As I mentioned in that issue the processes run from Ansible with the highest privileges available to the user. You can verify this by running

    - win_command: whoami.exe /all

Here is what you should roughly see back

    (ansible-py37) jborean:~/dev/ansible-tester$ ansible 2019 -m win_command -a 'whoami.exe /all'
    [WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible engine, or trying out features under development. This is a rapidly changing source of code and can become unstable at any point.

    2019 | CHANGED | rc=0 >>

    USER INFORMATION
    ----------------

    User Name             SID
    ===================== =============================================
    domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104


    GROUP INFORMATION
    -----------------

    Group Name                                    Type             SID                                          Attributes
    ============================================= ================ ============================================ ===============================================================
    Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
    BUILTIN\Performance Log Users                 Alias            S-1-5-32-559                                 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
    NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
    DOMAIN\Domain Admins                          Group            S-1-5-21-2959096244-3298113601-420842770-512 Mandatory group, Enabled by default, Enabled group
    Authentication authority asserted identity    Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
    DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
    Mandatory Label\High Mandatory Level          Label            S-1-16-12288


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                            Description                                                        State
    ========================================= ================================================================== =======
    SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
    SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
    SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
    SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
    SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
    SeSystemProfilePrivilege                  Profile system performance                                         Enabled
    SeSystemtimePrivilege                     Change the system time                                             Enabled
    SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
    SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
    SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
    SeBackupPrivilege                         Back up files and directories                                      Enabled
    SeRestorePrivilege                        Restore files and directories                                      Enabled
    SeShutdownPrivilege                       Shut down the system                                               Enabled
    SeDebugPrivilege                          Debug programs                                                     Enabled
    SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
    SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
    SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
    SeUndockPrivilege                         Remove computer from docking station                               Enabled
    SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
    SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
    SeCreateGlobalPrivilege                   Create global objects                                              Enabled
    SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
    SeTimeZonePrivilege                       Change the time zone                                               Enabled
    SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
    SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


    USER CLAIMS INFORMATION
    -----------------------

    User claims unknown.

    Kerberos support for Dynamic Access Control on this device has been disabled.

You can see in the output the user has the 'BUILTIN\Administrators' group that is Enabled and also has the 'Mandatory Label\High Mandatory Level' label assigned to its groups. It also has a whole bunch of privileges assigned to the token which tells us the process is enabled. This should have a fairly similar output to just running that locally with a few slight changes. If you compare that to a limited process I run locally here is what I get

    C:\Users\vagrant-domain>whoami.exe /all

    USER INFORMATION
    ----------------

    User Name             SID
    ===================== =============================================
    domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104


    GROUP INFORMATION
    -----------------

    Group Name                                    Type             SID                                          Attributes
    ============================================= ================ ============================================ ===============================================================
    Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
    BUILTIN\Performance Log Users                 Alias            S-1-5-32-559                                 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Group used for deny only
    NT AUTHORITY\REMOTE INTERACTIVE LOGON         Well-known group S-1-5-14                                     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\INTERACTIVE                      Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
    LOCAL                                         Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
    DOMAIN\Domain Admins                          Group            S-1-5-21-2959096244-3298113601-420842770-512 Group used for deny only
    Authentication authority asserted identity    Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
    DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
    Mandatory Label\Medium Mandatory Level        Label            S-1-16-8192


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                    State
    ============================= ============================== ========
    SeAssignPrimaryTokenPrivilege Replace a process level token  Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


    USER CLAIMS INFORMATION
    -----------------------

    User claims unknown.

    Kerberos support for Dynamic Access Control on this device has been disabled.

We can see on a limited process the 'BUILTIN\Administrators' group is only used for deny ACE checks and the label is 'Mandatory Label\Medium Mandatory Level'.

Now as to why the script isn't working, that I am not sure on as your output does not indicate it had any errors occur. As I was saying above, running through WinRM usually means the user runs as the highest privilege available to them. The only scenario I know of where that isn't the case is if the LocalAccountTokenFilterPolicy reg property is not set and WinRM has been explicitly set to grant non-admins access through WinRM. A quick win_command: whoami.exe /all check will help tell you if that is the case. Become usually fixes issues where the script works fine when run locally but not through Ansible but that's typically only in cases where you are talking to external hosts like a file share.

If the script isn't doing what you expect but isn't failing then you need to;

- Verify the script is actually running on the host you think it is
- The paths in the script are where you think they are
- Figure out why errors are being silenced, a file doesn't just fail to be written without it erroring somewhere

Also on an unrelated note to this issue you can combine the win_copy and win_shell task into just 1 using script like so;

    - name: Modify WinCollect Config File
      script: WinCollectConfig.ps1

That will find the 'WinCollectConfig.ps1' in the files directory, copy it to a temp location, execute it, then finally remove that temp file all in 1 step.

Thanks

Jordan
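
An added example, not part of the message above and not Ansible project code: a play that automates the whoami.exe comparison from the post, failing when the token lacks the High Mandatory Level label or when BUILTIN\Administrators is deny-only, and reporting the LocalAccountTokenFilterPolicy value in the failure message. The host pattern `windows` and the registered variable names are assumptions, and the deny-only match assumes English-language whoami output.

```yaml
# Added example, not from the original post. The host pattern "windows" and
# the registered variable names (whoami_groups, latfp) are assumptions.
- name: Confirm tasks over WinRM run with an elevated token
  hosts: windows
  gather_facts: false
  tasks:
    - name: List the group SIDs and integrity label of the connection user
      ansible.windows.win_command: whoami.exe /groups
      register: whoami_groups
      changed_when: false

    - name: Read LocalAccountTokenFilterPolicy for the failure message
      ansible.windows.win_reg_stat:
        path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        name: LocalAccountTokenFilterPolicy
      register: latfp

    - name: Fail if the token is limited
      ansible.builtin.assert:
        that:
          # 'Mandatory Label\High Mandatory Level' has SID S-1-16-12288;
          # a limited token carries S-1-16-8192 (Medium) instead.
          - whoami_groups.stdout is search('S-1-16-12288')
          # BUILTIN\Administrators (S-1-5-32-544) must be listed and must
          # not read 'Group used for deny only' (English output assumed).
          - >-
            whoami_groups.stdout_lines
            | select('search', 'S-1-5-32-544')
            | reject('search', 'deny only')
            | list | length > 0
        fail_msg: >-
          Limited token: High Mandatory Level label missing or
          BUILTIN\Administrators is deny-only or absent.
          LocalAccountTokenFilterPolicy is
          {{ latfp.value | default('not set') }}.
        success_msg: Elevated token, Administrators group is enabled.
```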