Hi there. I have odd question, but i need to ask it.
I set up Ansible to use windows account with limitied rights.
All I do for this account is to write it’s sid into rootsddl for Wirm.
This user can’t logon via RDP and make Enter-PsSession, but ansible still works? How? I thought that pssession is equal to psremoting.
Enter-PSSession using the PSRP protocol which is based on the WinRM protocol but not the same endpoint as to what Ansible users. If you configure the rootSDDL that will set the permissions for the WinRM endpoint used by Ansible but not the PSRP one. The PSRP endpoint uses the Remote Management Users group to govern the access but you can modify it to work with other groups if you really want to as well.
I’ve tried to explain some more about WinRM here if you are interested in reading it http://www.bloggingforlogging.com/2018/01/24/demystifying-winrm/.
Jordan,thank you for the gread article and explanation.
I still have a couple of questions.
When Ansible connects to WinRM, what endpoint it uses? WinRM itself or some other endpoint that works using WinRM?
And mayby you know, what benefits gives Read permission of WinRM? Now i give only Invoke permissions.
Another one question. How can I connect to WinRM manually to debug some situation?
I don’t know off the top of my head the native ways of configuring the PSRP endpoint but usually the Set-PSSessionConfiguration cmdlet in Powershell (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/set-pssessionconfiguration?view=powershell-5.1) woud be a good place to start looking.
Ansible uses the native WinRM endpoint so configuration the rootSDDL is what you would do to configure permissions for Ansible. The PSRP side is based on WinRM but you could consider it an extension of WinRM so some of the configuration is separate from the base listener. I could be wrong about Read but it is used to read the configuration for WinRM so it probably isn’t necessary for Ansible but it would be best to try that.
If you want to run the same endpoint that Ansible uses you can use the winrs executable to run the raw WinRM commands not over PSRP. We have some examples of how you can call the winrs executable here http://docs.ansible.com/ansible/devel/user_guide/windows_setup.html#common-winrm-issues. You can also use pywinrm natively without Ansible if you don’t have a WIndows box ready.