
Privilege elevation in Windows with ansible


I'm trying to launch some commands in Ansible as Administrator. According to Ansible docs:

You can use become with the same user as ansible_user to bypass these limitations and run commands that are not normally accessible in a WinRM session.

This however does not work for me. Every time I try to run the following playbook:

- hosts: jenkins-win
  gather_facts: no
  tasks:

    - win_whoami:
      become: yes
      become_user: foo

I get Failed to become user foo: Exception calling \"RunAsUser\" with \"7\" argument(s): \"LogonUser failed (The user name or password is incorrect, Win32ErrorCode 1326)\".

User foo is a member of Administrators group. If I click an icon with RMB and select "Run as Administrator" I get UAC prompt without the need to enter password. If I disable UAC the command just runs as Administrator.

If I set ansible_become_user and ansible_become_password to foo and password respectively everything Just Works. I'd like to avoid setting ansible_become_password as I'm already logged in via WinRM.

I'm using ansible 2.7.6, WinRM with CredSSP and Windows Server 2016.


Solution

  • It seems the question has been answered on the ansible mailing list

    To answer your question around whether the password is required. The runas become method is Ansible’s implementation of the runas executable https://technet.microsoft.com/en-us/library/bb490994.aspx where a username and password are required. The internal Win32 APIs that are called require both the username and password to be set and we can’t bypass that. In the end you do need to specify a password to use become for a normal account but there is another option if you are on the devel branch. You can become the SYSTEM account by setting SYSTEM as the become_user and this does not require a password. The SYSTEM account is like root on Windows and can do pretty much anything.
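    The two paths described in that reply, as an added example playbook (not the asker's playbook and not Ansible project code): become SYSTEM with no password, and become foo with the password kept in ansible-vault rather than plain inventory. It assumes the jenkins-win group from the question and a hypothetical vault-encrypted variable named vault_foo_password.

```yaml
# Added example, not from the question or the mailing-list reply.
# Assumes the jenkins-win inventory group from the question and a
# hypothetical vault-encrypted variable vault_foo_password.
- hosts: jenkins-win
  gather_facts: no
  tasks:

    # Path 1: no password, but the task runs as LocalSystem, which can
    # do anything on the host. Limit it to the tasks that need it.
    - name: Run as SYSTEM without a password
      win_whoami:
      become: yes
      become_method: runas
      become_user: SYSTEM
      register: whoami_system

    - name: Check that the task really ran as LocalSystem (well-known SID S-1-5-18)
      assert:
        that:
          - whoami_system.account.sid == 'S-1-5-18'

    # Path 2: a normal account such as foo needs its password for the
    # LogonUser call; supply it from vault instead of a plaintext variable.
    - name: Run as foo with a vaulted password
      win_whoami:
      become: yes
      become_method: runas
      become_user: foo
      vars:
        ansible_become_password: "{{ vault_foo_password }}"
      register: whoami_foo

    - name: Check that the task ran as foo
      assert:
        that:
          - whoami_foo.account.account_name == 'foo'
```

    Create the vaulted value with ansible-vault encrypt_string and keep it in a vault-protected vars file, so the password never appears in plain inventory or playbook text.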