I'm actually curious how you got LocalAccountTokenFilterPolicy to cause restriction under WinRM - I've tried many combos of 2008R2/2012R2/2016 under full UAC prompt requirements, domain-joined/not, various users, etc., to no avail - I can't get it to restrict the admin group for a local user in a WinRM session. I'm actually running into UAC issues under the become prototypes (since we're now using interactive logons instead of batch), but I can't get that particular one to break.

On Monday, November 14, 2016 at 2:29:43 AM UTC-8, J Hawkesworth wrote:
>
> I'm guessing that applying the LocalAccountTokenFilterPolicy kicks your
> ansible connection out before it can respond.
>
> Since you are on 2.2 you should be able to use async, which might let you
> switch from 0 - 1
>
> There isn't a way to become another user yet on windows but it is slated
> for 2.3 - see
> https://github.com/ansible/ansible/blob/devel/docsite/rst/roadmap/ROADMAP_2_3.rst
>
> Hope this helps,
>
> Jon
>
> On Friday, November 11, 2016 at 4:14:22 PM UTC, [email protected] wrote:
>>
>> Our environment is under some pretty strict security requirements and
>> it's causing lots of issues. First, we don't have an active directory set
>> up (all local accounts, I know it's stupid but I'm just the idiot trying to
>> clean it up). Then, we have this LocalAccountTokenFilterPolicy registry
>> setting set to 1 so every time I try to run something I get permission
>> errors as it lowers permissions.
>>
>> I am allowed to temporarily disable the LocalAccountTokenFilterPolicy to
>> do what I need to do, but need a mechanism to do that. I'm able to use
>> win_command to switch it from 1 to 0 but can't switch it from 0 - 1.
>>
>> Is there any way to get in with WinRM through ansible then run a command
>> as an elevated user?
>>
>> Thanks!
>>
