Getting a batch to run as administrator Windows


lpesc...@google.com

Jan 24, 2018, 12:30:39 PM
to Ansible Project
Hi, 

TL;DR - need the "run as administrator" to be automated.


I have tried and tried to get a bat file to run as administrator on a Windows box.
What it is supposed to do is chmod a file in Cygwin.
Manually, if I right-click and run as administrator, it works fine.
If I run my play (below), it gives no error, but does not do anything (I run the bat manually, not as admin, and get an error saying permission denied, so it's definitely a permissions issue that running as admin solves).
I tried win_ps_exec, but I get an error there saying psexec.exe not found.
What can I do to fix it?

- name: copy chmod batch file over
  win_copy:
    src: /ansible/batch/chmod.bat
    dest: C:\TEMP\chmod.bat

- name: copy chmod sh file over
  win_copy:
    src: /ansible/batch/chmod.sh
    dest: C:\TEMP\chmod.sh

- name: Run Batch File
  win_command: C:\TEMP\chmod.bat


Contents of bat:

C:\cygwin\bin\mintty.exe C:\TEMP\chmod.sh

Contents of sh:

chmod 660 /etc/rsyncd.secrets





Jordan Borean

Jan 24, 2018, 4:21:29 PM
to Ansible Project
I don't think it is an elevation issue but rather a WinRM issue. All commands run in WinRM run under an elevated token; you can test this out by running

ansible -i inventory.ini hosts -m win_command -a "whoami /all"

You would get a similar output to the below

(ansible-py36) jborean:~/dev/module-tester$ ansible -i inventory.ini '2016' -m win_command -a "whoami /all"
SERVER2016.domain.local | SUCCESS | rc=0 >>

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
domain\vagrant-domain S-1-5-21-3242954042-3778974373-1659123385-1104


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                           Attributes
============================================= ================ ============================================= ===============================================================
Everyone                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
DOMAIN\Domain Admins                          Group            S-1-5-21-3242954042-3778974373-1659123385-512 Mandatory group, Enabled by default, Enabled group
DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-3242954042-3778974373-1659123385-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level          Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

The key info here is the mandatory label assigned to the user: Mandatory Label\High Mandatory Level means an administrator token, while Medium means a normal token.

I would say this issue is because a WinRM process runs under a network logon, compared to running it locally, which is an interactive logon; there are some differences between the two, and some programs fail to run on the former. Unfortunately I don't have Cygwin installed locally so I can't test it out right now.

What you will need to do is either

* Use become on the win_command task (will only work if you are on 2.5/devel or newer)
* Use win_psexec to run the command as the SYSTEM account

With Ansible 2.5 (devel branch), become will be able to run a process under an "interactive" logon and so you can do the following

- win_command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
  become: yes
  become_method: runas
  become_user: SYSTEM

# or this if it needs to run under the same user
- win_command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
  become: yes
  become_method: runas
  vars:
    ansible_become_user: '{{ansible_user}}'
    ansible_become_pass: '{{ansible_password}}'

The first one is preferable as you don't need to supply a password to become the SYSTEM account while the 2nd option can be used if you need to run it as the same user.

If you are not on Ansible 2.5 (devel), then win_psexec is probably your next best bet. The executable psexec.exe is not included with Windows and so needs to be installed for it to work; you would need to have

- win_chocolatey:
    name: psexec
    state: present

- win_psexec:
    command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
    interactive: yes
    system: yes

Other options would be to use scheduled tasks, but honestly you are best off using become if you are on 2.5; otherwise win_psexec is the next best option.

I've tried to explain the concept of elevation and logon session a bit further on a blog post https://www.bloggingforlogging.com/2018/01/24/demystifying-winrm/, feel free to read it if you like.

Thanks

Jordan
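As an added example (not part of Jordan's reply, and not Ansible's own code): a small bash helper for the controller side that classifies the whoami /all text returned by the ad-hoc command above, using the Mandatory Label row and the attributes on the BUILTIN\Administrators row. It goes a step beyond the reply by also recognising a UAC-filtered admin token (Medium label with Administrators marked "Group used for deny only"); the sample captures are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): classify a captured "whoami /all",
# e.g. from  ansible -i inventory.ini hosts -m win_command -a "whoami /all",
# by its integrity label and its BUILTIN\Administrators row. This tells an
# elevated WinRM token apart from a UAC-filtered admin token before you reach
# for become/win_psexec. Samples below are constructed, not from real hosts.

classify_token() {
  local text label admins
  text=$(cat)                       # whoami /all text on stdin
  # Integrity label, e.g. "Mandatory Label\High Mandatory Level ... S-1-16-12288"
  label=$(printf '%s\n' "$text" | grep -o 'Mandatory Label\\[A-Za-z]* Mandatory Level' | head -n 1)
  # Administrators row; match on the well-known SID because a line-wrapped
  # capture may put the "BUILTIN" prefix on its own line (as in the thread).
  admins=$(printf '%s\n' "$text" | grep 'S-1-5-32-544' | head -n 1)

  case "$label" in
    *"High Mandatory"*|*"System Mandatory"*)
      echo "elevated" ;;              # full admin token (High = S-1-16-12288)
    *"Medium Mandatory"*)
      # UAC keeps the Administrators SID in a filtered token but flags it
      # "Group used for deny only"; a plain user token has no such row at all.
      case "$admins" in
        *"deny only"*) echo "filtered-admin" ;;
        "")            echo "standard-user" ;;
        *)             echo "medium-admin" ;;
      esac ;;
    *"Low Mandatory"*) echo "low" ;;
    *) echo "unknown" ;;
  esac
}

# Constructed sample captures (only the rows the classifier looks at).
SAMPLE_ELEVATED='BUILTIN\Administrators  Alias  S-1-5-32-544  Mandatory group, Enabled by default, Enabled group, Group owner
Mandatory Label\High Mandatory Level  Label  S-1-16-12288'
SAMPLE_FILTERED='BUILTIN\Administrators  Alias  S-1-5-32-544  Group used for deny only
Mandatory Label\Medium Mandatory Level  Label  S-1-16-8192'
SAMPLE_USER='BUILTIN\Users  Alias  S-1-5-32-545  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level  Label  S-1-16-8192'

for name in SAMPLE_ELEVATED SAMPLE_FILTERED SAMPLE_USER; do
  eval "capture=\$$name"
  printf '%-16s -> %s\n' "$name" "$(printf '%s\n' "$capture" | classify_token)"
done
```

Feed it the real output with something like `ansible ... -a "whoami /all" | classify_token`; "elevated" means the token is already High integrity and a failure is more likely the network-vs-interactive logon difference than missing elevation.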

Larry Pescatore

Jan 25, 2018, 12:12:57 PM
to ansible...@googlegroups.com
Looks like the become works!
However, in this case the syntax needs to be:

- win_command: 'cmd.exe /c "start C:\cygwin\bin\bash -li /cygdrive/c/TEMP/chmod.sh"'
  become: yes
  become_method: runas
  become_user: SYSTEM


I appreciate your help! I have like 4 or 5 scripts that I need elevation to run. 




--
Thank you, 
Larry Pescatore
Lab Engineer, ERG Inc. @ Google