This is working as designed; the runas become method is used to run a process 
under a different logon type rather than escalating privileges. There is no 
need to escalate privileges within WinRM as each process is run like it would 
when right clicking on an exe and saying run as administrator.

The reason why you might still be getting an access is denied error is that a 
WinRM process is run within a network logon session compared to an interactive 
session when it is run locally. Windows restricts what a network logon session 
can do within Windows and one of the most common restrictions people come 
across is not being able to access WUA (Windows Update API). So what Ansible 
does with the runas implementation is to create a new logon session with the 
credentials provided as an interactive session and then run the process on that 
new session. This means that any restrictions that are in place under the WinRM 
session are removed and the process will run exactly like it would when doing it 
locally.

Unfortunately the runas implementation is set as experimental before 2.5 
(current devel branch) where you can run under an interactive session but it 
won’t have administrative privileges. This can be bypassed but it requires some 
security settings to be bypassed which is not fully recommended. If you are 
running devel or plan to use 2.5 when it is released you should have any issues.

To answer your question around whether the password is required. The runas 
become method is Ansible’s implementation of the runas executable 
https://technet.microsoft.com/en-us/library/bb490994.aspx where a username and 
password are required. The internal Win32 APIs that are called require both the 
username and password to be set and we can’t bypass that. In the end you do 
need to specify a password to use become for a normal account but there is 
another option if you are on the devel branch. You can become the SYSTEM 
account by setting SYSTEM as the become_user and this does not require a 
password. The SYSTEM account is like root on Windows and can do pretty much 
anything.

In the end, become runas is experimental in 2.3 and 2.4 and if you are on these 
versions I would recommend you use a scheduled task or psexec to bypass these 
issues for now. If you are using the devel branch then I would highly 
recommend you use become as either the SYSTEM account which doesn’t require a 
password or the same account and set the password.

Thanks

Jordan
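
The two become options recommended in the message above, written out as a playbook. This is an added example, not part of the original message or the Ansible project's own code; the `windows` host group, the `runas_user` and `runas_password` variables and the vaulted `vault_runas_password` secret are assumptions, and the `win_whoami` check assumes Ansible 2.5 or later.

```yaml
# Added example. Inventory group, variable names and the vaulted secret
# are assumptions, not values from the original message.
- name: Run tasks in a new logon session instead of the WinRM network logon
  hosts: windows                      # assumed inventory group
  gather_facts: no
  vars:
    # Assumed: become the same account that WinRM connects with
    runas_user: "{{ ansible_user }}"
    # Assumed: secret kept in an Ansible Vault file, never in plain text
    runas_password: "{{ vault_runas_password }}"

  tasks:
    - name: Option 1 - become SYSTEM (no password required)
      win_updates:
        category_names:
          - SecurityUpdates
        state: searched               # only query WUA, install nothing
      become: yes
      become_method: runas
      become_user: SYSTEM

    - name: Option 2 - become the same account and supply its password
      win_updates:
        category_names:
          - SecurityUpdates
        state: searched
      become: yes
      become_method: runas
      become_user: "{{ runas_user }}"
      vars:
        ansible_become_pass: "{{ runas_password }}"
      no_log: true                    # keep the password out of task output

    - name: Check which logon type the become session received
      win_whoami:
      become: yes
      become_method: runas
      become_user: "{{ runas_user }}"
      vars:
        ansible_become_pass: "{{ runas_password }}"
      register: whoami

    - name: Show the logon type (Interactive expected, not Network)
      debug:
        var: whoami.logon_type
```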
