Using ansible on windows with UAC enabled
2,583 views
Skip to first unread message
Marc Farrow
Feb 2, 2016, 8:58:33 AM2/2/16
to Ansible Project
Hi All,
This is a basic question as I'm just getting started with Ansible. I've got this working perfectly on our Linux distributions but not on Windows.
Our environment dictates we need UAC enabled and we cannot use the built in administrator account for day to day activities. With ansible some of the modules work perfectly. However I'm having an issue with the modules such as win_msi that effectively need elevated permissions within UAC to "runas" administrator. If I run win_msi as the actual administrator (edit the ssh_user as the actual local administrator) then it works fine. But switching to either a domain user or a local user that's added to the local administrators group fails with access denied. Running the same command on the server requires me to either run the command in an elevated window or accept the prompts to install as administrator. WinRM is working as expected as I can perform tasks that don't require elevated permissions perfectly with the domain or local user.
Does ansible have any way around this? I see from the notes that at some point "runas" is going to be enabled for windows, I guess this might be when powershell starts to support SSH?
But if anyone has any advice then this would be greatly appreciated.
Thanks
Marc
This is a basic question as I'm just getting started with Ansible. I've got this working perfectly on our Linux distributions but not on Windows.
Our environment dictates we need UAC enabled and we cannot use the built in administrator account for day to day activities. With ansible some of the modules work perfectly. However I'm having an issue with the modules such as win_msi that effectively need elevated permissions within UAC to "runas" administrator. If I run win_msi as the actual administrator (edit the ssh_user as the actual local administrator) then it works fine. But switching to either a domain user or a local user that's added to the local administrators group fails with access denied. Running the same command on the server requires me to either run the command in an elevated window or accept the prompts to install as administrator. WinRM is working as expected as I can perform tasks that don't require elevated permissions perfectly with the domain or local user.
Does ansible have any way around this? I see from the notes that at some point "runas" is going to be enabled for windows, I guess this might be when powershell starts to support SSH?
But if anyone has any advice then this would be greatly appreciated.
Thanks
Marc
J Hawkesworth
Feb 2, 2016, 9:48:16 AM2/2/16
to Ansible Project
Yeah this stuff is frustrating...
You can disable UAC just for Administrators ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
Regular, non admin users will still get UAC prompts.
Hope this helps
Jon
Marc Farrow
Feb 4, 2016, 6:09:29 AM2/4/16
to Ansible Project
Thanks Jon,
I've got it working now.
I also think I made a silly error in the group_vars in regard to the configured SSH_USER. Changing that has now got this working.
Thanks
Marc
I've got it working now.
I also think I made a silly error in the group_vars in regard to the configured SSH_USER. Changing that has now got this working.
Thanks
Marc
Reply all
Reply to author
Forward
0 new messages