As I mentioned in that issue, the processes run from Ansible with the
highest privileges available to the user. You can verify this by running
- win_command: whoami.exe /all
Here is roughly what you should see back:

(ansible-py37) jborean:~/dev/ansible-tester$ ansible 2019 -m win_command -a 'whoami.exe /all'
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible engine, or trying out features under development. This is a rapidly changing source of code and can become unstable at any point.
2019 | CHANGED | rc=0 >>

USER INFORMATION
----------------

User Name             SID
===================== =============================================
domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                          Attributes
============================================= ================ ============================================ ===============================================================
Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users                 Alias            S-1-5-32-559                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
DOMAIN\Domain Admins                          Group            S-1-5-21-2959096244-3298113601-420842770-512 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity    Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level          Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
You can see in the output the user has the 'BUILTIN\Administrators' group
that is Enabled and also has the 'Mandatory Label\High Mandatory Level'
label assigned to its groups. It also has a whole bunch of privileges
assigned to the token, which tells us the process is enabled. This should
have a fairly similar output to just running that locally, with a few slight
changes. If you compare that to a limited process I run locally, here is
what I get:
C:\Users\vagrant-domain>whoami.exe /all

USER INFORMATION
----------------

User Name             SID
===================== =============================================
domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                          Attributes
============================================= ================ ============================================ ===============================================================
Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users                 Alias            S-1-5-32-559                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Group used for deny only
NT AUTHORITY\REMOTE INTERACTIVE LOGON         Well-known group S-1-5-14                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                      Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                         Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
DOMAIN\Domain Admins                          Group            S-1-5-21-2959096244-3298113601-420842770-512 Group used for deny only
Authentication authority asserted identity    Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level        Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
We can see on a limited process the 'BUILTIN\Administrators' group is only
used for deny ACE checks and the label is 'Mandatory Label\Medium Mandatory
Level'.
Now, as to why the script isn't working, that I am not sure of, as your
output does not indicate that any errors occurred. As I was saying above,
running through WinRM usually means the user runs with the highest privilege
available to them. The only scenario I know of where that isn't the case
is if the LocalAccountTokenFilterPolicy reg property is not set and WinRM
has been explicitly set to grant non-admins access through WinRM. A quick
win_command: whoami.exe /all check will help tell you if that is the case.
Become usually fixes issues where the script works fine when run locally but
not through Ansible, but that's typically only in cases where you are
talking to external hosts like a file share. If the script isn't doing what
you expect but isn't failing, then you need to:
- Verify the script is actually running on the host you think it is
- Verify the paths in the script are where you think they are
- Figure out why errors are being silenced; a file doesn't just fail to
  be written without it erroring somewhere
Also, on an unrelated note to this issue, you can combine the win_copy and
win_shell tasks into just one using script, like so:

- name: Modify WinCollect Config File
  script: WinCollectConfig.ps1

That will find 'WinCollectConfig.ps1' in the files directory, copy it
to a temp location, execute it, then finally remove that temp file, all in one
step.
Thanks
Jordan
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/aecdcf92-4cbf-43c8-88c4-9c0043881959%40googlegroups.com.
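The elevation check described in the reply above, written as a script that can be run both locally and from a playbook via the script module, as an added example that is not part of the original post and not Ansible's own code. It parses the CSV form of whoami.exe /groups and /priv rather than the tabular output shown above, cross-checks the result against the .NET token API, reads the LocalAccountTokenFilterPolicy value the reply mentions, and exits non-zero when BUILTIN\Administrators is deny-only so the Ansible task fails instead of silently succeeding. The task snippet in the header comment and the file name Test-TokenElevation.ps1 are assumptions; the attribute strings it matches are the English ones whoami.exe prints in the output above, so a localised Windows would need them adjusted.

```powershell
# Added example, not from the original post or from Ansible.
# Suggested use from a playbook (task form is an assumption):
#   - name: Check the token Ansible runs under
#     script: Test-TokenElevation.ps1
# Run the same file locally from a normal (non-elevated) prompt to compare.

$ErrorActionPreference = 'Stop'   # surface errors instead of silently continuing

# whoami.exe can emit CSV, which is easier to check than the table shown in the post.
$groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
$privs  = whoami.exe /priv   /fo csv | ConvertFrom-Csv

# Match on SIDs, which are stable; the attribute text is what whoami prints in English.
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
$label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # Mandatory Label\...

$adminEnabled  = ($null -ne $admins) -and ($admins.Attributes -like '*Enabled group*')
$adminDenyOnly = ($null -ne $admins) -and ($admins.Attributes -like '*deny only*')

# Cross-check with the token API: IsInRole only considers enabled SIDs, so it
# returns $false when Administrators is present but deny-only (the filtered token).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity
$isInRole  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# LocalAccountTokenFilterPolicy = 1 stops UAC from filtering the token of remote
# logons by local administrator accounts. It does not affect domain accounts
# such as the domain\vagrant-domain user in the post.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
    -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

$enabledPrivs = @($privs | Where-Object { $_.State -eq 'Enabled' })

$result = [PSCustomObject]@{
    User                          = (whoami.exe)
    AdministratorsEnabled         = $adminEnabled
    AdministratorsDenyOnly        = $adminDenyOnly
    IsInRoleAdministrator         = $isInRole
    IntegrityLevel                = if ($label) { $label.'Group Name' } else { 'unknown' }
    EnabledPrivilegeCount         = $enabledPrivs.Count
    EnabledPrivileges             = ($enabledPrivs.'Privilege Name' -join ', ')
    LocalAccountTokenFilterPolicy = if ($null -eq $policy) { 'not set' } else { $policy }
}
$result | Format-List

# Fail the task when the token is filtered, so the problem is visible in the
# Ansible output rather than showing up later as a script that "did nothing".
if (-not $adminEnabled) {
    Write-Warning "Token is not elevated: BUILTIN\Administrators is '$($admins.Attributes)'"
    exit 1
}
```

With the elevated token from the post you should see AdministratorsEnabled and IsInRoleAdministrator both True, IntegrityLevel reporting High Mandatory Level and a large EnabledPrivilegeCount; from a plain local prompt the same script reports AdministratorsDenyOnly True, Medium Mandatory Level, a single enabled privilege (SeChangeNotifyPrivilege) and exits 1. The $ErrorActionPreference = 'Stop' line is the same habit worth adding to the WinCollect script itself: it turns the silently swallowed non-terminating errors the reply warns about into a failed task with a message.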