Run powershell command as administrator


Michael Perzel

Sep 24, 2014, 10:33:42 AM
to ansible...@googlegroups.com
I am working to automate our deployment process with ansible but am running into a permissions issue. I have a playbook that uses the raw module to call a deploy.ps1 file that is on a remote windows server. This deploy.ps1 file does some work and then calls an install.ps1 command using the following syntax "Invoke-Command -ComputerName $server -filepath $from\install.ps1 -argumentlist $version,$siteName"  The problem is install.ps1 needs to be run as administrator in order to work (it makes some changes to IIS). I can run deploy.ps1 (and install.ps1) from an administrator powershell window but they fail when I run them from a non-admin powershell window. 

Is there a way to tell the raw command to run the powershell as admin?

Copied below is the error message.

 "stderr": "[localhost] Connecting to remote server localhost failed with the following \r\nerror message : Access is denied. For more information, see the \r\nabout_Remote_Troubleshooting Help topic.\r\n    + CategoryInfo          : OpenError: (localhost:String) [], PSRemotingTran \r\n   sportException\r\n    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken\r\n",
        "stdout": "\nDeploying EdgeTestTool version:532 to servers: localhost\n\tCopying files to localhost\n\nFile copy complete. Starting install\n\tInstalling on remote server localhost in site Default Web Site\nC:\\surescripts\\edge\\532\\archive\\EdgeTestTool.Web\\obj\\x64\\Debug\\Package\\PackageTmp, 532, Default Web Site\r\n\nDone Deploying EdgeTestTool version:532 to servers: localhost\n\n",

Michael Perzel

Sep 24, 2014, 10:44:08 AM
to ansible...@googlegroups.com
From here http://technet.microsoft.com/en-us/library/hh849719.aspx

My problem is this requirement
  • On Windows Vista, and later versions of Windows, to use the ComputerName parameter of Invoke-Command to run a command on the local computer, you must open Windows PowerShell with the "Run as administrator" option.

Chris Church

Sep 30, 2014, 2:00:02 PM
to ansible...@googlegroups.com
There is not a way to specify a "run as administrator" option to the remote shell.  I don't think it's an Ansible or pywinrm issue; I simply don't see a way to specify that option when creating a remote shell (http://msdn.microsoft.com/en-us/library/cc251739.aspx).

Your issue may be related to the "second hop" problem, where it's not allowing your credentials to be used by Invoke-Command:


I can reproduce it by running the following as a script:

Invoke-Command -ComputerName . { Write-Host "moo" }

I'm not quite sure what the fix would be at the moment -- suggestions welcome from any PowerShell experts lurking here. 




J Hawkesworth

Oct 2, 2014, 4:09:41 PM
to ansible...@googlegroups.com
Not hit this particular problem myself and am not a powershell expert but I have a couple of suggestions.

Last time I tried the raw module I came to the conclusion it was running something close to a DOS command environment, rather than a powershell environment. So maybe worth trying to turn your 'raw' into a 'script'.

Second (rather vague) suggestion is to make use of groups if possible and perhaps that way you don't need full administrator permissions, just logging in as a user who has sufficient group access to do whatever you need to do to IIS might be enough.

Hope that's some help, please let us know how you get on, I know I have IIS configuration tasks I want to automate in the future.

Jon
 

Trond Hindenes

Oct 2, 2014, 6:50:06 PM
to ansible...@googlegroups.com
Michael from what I can see you're running a command "through" a (Windows) Ansible node targeting another node ($server)? Why don't you just run it against $server directly from ansible?

Instead of
Ansible-->Managed Node-->$Server

Just to
Ansible-->$Server

You could be running into the double-hop issue, or it could be that the user setup in your ansible_ssh_user variable is a local user and not a domain one (in which case you can't use it to invoke a command on a remote computer).

The easiest way to tell what's going on is to check the security log on your $Server computer.
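
The security-log check suggested above can be scripted. This is an added example, not code from any poster in this thread: it classifies logon events 4624/4625 on $Server so that a double hop (which typically arrives as an ANONYMOUS LOGON network logon) can be told apart from a plain permissions problem. The account name 'deploy', the address 192.0.2.10 and the sample event are constructed placeholders.

```powershell
# Added example. The live query at the bottom needs an elevated session on $Server,
# because reading the Security log requires administrator rights.

function ConvertFrom-LogonEventXml {
    # Turns the XML of a 4624/4625 Security event into the fields that matter here.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId   = [int]$xml.SelectSingleNode("//*[local-name()='EventID']").InnerText
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']   # 3 = network logon (WinRM, SMB)
        Source    = $data['IpAddress']
    }
}

function Get-SecondHopVerdict {
    # $ExpectedUser is the account Ansible connects with (hypothetical name below).
    param([Parameter(Mandatory)]$Logon, [Parameter(Mandatory)][string]$ExpectedUser)
    if ($Logon.EventId -eq 4625) { return 'Logon failed: credentials rejected or not allowed here' }
    if ($Logon.User -eq 'ANONYMOUS LOGON') { return 'Anonymous logon: credentials were not delegated (double hop)' }
    if ($Logon.User -eq $ExpectedUser) { return 'Authenticated as expected: check share, NTFS or IIS permissions' }
    return 'Logon by another account'
}

# Constructed sample event (illustrative values, not taken from the thread).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
Get-SecondHopVerdict -Logon (ConvertFrom-LogonEventXml $sample) -ExpectedUser 'deploy'

# Live use on $Server: network logons and logon failures from the last 15 minutes.
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $logon = ConvertFrom-LogonEventXml $_.ToXml()
    if ($logon.LogonType -eq '3') {
        $logon | Add-Member NoteProperty Verdict (Get-SecondHopVerdict $logon 'deploy') -PassThru
    }
}
```

If the live query returns nothing at the time of the failed call, the request did not produce a logon attempt on $Server at all, which points at name resolution or network filtering rather than credentials.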

Michael Perzel

Oct 21, 2014, 2:07:05 PM
to ansible...@googlegroups.com
Sorry I forgot to get back to this post. I ended up following Trond's suggestion (I was having a double hop auth issue).  I now manage my windows servers directly (ie Ansible -> $Server no windows server in between).

I've also been using the script module instead of raw.

ale...@pollie.me

Jun 18, 2015, 2:31:38 PM
to ansible...@googlegroups.com
Hi @all,
I have an almost identical issue.
I am running a powershell script on srv01:
get-childitem \\srv01\share01
get-childitem \\srv02\share02
The first one is executing without issues, but on the second one I am receiving Access Denied.
It doesn't look like double hop trouble, but anyway, just in case, I've enabled PSRemoting and Enable-WsmanCredSSP.

J Hawkesworth

Jun 18, 2015, 3:54:12 PM
to ansible...@googlegroups.com
If it is working on \\srv01\ but not on \\srv02 then there is a difference between the two machines.

I suggest you check the event log on \\srv02, the configuration of the share02 sharing and the firewall on \\srv02.

If you are not using an Active Directory domain user, also check the same username and password is set up on \\srv02 as \\srv01.

Hope this helps,

Let us know how you get on.

Jon

ale...@pollie.me

Jun 18, 2015, 4:14:02 PM
to ansible...@googlegroups.com
Event log is empty, and there is no difference between those 2 servers; the firewall is disabled too.
And anyway, the script is executed with domain admin rights.
The weird thing is that I can execute the get-childitem \\srv02\share02 from any machine (including srv01), but not ansible.

Initially the purpose of the script was to copy a file from \\srv01 to \\srv02, but as I've got Access Denied, I decided to run an easier command like gci.
Any help/workaround appreciated.
Thx.

Trond Hindenes

Jun 18, 2015, 8:13:19 PM
to ansible...@googlegroups.com
So just to sum up:
Ansible-->srv01: You can list stuff in \\srv01\ but not \\srv02

Are you connecting to srv01 from ansible using a domain account or a local account? If local it's pretty logical that you have this issue: The user doesn't have any permissions outside srv01, so that's the only thing you can see.

For cross-machine boundaries you need to connect using a domain account. Or you can write an Ansible module which takes username/password as a parameter and pass that in (look at the PR for win_package in the "ansible-modules-extras" repo on GitHub, it has the functionality to get files from a UNC share using explicitly defined credentials).

ale...@pollie.me

Jun 19, 2015, 3:16:23 AM
to ansible...@googlegroups.com
Both servers are domain members and I am using a domain administrator account.
The following scheme doesn't work either:

Ansible ---> srv01 ---> srv01   works
                           |
                           ---> srv02  doesn't work

Ansible ---> srv02  ---> srv02  works
                            |
                            ---> srv01  doesn't work

This issue is quite critical for me as I really need to deploy windows machines the same way I do linux.

J Hawkesworth

Jun 19, 2015, 9:31:41 AM
to ansible...@googlegroups.com
I think what you describe is basically a second hop issue then.

I just found this https://msdn.microsoft.com/en-us/library/ee309365(v=vs.85).aspx regarding multi-hop configuration for winrm - I suggest working through it and seeing if it is any help.

Jon 

easy cure

Jul 24, 2015, 9:16:19 AM
to Ansible Project, ale...@pollie.me
Hi

Did you manage to fix the problem?


Cheers
easycure