Issue #11469 has been updated by Josh Cooper. Status changed from Investigating to Needs More Information
Here's Tristan's original report: > Hi, I’ve had a play with the patch and it works for me as long as… > UAC is disabled on the box. > I’ve explicitly run puppet in a cmd.exe of a local account on the machine. > I created a local account as a member of Aministrators on the local machine. > Did a ‘runas /user:puppet “cmd.exe”’, and executed puppet agent -t in the new > cmd. Custom facts have downloaded and executed and all looks well. > >I don’t know much about windows admin, so this may not be a realistic >deployment scenario. I think it also requires UAC to be off, which is default >for servers but not for desktops (so the above process doesn’t work on a >desktop windows 7 box, but is OK on a server built 2008r2). One thing is that runas can't launch elevated processes, even when called from an Administrator's account. From [http://msdn.microsoft.com/en-us/library/bb756922.aspx](http://msdn.microsoft.com/en-us/library/bb756922.aspx): > Be aware that runas does not provide the ability to launch an application > with an elevated access token, regardless of whether it is a standard user > with privileges like a Backup Operator or an administrator. The runas command > grants the user the ability to launch an application with different > credentials. The best method to use to launch an application with a different > account is to perform the action programmatically by using a service and not > rely on the user to run the component as a different user. If your program > programmatically uses the runas command, ensure that it is not intended to > launch an elevated process. Since puppet requires elevated privileges to do anything useful, I recommend either adding a scheduled task to run puppet with the 'Run with highest privileges' option enabled, or installing puppet as a service (using nssm described in the wiki). I'll update the wiki to describe our UAC requirements in more detail, but in the meantime, if you find that puppet still cannot operating correctly when running with elevated privileges, please let me know. Also, can you sign our CLA so that I can re-assign this to you? ---------------------------------------- Bug #11469: Puppet Windows UAC issues https://projects.puppetlabs.com/issues/11469 Author: Josh Cooper Status: Needs More Information Priority: Normal Assignee: Category: windows Target version: Affected Puppet version: 2.7.6 Keywords: Branch: Tristan Colgate-McFarlane reported problems with UAC and puppet. UAC is enabled by default on Windows 7, but not 2008. More research is needed to determine what the exact problem is, and what fixes are required. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
