Hey

I haven't tested it when running on a non DA account (my test environments 
are very basic) but have tested running it on a non DC host with a DA 
account. I would assume it would be possible to run this on a non DC and 
non DA account if that is what you wish but believe you would need to 
satisfy the following requirements

* The Windows feature 'RSAT-AD-PowerShell' is installed on the server
* You are using an account that has permission to edit the AD objects
* You are using a transport that supports credential delegation (CredSSP or 
Kerberos with ansible_winrm_kerberos_delegation=true)
* Account must be Administrator of remote server (not DC) or configured to 
allow non Administrators to connect

The 1st 3 are easy to achieve but the last I've never really investigated 
myself so cannot give you an in depth guide but that page you linked seemed 
to be along the lines of what I remembered was the case. I do know others 
have gotten it to work and the content on that guide seems a bit old/off 
but some of these pages might help.

https://serverfault.com/questions/590515/how-to-allow-access-to-winrs-for-non-admin-user
https://github.com/ansible/ansible/issues/16478 - this seems to be 
promising and looks quite easy to change

I would probably try and test it out with the following scenarios to try 
and narrow down your options, see what works and go from there. Each 
of the options will rule out issues with a particular scenario, and the 
further down means more configuration away from the default

* Run module with domain admin account on DC
* Run module with domain admin account on non DC
* Run module with non domain admin account on DC
* Run module with non domain admin account on non DC

Keep in mind Enter-PSSession uses the PowerShell Remoting Protocol while 
Ansible just uses WSMan/WSMV/insert other name here, so they have different 
permissions and end points you need to change the SDDL for.

You can test the account by running the following command on one of your 
Windows hosts

winrs -r:http://192.168.1.1:5986/wsman -u:nonAdmin -p:password ipconfig


This will run with winrs instead of PSRP and if you get this to work with 
your non admin account it should work with Ansible.

Thanks

Jordan
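
As an added example (not part of the original message and not Ansible's own code), this PowerShell script checks two of the listed requirements on the target host, the RSAT-AD-PowerShell feature and local Administrators membership, and prints the ACLs of the WSMan service root and of the PSRP endpoint side by side. The account name is a placeholder, and treating the WSMan RootSDDL and the default Microsoft.PowerShell session configuration as the two ACLs of interest is an assumption; AD object permissions and credential delegation are not checked.

```powershell
# Added example: run in an elevated PowerShell 5.1 session on the target Windows Server host.
param(
    [string]$Account = 'EXAMPLE\nonAdmin'   # placeholder account name (assumption)
)

# Requirement: the AD PowerShell module feature is installed.
$feature = Get-WindowsFeature -Name 'RSAT-AD-PowerShell'
"RSAT-AD-PowerShell installed: $($feature.Installed)"

# Requirement: direct membership of the local Administrators group (well-known SID S-1-5-32-544).
# Membership gained through nested domain groups is not expanded here.
$admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
$isAdmin = [bool]($admins | Where-Object { $_.Name -eq $Account })
"$Account is a direct local Administrator: $isAdmin"

# Print every ACE of an SDDL string as: type, principal, access mask.
function Show-SddlAcl {
    param([string]$Label, [string]$Sddl)
    "--- $Label ---"
    if (-not $Sddl) { '  (no SDDL set)'; return }
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: print it raw
        '  {0,-14} {1,-40} mask=0x{2:X8}' -f $ace.AceType, $who, $ace.AccessMask
    }
}

# ACL on the WSMan service root.
Show-SddlAcl 'WSMan service RootSDDL' (Get-Item -Path 'WSMan:\localhost\Service\RootSDDL').Value

# ACL on the default PSRP endpoint, the one Enter-PSSession connects to.
$psrp = Get-PSSessionConfiguration -Name 'Microsoft.PowerShell'
Show-SddlAcl 'PSRP endpoint Microsoft.PowerShell' $psrp.SecurityDescriptorSddl
```

If the non-admin account or one of its groups appears in one listing but not the other, that difference is the kind of per-endpoint permission gap the message describes.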
