgumentError, _("Unrecognized ADS UserFlags: %{unrecognized_flags}") % { unrecognized_flags: unrecognized_flags.join(', ') }
+      end
+
+      self['UserFlags'] = flags.inject(self['UserFlags'], &block)
+    end
+
+    def set_userflags(*flags)
+      op_userflags(*flags) { |userflags, flag| userflags | ADS_USERFLAGS[flag] }
+    end
+
+    def unset_userflags(*flags)
+      op_userflags(*flags) { |userflags, flag| userflags & ~ADS_USERFLAGS[flag] }
+    end
+
+    def disabled?
+      userflag_set?(:ADS_UF_ACCOUNTDISABLE)
+    end
+
+    def locked_out?
+      # Note that the LOCKOUT flag is known to be inaccurate when using the
+      # LDAP IADsUser provider, but this class consistently uses the WinNT
+      # provider, which is expected to be accurate.
+      userflag_set?(:ADS_UF_LOCKOUT)
+    end
+
+    def expired?
+      expires = native_object.Get('AccountExpirationDate')
+      expires && expires < Time.now
+    rescue WIN32OLERuntimeError => e
+      # This OLE error code indicates the property can't be found in the cache
+      raise e unless e.message =~ /8000500D/m
+      false
     end
 
     # UNLEN from lmcons.h - https://stackoverflow.com/a/2155176
@@ -341,47 +480,6 @@ module Puppet::Util::Windows::ADSI
       Puppet::Util::Windows::SID.name_to_principal(current_user_name)
     end
 
-    def self.exists?(name_or_sid)
-      well_known = false
-      if (sid = Puppet::Util::Windows::SID.name_to_principal(name_or_sid))
-        return true if sid.account_type == :SidTypeUser
-
-        # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM
-        # so try to resolve it
-        # https://msdn.microsoft.com/en-us/library/cc234477.aspx
-        well_known = sid.account_type == :SidTypeWellKnownGroup
-        return false if sid.account_type != :SidTypeAlias && !well_known
-        name_or_sid = "#{sid.domain}\\#{sid.account}"
-      end
-
-      user = Puppet::Util::Windows::ADSI.connect(User.uri(*User.parse_name(name_or_sid)))
-      # otherwise, verify that the account is actually a User account
-      user.Class == 'User'
-    rescue
-      # special accounts like SYSTEM cannot resolve via moniker like WinNT://./SYSTEM,user
-      # and thus fail to connect - so given a validly resolved SID, this failure is ambiguous as it
-      # may indicate either a group like Service or an account like SYSTEM
-      well_known
-    end
-
-
-    def self.delete(name)
-      Puppet::Util::Windows::ADSI.delete(name, 'user')
-    end
-
-    def self.each(&block)
-      wql = Puppet::Util::Windows::ADSI.execquery('select name from win32_useraccount where localaccount = "TRUE"')
-
-      users = []
-      wql.each do |u|
-        # Setting WIN32OLE.codepage in the microsoft_windows feature ensures
-        # values are returned as UTF-8
-        users << new(u.name)
-      end
-
-      users.each(&block)
-    end
-
     ffi_convention :stdcall
 
     # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724432(v=vs.85).aspx
@@ -410,58 +508,33 @@ module Puppet::Util::Windows::ADSI
     end
   end
 
-  class Group
-    extend Enumerable
-    extend Puppet::Util::Windows::ADSI::Shared
+  class Group < ADSIObject
 
     # https://msdn.microsoft.com/en-us/library/aa706021.aspx
     # IADsGroup interface
+    @object_class = 'group'
 
-    attr_accessor :native_group
-    attr_reader :name, :sid
-    def initialize(name, native_group = nil)
-      @name = name
-      @native_group = native_group
-    end
-
-    def uri
-      self.class.uri(sid.account, sid.domain)
-    end
-
-    def native_group
-      @native_group ||= Puppet::Util::Windows::ADSI.connect(self.class.uri(*self.class.parse_name(name)))
-    end
-
-    def sid
-      @sid ||= Puppet::Util::Windows::SID.octet_string_to_principal(native_group.objectSID)
-    end
-
-    def commit
-      begin
-        native_group.SetInfo unless native_group.nil?
-      rescue WIN32OLERuntimeError => e
-        # ERROR_BAD_USERNAME 2202L from winerror.h
-        if e.message =~ /8007089A/m
-          raise Puppet::Error.new(
-            _("Puppet is not able to create/delete domain groups with the group resource."),
-            e
-          )
-        end
+    class << self
+      def list_all
+        Puppet::Util::Windows::ADSI.execquery('select name from win32_group where localaccount = "TRUE"')
+      end
 
