Discussion:
Run powershell command as administrator
Michael Perzel
2014-09-24 14:33:42 UTC
Permalink
I am working to automate our deployment process with Ansible but am running
into a permissions issue. I have a playbook that uses the raw module to
call a deploy.ps1 file that is on a remote Windows server. This deploy.ps1
file does some work and then calls an install.ps1 command using the
following syntax: "Invoke-Command -ComputerName $server -filepath
$from\install.ps1 -argumentlist $version,$siteName". The problem is
install.ps1 needs to be run as administrator in order to work (it makes
some changes to IIS). I can run deploy.ps1 (and install.ps1) from an
administrator PowerShell window but they fail when I run them from a
non-admin PowerShell window.

Is there a way to tell the raw command to run the powershell as admin?

Copied below is the error message.

"stderr": "[localhost] Connecting to remote server localhost failed with
the following \r\nerror message : Access is denied. For more information,
see the \r\nabout_Remote_Troubleshooting Help topic.\r\n + CategoryInfo
: OpenError: (localhost:String) [], PSRemotingTran \r\n
sportException\r\n + FullyQualifiedErrorId :
AccessDenied,PSSessionStateBroken\r\n",
"stdout": "\nDeploying EdgeTestTool version:532 to servers:
localhost\n\tCopying files to localhost\n\nFile copy complete. Starting
install\n\tInstalling on remote server localhost in site Default Web
Site\nC:\\surescripts\\edge\\532\\archive\\EdgeTestTool.Web\\obj\\x64\\Debug\\Package\\PackageTmp,
532, Default Web Site\r\n\nDone Deploying EdgeTestTool version:532 to
servers: localhost\n\n",
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/50ec8962-9196-4fcc-a7f7-7892c3513065%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Michael Perzel
2014-09-24 14:44:08 UTC
Permalink
From here http://technet.microsoft.com/en-us/library/hh849719.aspx
My problem is this requirement:

- On Windows Vista, and later versions of Windows, to use the
  *ComputerName* parameter of *Invoke-Command* to run a command on the
  local computer, you must open Windows PowerShell with the "Run as
  administrator" option.
Chris Church
2014-09-30 17:59:30 UTC
Permalink
There is not a way to specify a "run as administrator" option to the remote
shell. I don't think it's an Ansible or pywinrm issue; I simply don't see
a way to specify that option when creating a remote shell (
http://msdn.microsoft.com/en-us/library/cc251739.aspx).

Your issue may be related to the "second hop" problem, where it's not
allowing your credentials to be used by Invoke-Command:

http://blogs.technet.com/b/heyscriptingguy/archive/2012/11/14/enable-powershell-quot-second-hop-quot-functionality-with-credssp.aspx


I can reproduce it by running the following as a script:

Invoke-Command -ComputerName . { Write-Host "moo" }


I'm not quite sure what the fix would be at the moment -- suggestions
welcome from any PowerShell experts lurking here.
J Hawkesworth
2014-10-02 20:09:41 UTC
Permalink
Not hit this particular problem myself and am not a powershell expert but
I have a couple of suggestions.
Last time I tried the raw module I came to the conclusion it was running
something close to a DOS command environment, rather than a PowerShell
environment. So maybe worth trying to turn your 'raw' into a 'script'.

Second (rather vague) suggestion is to make use of groups if possible and
perhaps that way you don't need full administrator permissions, just
logging in as a user who has sufficient group access to do whatever you
need to do to IIS might be enough.

Hope that's some help, please let us know how you get on, I know I have IIS
configuration tasks I want to automate in the future.

Jon
Trond Hindenes
2014-10-02 22:50:06 UTC
Permalink
Michael from what I can see you're running a command "through" a (Windows)
Ansible node targeting another node ($server)? Why don't you just run it
against $server directly from ansible?

Instead of
Ansible-->Managed Node-->$Server

Just to
Ansible-->$Server

You could be running into the double-hop issue, or it could be that the
user setup in your ansible_ssh_user variable is a local user and not a
domain one (in which case you can't use it to invoke a command on a remote
computer).

The easiest way to tell what's going on is to check the security log on
your $Server computer.
Michael Perzel
2014-10-21 18:07:05 UTC
Permalink
Sorry I forgot to get back to this post. I ended up following Trond's
suggestion (I was having a double hop auth issue). I now manage my windows
servers directly (ie Ansible -> $Server no windows server in between).

I've also been using the script module instead of raw.
a***@pollie.me
2015-06-18 18:21:51 UTC
Permalink
I have an almost identical issue.
I am running a PowerShell script on srv01:
get-childitem \\srv01\share01
get-childitem \\srv02\share02
The first one executes without issues, but on the second one I am receiving
Access Denied.
It doesn't look like double hop trouble, but anyway, just in case, I've
enabled PSRemoting and Enable-WsmanCredSSP.
J Hawkesworth
2015-06-18 19:54:12 UTC
Permalink
If it is working on \\srv01\ but not on \\srv02 then there is a difference
between the two machines.

I suggest you check the event log on \\srv02, the configuration of the
share02 sharing and the firewall on \\srv02

If you are not using an Active Directory domain user, also check the same
username and password is set up on \\srv02 as \\srv01

Hope this helps,

Let us know how you get on.

Jon
a***@pollie.me
2015-06-18 20:14:01 UTC
Permalink
The event log is empty, and there is no difference between those 2 servers;
the firewall is disabled too.
And anyway, the script is executed with domain admin rights.
The weird thing is that I can execute the get-childitem \\srv02\share02
from any machine (including srv01), but not ansible.

Initially the purpose of the script was to copy a file from \\srv01 to
\\srv02, but as I got Access Denied, I decided to run an easier command
like gci.
Any help/workaround appreciated.
Thx.
Trond Hindenes
2015-06-19 00:13:18 UTC
Permalink
So just to sum up:
Ansible-->srv01: You can list stuff in \\srv01\ but not \\srv02

Are you connecting to srv01 from ansible using a domain account or a local
account? If local it's pretty logical that you have this issue: The user
doesn't have any permissions outside srv01, so that's the only thing you
can see.

For cross-machine boundaries you need to connect using a domain account. Or
you can write an Ansible module which takes username/password as a
parameter and pass that in (look at the PR for win_package in the
"ansible-modules-extras" repo on GitHub; it has the functionality to get
files from a UNC share using explicitly defined credentials).
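The explicit-credential approach Trond describes above, as an added PowerShell example (not code from the thread or from the win_package PR). It is meant to run on srv01 through Ansible's script module; the parameter names, function names, the drive name Hop2 and the sample account are assumptions, and it relies on New-PSDrive accepting -Credential for a UNC root, which needs PowerShell 3.0 or later.

```powershell
# Added example, not code from the thread. Run on srv01 via Ansible's script module.
# Needs PowerShell 3.0+ (New-PSDrive -Credential on a UNC root).
# Parameter names, function names and the drive name 'Hop2' are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # e.g. EXAMPLE\svc_deploy (constructed)
    [Parameter(Mandatory = $true)][string]$Password,   # supplied by the caller, never hard-coded
    [string]$UncRoot = '\\srv02\share02'               # share name taken from the thread
)

function New-DeployCredential {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$Password
    )
    # The WinRM session on srv01 is a network logon: its token proves who you are
    # to srv01 but carries nothing that can be replayed to srv02. Build a
    # credential object that can be presented to the second server explicitly.
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

function Invoke-OnShare {
    param(
        [Parameter(Mandatory = $true)][string]$UncRoot,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory = $true)][scriptblock]$Action   # receives the mapped root path
    )
    $name = 'Hop2'
    # Authenticate to the share with $Credential instead of the session token.
    New-PSDrive -Name $name -PSProvider FileSystem -Root $UncRoot `
                -Credential $Credential -ErrorAction Stop | Out-Null
    try {
        & $Action ($name + ':\')
    }
    finally {
        # Always drop the mapping so the credentialed connection does not linger.
        Remove-PSDrive -Name $name -Force -ErrorAction SilentlyContinue
    }
}

# An account with rights on this one share is sufficient here; it does not
# have to be the domain administrator.
$cred = New-DeployCredential -UserName $UserName -Password $Password

# The listing that returned Access Denied in the thread, now made with
# explicit credentials for the hop from srv01 to srv02.
Invoke-OnShare -UncRoot $UncRoot -Credential $cred -Action {
    param($root)
    Get-ChildItem -LiteralPath $root | Select-Object Name, Length, LastWriteTime
}

# The same $cred object can be passed to Invoke-Command through its
# -Credential parameter when the second hop is a remoting call rather
# than a file share.
```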
a***@pollie.me
2015-06-19 07:16:23 UTC
Permalink
Both servers are domain members and I am using the domain administrator account.
The following scheme doesn't work either:

Ansible ---> srv01 ---> srv01 works
               |
               ---> srv02 doesn't work

Ansible ---> srv02 ---> srv02 works
               |
               ---> srv01 doesn't work

This issue is quite critical for me as I really need to deploy Windows
machines the same way I do Linux.
J Hawkesworth
2015-06-19 13:31:41 UTC
Permalink
I think what you describe is basically a second hop issue then.

I just found
this https://msdn.microsoft.com/en-us/library/ee309365(v=vs.85).aspx
regarding multi-hop configuration for winrm - I suggest working through it
and seeing if it is any help.

Jon
easy cure
2015-07-24 08:34:59 UTC
Permalink
Hi

Did you manage to fix the problem?


Cheers
easycure