Ansible to Windows with SSH, become not working

Hello all,

I am trying to get this to work, with Ansible:

  • Login to a Windows server with SSH (this works)
  • Do all kind of Windows things there (that works)

But the above only works when I login as the Administrator user.
But I want to do privilege escalation either from Administrator to another, mortal user, or the other way around.

---
- name: Test runas
  hosts: windows
  gather_facts: false

  tasks:
    - name: Create my_dir directory
      ansible.windows.win_file:
        path: 'c:\temp\my_dir'
        state: directory
      become: true
      become_flags: |
        logon_type=interactive
        logon_flags=with_profile
      become_user: tdactyl

This playbook works when run as the Administrator, but the created directory is not owned by the tdactyl user.

I have tried this with Kerberos and WinRM and that works; this is also in the Ansible documentation. But the documentation doesn’t mention how to escalate when using SSH.

Any good ideas?

Thanks,
TonK

Small update:


Keep in mind that the default owner for new objects with admin users is going to be the Administrators SID. You can typically see who the owner is going to be when running whoami /groups and seeing the entry that has the Group owner attribute set.

Also keep in mind that the runas become is not designed to elevate from a non-admin to admin user. Doing that is not really a thing on Windows for non-interactive scenarios as there is no non-interactive way to talk with the UAC prompt. The become mechanism is designed for things like bypassing the credential delegation problem, running a task as another user, specifying custom credentials for outbound authentication.
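An added diagnostic playbook, not from the original thread, that separates the two questions raised above: did the task actually run as the become user, and who ended up owning the directory. It assumes the same host group, path and become user as the playbook in the question, and sets become_method: runas explicitly because over an SSH connection it is otherwise not the default.

```yaml
---
- name: Check which identity a become task runs as and who owns the result
  hosts: windows
  gather_facts: false

  tasks:
    - name: Create the directory as the become user
      ansible.windows.win_file:
        path: 'c:\temp\my_dir'
        state: directory
      become: true
      become_method: runas
      become_flags: logon_type=interactive logon_flags=with_profile
      become_user: tdactyl

    # win_shell runs PowerShell; whoami reports the token the task really got,
    # and the "Group owner" attribute shows the default owner for new objects.
    - name: Record the identity and default owner of the become context
      ansible.windows.win_shell: |
        whoami /user
        whoami /groups | findstr /i "owner"
      become: true
      become_method: runas
      become_flags: logon_type=interactive logon_flags=with_profile
      become_user: tdactyl
      register: become_identity
      changed_when: false

    # Read back the owner that was actually stamped on the directory.
    - name: Read the owner set on the directory
      ansible.windows.win_shell: (Get-Acl -Path 'c:\temp\my_dir').Owner
      register: dir_owner
      changed_when: false

    - name: Show both so they can be compared
      ansible.builtin.debug:
        msg:
          - "Task ran as: {{ become_identity.stdout_lines }}"
          - "Directory owner: {{ dir_owner.stdout | trim }}"
```

If the whoami output names the expected become user while the owner is still the Administrators group, that is the default-owner behaviour described in the reply rather than a failed become; if whoami still names the SSH login user, become never took effect.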

Yes, I saw that in the GitHub issue.
I’ll just use an Admin for now.

Thanks.