-        raise Puppet::Error.new( _("Group update failed: %{error}") % { error: e }, e )
+      def create(name)
+        # Windows error 2224: The account already exists.
+        raise Puppet::Error.new( _("Cannot create group if user '%{name}' exists.") % { name: name } ) if Puppet::Util::Windows::ADSI::User.exists?(name)
+        new(name, Puppet::Util::Windows::ADSI.create(name, @object_class))
       end
-      self
     end
 
     def add_member_sids(*sids)
       sids.each do |sid|
-        native_group.Add(Puppet::Util::Windows::ADSI.sid_uri(sid))
+        native_object.Add(Puppet::Util::Windows::ADSI.sid_uri(sid))
       end
     end
 
     def remove_member_sids(*sids)
       sids.each do |sid|
-        native_group.Remove(Puppet::Util::Windows::ADSI.sid_uri(sid))
+        native_object.Remove(Puppet::Util::Windows::ADSI.sid_uri(sid))
       end
     end
 
@@ -469,13 +542,15 @@ module Puppet::Util::Windows::ADSI
     # may contain objects that represent unresolvable SIDs
     # qualified account names are returned by calling #domain_account
     def members
-      self.class.get_sids(native_group.Members)
+      self.class.get_sids(native_object.Members)
     end
     alias member_sids members
 
     def set_members(desired_members, inclusive = true)
       return if desired_members.nil?
 
+      desired_members = desired_members.split(',').map(&:strip)
+
       current_hash = Hash[ self.member_sids.map { |sid| [sid.sid, sid] } ]
       desired_hash = self.class.name_sid_hash(desired_members)
 
@@ -496,50 +571,5 @@ module Puppet::Util::Windows::ADSI
         remove_member_sids(*members_to_remove)
       end
     end
-
-    def self.create(name)
-      # Windows error 2224: The account already exists.
-      raise Puppet::Error.new( _("Cannot create group if user '%{name}' exists.") % { name: name } ) if Puppet::Util::Windows::ADSI::User.exists? name
-      new(name, Puppet::Util::Windows::ADSI.create(name, 'group'))
-    end
-
-    def self.exists?(name_or_sid)
-      well_known = false
-      if (sid = Puppet::Util::Windows::SID.name_to_principal(name_or_sid))
-        return true if sid.account_type == :SidTypeGroup
-
-        # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM
-        # so try to resolve it
-        # https://msdn.microsoft.com/en-us/library/cc234477.aspx
-        well_known = sid.account_type == :SidTypeWellKnownGroup
-        return false if sid.account_type != :SidTypeAlias && !well_known
-        name_or_sid = "#{sid.domain}\\#{sid.account}"
-      end
-
-      user = Puppet::Util::Windows::ADSI.connect(Group.uri(*Group.parse_name(name_or_sid)))
-      user.Class == 'Group'
-    rescue
-      # special groups like Authenticated Users cannot resolve via moniker like WinNT://./Authenticated Users,group
-      # and thus fail to connect - so given a validly resolved SID, this failure is ambiguous as it
-      # may indicate either a group like Service or an account like SYSTEM
-      well_known
-    end
-
-    def self.delete(name)
-      Puppet::Util::Windows::ADSI.delete(name, 'group')
-    end
-
-    def self.each(&block)
-      wql = Puppet::Util::Windows::ADSI.execquery('select name from win32_group where localaccount = "TRUE"')
-
-      groups = []
-      wql.each do |g|
-        # Setting WIN32OLE.codepage in the microsoft_windows feature ensures
-        # values are returned as UTF-8
-        groups << new(g.name)
-      end
-
-      groups.each(&block)
-    end
   end
 end