how to start / stop windows services as unprivileged user via ansible?
83 views
Skip to first unread message
0asp0
Jul 2, 2021, 8:02:47 AM7/2/21
to Ansible Project
Hi, I need to start / stop services as unprivileged user via ansible on a windows machine. So ansible will login as unprivileged user.
When I connect via RDP i can start / stop services via net start / stop <serviceName>.
To allow the user to start / stop the service, I added following permissions like in the guide here: https://stackoverflow.com/questions/4436558/start-stop-a-windows-service-from-a-non-administrator-user-account
I tried both: the recommended version of win32-openssh linked in ansible documentation and WinRM. I would say I have the same issues on both.
When I connect via RDP i can start / stop services via net start / stop <serviceName>.
To allow the user to start / stop the service, I added following permissions like in the guide here: https://stackoverflow.com/questions/4436558/start-stop-a-windows-service-from-a-non-administrator-user-account
I also tried to give the same permissions as builtin administrators (BA), but no change.
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-881029431-239188376-3696334862-1013)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
When trying to sent net start/stop <serviceName> via ssh or winrm I get following error:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-881029431-239188376-3696334862-1013)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
When trying to sent net start/stop <serviceName> via ssh or winrm I get following error:
Systemfehler 5 aufgetreten.
Zugriff verweigert
When trying the same as administrator it works fine.
When using ansible with module win_service I get following error:
<192.168.3.xxx> ESTABLISH SSH CONNECTION FOR USER: jboss-myEnv01
<192.168.3.xxx> SSH: EXEC sshpass -d8 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="jboss-myEnv01"' -o ConnectTimeout=10 -o ControlPath=/home/aschampe/.ansible/cp/e6487bf836 192.168.3.xxx 'chcp.com 65001 >nul 2>&1 && PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA='
<192.168.3.xxx> (1, '{"exception":"Der Dienststeuerungs-Manager auf dem Computer . kann nicht ge\xc3\xb6ffnet werden. M\xc3\xb6glicherweise verf\xc3\xbcgen Sie nicht \xc3\xbcber die Berechtigung zum Ausf\xc3\xbchren dieses Vorgangs.\\r\\nIn Zeile:416 Zeichen:8\\r\\n+ $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayN ...\\r\\n+ ~~~~~~~~~~~\\r\\n + CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException\\r\\n + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand\\r\\n\\r\\nScriptStackTrace:\\r\\nbei \\u003cScriptBlock\\u003e, \\u003cKeine Datei\\u003e: Zeile 416\\r\\n\\r\\nSystem.InvalidOperationException: Der Dienststeuerungs-Manager auf dem Computer . kann nicht ge\xc3\xb6ffnet werden. M\xc3\xb6glicherweise verf\xc3\xbcgen Sie nicht \xc3\xbcber die Berechtigung zum Ausf\xc3\xbchren dieses Vorgangs. ---\\u003e System.ComponentModel.Win32Exception: Zugriff verweigert\\r\\n --- Ende der internen Ausnahmestapel\xc3\xbcberwachung ---\\r\\n bei System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManaqerAccess)\\r\\n bei System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType)\\r\\n bei System.ServiceProcess.ServiceController.GetServices()\\r\\n bei Microsoft.PowerShell.Commands.MultipleServiceCommandBase.get_AllServices()\\r\\n bei Microsoft.PowerShell.Commands.MultipleServiceCommandBase.MatchingServicesByServiceName()\\r\\n bei Microsoft.PowerShell.Commands.MultipleServiceCommandBase.MatchingServices()\\r\\n bei Microsoft.PowerShell.Commands.GetServiceCommand.ProcessRecord()\\r\\n bei System.Management.Automation.CommandProcessor.ProcessRecord()","msg":"Unhandled exception while executing module: Der Dienststeuerungs-Manager auf dem Computer . kann nicht ge\xc3\xb6ffnet werden. M\xc3\xb6glicherweise verf\xc3\xbcgen Sie nicht \xc3\xbcber die Berechtigung zum Ausf\xc3\xbchren dieses Vorgangs.","failed":true}\r\n', '#< CLIXML\r\n<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Module werden f\xc3\xbcr erstmalige Verwendung vorbereitet.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>')
<192.168.3.xxx> Failed to connect to the host via ssh: #< CLIXML
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Module werden für erstmalige Verwendung vorbereitet.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
The full traceback is:
Der Dienststeuerungs-Manager auf dem Computer . kann nicht geöffnet werden. Möglicherweise verfügen Sie nicht über die Berechtigung zum Ausführen dieses Vorgangs.
In Zeile:416 Zeichen:8
+ $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayN ...
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
ScriptStackTrace:
bei <ScriptBlock>, <Keine Datei>: Zeile 416
System.InvalidOperationException: Der Dienststeuerungs-Manager auf dem Computer . kann nicht geöffnet werden. Möglicherweise verfügen Sie nicht über die Berechtigung zum Ausführen dieses Vorgangs. ---> System.ComponentModel.Win32Exception: Zugriff verweigert
--- Ende der internen Ausnahmestapelüberwachung ---
bei System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManaqerAccess)
bei System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType)
bei System.ServiceProcess.ServiceController.GetServices()
bei Microsoft.PowerShell.Commands.MultipleServiceCommandBase.get_AllServices()
bei Microsoft.PowerShell.Commands.MultipleServiceCommandBase.MatchingServicesByServiceName()
bei Microsoft.PowerShell.Commands.MultipleServiceCommandBase.MatchingServices()
bei Microsoft.PowerShell.Commands.GetServiceCommand.ProcessRecord()
bei System.Management.Automation.CommandProcessor.ProcessRecord()
SSW-Win1 | FAILED! => {
"changed": false,
"msg": "Unhandled exception while executing module: Der Dienststeuerungs-Manager auf dem Computer . kann nicht geöffnet werden. Möglicherweise verfügen Sie nicht über die Berechtigung zum Ausführen dieses Vorgangs."
}
I also give this article a chance https://support.microsoft.com/en-us/topic/block-remote-callers-who-are-not-local-administrators-from-starting-stopping-services-c5f77f8e-09e6-57e6-72d1-2c4423627a24 and disabled the check systemwide. No effect.
When trying the same with an administrative account via ssh, it works fine.
Any ideas / hints are welcome.
Thanks in advance, Andreas
Reply all
Reply to author
Forward
0 new messages