I ended up giving the user explicit access to the registry key and all playbooks begin with flipping the value, doing the work, then flipping it back. We are working on a domain solution so the local accounts won't be an issue one day...
We're using a DoD STIG image for our Windows servers which has a number of other security settings. I've added a screenshot of our registry that you may be able to mimic to get it to break. We're on 2012 for this particular server. Path is: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system. If you're using AWS I can probably share an AMI that has the issue with your account.

<https://lh3.googleusercontent.com/-NF9AULtpLGY/WCnqsVijl6I/AAAAAAAAAAM/v9kQRim14gMsmVjQLnS8fGe9E5EMtDlJQCLcB/s1600/Registry.PNG>

On Monday, November 14, 2016 at 11:31:41 AM UTC-5, Matt Davis wrote:
>
> I'm actually curious how you got LocalAccountTokenFilterPolicy to cause restriction under WinRM. I've tried many combos of 2008R2/2012R2/2016 under full UAC prompt requirements, domain-joined/not, various users, etc., to no avail; I can't get it to restrict the admin group for a local user in a WinRM session. I'm actually running into UAC issues under the become prototypes (since we're now using interactive logons instead of batch), but I can't get that particular one to break.
>
> On Monday, November 14, 2016 at 2:29:43 AM UTC-8, J Hawkesworth wrote:
>>
>> I'm guessing that applying the LocalAccountTokenFilterPolicy kicks your ansible connection out before it can respond.
>>
>> Since you are on 2.2 you should be able to use async, which might let you switch from 0 - 1
>>
>> There isn't a way to become another user yet on windows but it is slated for 2.3 - see
>> https://github.com/ansible/ansible/blob/devel/docsite/rst/roadmap/ROADMAP_2_3.rst
>>
>> Hope this helps,
>>
>> Jon
>>
>> On Friday, November 11, 2016 at 4:14:22 PM UTC, [email protected] wrote:
>>>
>>> Our environment is under some pretty strict security requirements and it's causing lots of issues. First, we don't have an active directory set up (all local accounts, I know it's stupid but I'm just the idiot trying to clean it up). Then, we have this LocalAccountTokenFilterPolicy registry setting set to 1 so every time I try to run something I get permission errors as it lowers permissions.
>>>
>>> I am allowed to temporarily disable the LocalAccountTokenFilterPolicy to do what I need to do, but need a mechanism to do that. I'm able to use win_command to switch it from 1 to 0 but can't switch it from 0 - 1.
>>>
>>> Is there any way to get in with WinRM through ansible then run a command as an elevated user?
>>>
>>> Thanks!
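The flip-the-value, do-the-work, flip-it-back pattern from the first message, as an added example that is not code from the thread or from Ansible itself: a play that sets LocalAccountTokenFilterPolicy with win_regedit inside a block and restores the baseline value in always, so the hardened setting comes back even when a task in the middle fails, and then checks that the restore actually took. The inventory group and the two values are placeholders (the baseline of 1 and working value of 0 follow the thread's usage), and the module parameter names are the current win_regedit/win_reg_stat ones (path, name, data, type), which are newer than the 2.2 release the thread mentions.

```yaml
# Added example (not from the thread): temporarily change LocalAccountTokenFilterPolicy,
# run the privileged work, and restore the baseline value even when a task fails.
# The inventory group and the two values are placeholders; set them for your site.
- name: Change LocalAccountTokenFilterPolicy only for the duration of the play
  hosts: windows_servers            # placeholder inventory group
  gather_facts: no
  vars:
    latfp_key: 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    latfp_baseline: 1               # value the hardened image ships with (thread's baseline)
    latfp_working: 0                # value the work needs (thread's working value)
  tasks:
    - block:
        - name: Set the working value
          win_regedit:
            path: "{{ latfp_key }}"
            name: LocalAccountTokenFilterPolicy
            data: "{{ latfp_working }}"
            type: dword

        - name: Do the privileged work here
          win_command: whoami /groups   # stand-in for the real tasks

      always:
        - name: Restore the baseline value (runs even if the block above failed)
          win_regedit:
            path: "{{ latfp_key }}"
            name: LocalAccountTokenFilterPolicy
            data: "{{ latfp_baseline }}"
            type: dword

        - name: Fail loudly if the restore did not take
          win_reg_stat:
            path: "{{ latfp_key }}"
            name: LocalAccountTokenFilterPolicy
          register: latfp_after
          failed_when: latfp_after.value != latfp_baseline
```

If the restore task itself drops the WinRM session, as Jon suspected in the thread, his async suggestion applies to that task.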
