
Ansible playbook, what is the proper syntax to run a powershell script with a specific (domain) user, in an elevated mode?

Running Ansible 2.4.2 in an offline environment, using Kerberos to authenticate.

Via an ansible playbook, what is the proper syntax to run a powershell script with a specific (domain) user: DOMAIN\someuser, in an elevated mode?

By elevated mode I mean that in the Windows interface, I'd run the script by logging in as DOMAIN\someuser, then right-clicking a cmd or PowerShell prompt shortcut and choosing "Run as administrator". This of course does not mean I can run the script with the local user "administrator".

What I want to run is:

powershell.exe -executionpolicy bypass -noninteractive -nologo -file "myscript.ps1" 

What I tried in a become.yml:

- name: sigh
  win_command: powershell.exe -executionpolicy bypass -noninteractive -nologo -file "myscript.ps1" 
  become: yes
  become_user: DOMAIN\someuser
  become_password: someuserpassword
  become_method: runas

The script runs, with errors that relate to it not running in elevation. Tried the same with win_shell and raw. Tried without the become_user and become_password (the yml runs with the [email protected] user and password so I don't really know if it's required for become).

I'm dragging through this and finding no reference to a solution via become: http://docs.ansible.com/ansible/latest/become.html

Any ideas?

Nahshon paz asked Feb 07 '18 10:02


2 Answers

I did the following to get it working in my playbook:

- name: Run ps1 script in privileged mode
  hosts: "{{ my_hosts }}"
  become_method: runas

  vars:
    ansible_become_password: mysupersecretpasswrod

  tasks:
    - win_shell: '.\myscript.ps1'
      become: yes
      become_user: Administrator

Christina A answered Sep 22 '22 00:09
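
An added example, not part of the answer above: the same `runas` become pattern with the password pulled from an Ansible Vault file instead of written into the playbook, plus a check that the become token is actually elevated before the script runs. The file name `vault.yml` and the variable `vault_become_password` are assumptions made for this example; `my_hosts`, `DOMAIN\someuser` and `myscript.ps1` are taken from the posts above.

```yaml
# Added example. vault.yml and vault_become_password are hypothetical names;
# the file is created with `ansible-vault create vault.yml`.
- name: Run ps1 script as a domain user and confirm elevation first
  hosts: "{{ my_hosts }}"
  become_method: runas

  vars_files:
    - vault.yml                # encrypted; defines vault_become_password

  vars:
    ansible_become_password: "{{ vault_become_password }}"

  tasks:
    - name: Capture the group list of the become token
      win_command: whoami.exe /groups
      become: yes
      become_user: DOMAIN\someuser
      register: token_groups
      changed_when: false      # read-only check, never reports "changed"

    - name: Stop unless the token carries High Mandatory Level
      assert:
        that:
          # S-1-16-12288 is the SID of "Mandatory Label\High Mandatory Level",
          # which whoami lists only for an elevated token
          - "'S-1-16-12288' in token_groups.stdout"
        msg: "become token is not elevated; myscript.ps1 would hit the same errors"

    - name: Run the script with the verified identity
      win_shell: '.\myscript.ps1'
      become: yes
      become_user: DOMAIN\someuser
```

Run it with `ansible-playbook become.yml --ask-vault-pass` so the vault is decrypted only at run time; if the assert fails, the problem is the token the task received rather than the script itself.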


I've used PsExec before to run tasks as a specific Windows domain user for software installs that require the profile to be loaded. You could also use it to impersonate an elevated user on the remote system to run a PowerShell script.

This is not my first choice, but I've also had issues getting become working on Windows hosts.

- name: Copy PsExec
  win_copy:
    src: "files/PsExec.exe"
    dest: "c:\\temp\\psexec.exe"
    force: no

- name: Run powershell as a specific domain user
  win_psexec:
    command: "powershell.exe -executionpolicy bypass -noninteractive -nologo -file 'myscript.ps1'"
    executable: C:\temp\psexec.exe
    elevated: yes
    nobanner: yes
    username: "{{ dom_username }}"
    password: "{{ dev_password }}"
    interactive: yes

Tj Kellie answered Sep 18 '22 00:09