Need win_shell to run with elevated privileges

[Arielle Adams]

Hi,

I'm unable to get win_shell to run with elevated "run as admin" privileges. I have the details posted below in this issue:

https://github.com/ansible/ansible/issues/68086

As stated, I tried to see if it could be a double hop issue by adding the become logic but this did not work. The script runs perfectly locally, just need to automate this using ansible.

If anyone has any idea as to why this isn't working properly I'd greatly appreciate it.

[Jordan Borean]

As I mentioned in that issue the processes run from Ansible with the highest privileges available to the user you can verify this by running

- win_command: whoami.exe /all

Here is what you should roughly see back

(ansible-py37) jborean:~/dev/ansible-tester$ ansible 2019 -m win_command -a 'whoami.exe /all'
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible engine, or trying out features under development. This is a rapidly
changing source of code and can become unstable at any point.
2019 | CHANGED | rc=0 >>

USER INFORMATION
----------------

User Name             SID                                          
===================== =============================================
domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                          Attributes                                                    
============================================= ================ ============================================ ===============================================================
Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group            
BUILTIN\Performance Log Users                 Alias            S-1-5-32-559                                 Mandatory group, Enabled by default, Enabled group            
BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group            
BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group            
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group            
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group            
DOMAIN\Domain Admins                          Group            S-1-5-21-2959096244-3298113601-420842770-512 Mandatory group, Enabled by default, Enabled group            
Authentication authority asserted identity    Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group            
DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level          Label            S-1-16-12288                                                                                                


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

You can see in the output the user has the 'BUILTIN\Administrators' group that is Enabled and also has the 'Mandatory Label\High Mandatory Level' label assigned to it's groups. It also has a whole bunch of privileges assigned to the token which tells us the process is enabled. This should have a fairly similar output to just running that locally with a few slight changes. If you compare that to a limited process I run locally here is what I get

C:\Users\vagrant-domain>whoami.exe /all

USER INFORMATION
----------------

User Name             SID
===================== =============================================
domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                          Attributes
============================================= ================ ============================================ ===============================================================
Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users                 Alias            S-1-5-32-559                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Group used for deny only
NT AUTHORITY\REMOTE INTERACTIVE LOGON         Well-known group S-1-5-14                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                      Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                         Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
DOMAIN\Domain Admins                          Group            S-1-5-21-2959096244-3298113601-420842770-512 Group used for deny only
Authentication authority asserted identity    Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level        Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

We can see on a limited process the 'BUILTIN\Administrators' group is only used for deny ACE checks and the label is 'Mandatory Label\Medium Mandatory Level'.

Now as to why the script isn't working that I am not sure on as your output does not indicate it had any errors occur. As I was saying above running through WinRM usually means the user runs as the highest privilege available to them. The only scenario I know off where that isn't the case is if the LocalAccountTokenFilterPolicy reg property is not set and WinRM has been explicitly set to grant non-admins access through WinRM. A quick win_command: whoami.exe /all check will help tell you if that is the case.

Become usually fixes issue where the script works fine when run locally but not through Ansible but that's typically only in cases where you are talking to external hosts like a file share. If the script isn't doing what you expect but isn't failing then you need to;

• Verify the script is actually running on the host you think it is
• The paths in the script are where you think they are
• Figure out why errors are being silenced, a file doesn't just fail to be written without it erroring somewhere
  

Also on an unrelated note to this issue you can combine the win_copy and win_shell task into just 1 using script like so;

- name: Modify WinCollect Config File
  script: WinCollectConfig.ps1

That will find the 'WinCollectConfig.ps1' in the files directory, copy it to a temp location, execute it, then finally remove that temp file all in 1 step.

Thanks

Jordan