Our environment is under some pretty strict security requirements and it’s causing lots of issues. First, we don’t have an active directory set up (all local accounts, I know it’s stupid but I’m just the idiot trying to clean it up). Then, we have this LocalAccountTokenFilterPolicy registry setting set to 1 so every time I try to run something I get permission errors as it lowers permissions.
I am allowed to temporarily disable the LocalAccountTokenFilterPolicy to do what I need to do, but need a mechanism to do that. I’m able to use win_command to switch it from 1 to 0 but can’t switch it from 0 to 1.
Is there any way to get in with WinRM through ansible then run a command as an elevated user?
I’m actually curious how you got LocalAccountTokenFilterPolicy to cause restriction under WinRM- I’ve tried many combos of 2008R2/2012R2/2016 under full UAC prompt requirements, domain-joined/not, various users, etc, to no avail- I can’t get it to restrict the admin group for a local user in a WinRM session. I’m actually running into UAC issues under the become prototypes (since we’re now using interactive logons instead of batch), but I can’t get that particular one to break.
I ended up giving the user explicit access to the registry key and all playbooks begin with flipping the value, doing the work, then flipping it back. We are working on a domain solution so the local accounts won’t be an issue one day…
We’re using a DoD STIG image for our Windows servers which has a number of other security settings. I’ve added a screenshot of our registry that you may be able to mimic to get it to break. We’re on 2012 for this particular server. Path is: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system.
If you’re using AWS I can probably share an AMI that has the issue with your account.
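The "flip the value, do the work, flip it back" pattern described above, as an added example playbook that is not from this thread or from the Ansible project. It assumes a placeholder inventory group `windows_servers`, the registry path given in the thread, and the current `ansible.windows` collection module names (`win_reg_stat`, `win_regedit`); the "work" task is a placeholder. The point of the example is the `always` section: the original value is read first and restored even when a task in the middle fails, so a failed run cannot leave the policy in its temporary state.

```yaml
# Added example (not from the thread): wrap privileged work in a block that
# records LocalAccountTokenFilterPolicy, sets the value the work needs, and
# restores the recorded value in `always` regardless of task outcome.
- name: Temporarily change LocalAccountTokenFilterPolicy around privileged work
  hosts: windows_servers            # placeholder inventory group
  gather_facts: false
  vars:
    policy_key: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
    policy_name: LocalAccountTokenFilterPolicy
    work_value: 0                   # value the thread's author switches to while working
  tasks:
    - name: Read the current policy value so it can be restored later
      ansible.windows.win_reg_stat:
        path: "{{ policy_key }}"
        name: "{{ policy_name }}"
      register: policy_before

    - block:
        - name: Set the policy value needed for the work
          ansible.windows.win_regedit:
            path: "{{ policy_key }}"
            name: "{{ policy_name }}"
            data: "{{ work_value }}"
            type: dword

        - name: Placeholder for the privileged work
          ansible.windows.win_command: whoami /groups

      always:
        - name: Restore the original value (remove it if it did not exist before)
          ansible.windows.win_regedit:
            path: "{{ policy_key }}"
            name: "{{ policy_name }}"
            data: "{{ policy_before.value | default(omit) }}"
            type: dword
            state: "{{ 'present' if policy_before.exists else 'absent' }}"
```

The connecting account still needs write access to that key (the thread's author granted the user explicit access to it); the playbook does not bypass that. `win_reg_stat` returns `exists` and `value` for a named property, so the `always` task can tell "was 1" apart from "was not set" and restore either case. On current Ansible versions the placeholder work task could additionally use `become: yes` with `become_method: runas` to run as a specific elevated account, which is the `become` work the reply above refers to.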