I am starting to use Ansible to manage servers joined to a domain.
I started testing with a domain user account that is a member of Domain Users and also a member of the local Administrators group on the target.
When I execute the command `ansible win_pibchs -m win_ping`, it executes successfully.
Now I would like to run the same command with an account that is not a member of the local Administrators group.
When I try the command, it terminates with this message:
```
fcvwsbdt.PIBCHS.ENET | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: Access is denied. (extended fault data: {u'fault_subcode': 'w:AccessDenied', u'fault_code': 's:Sender', u'wsmanfault_code': '5', 'transport_message': u'Bad HTTP response returned from server. Code 500', 'http_status_code': 500})",
    "unreachable": true
}
```
If the user is a member of the Administrators group on the remote host then you shouldn’t have to touch the SDDL of the WinRM listener at all. This is only necessary if the user is a limited user and needs access. Also the Set-PSSessionConfiguration is touching the session configuration for the Microsoft.PowerShell endpoint which is not what Ansible is using. To configure the SDDL for the actual endpoint Ansible uses you can run;
```
winrm configSDDL default
```
Administrators should have Full Control, if you wish to add more users they need to have at least Read and Execute permissions.
The fact that the winrs command is working indicates something else is going on. The winrs command will use the credentials of the currently running user, if you are trying to verify if that account has access it is simpler to test with explicit credentials like;
```
winrs -r:fcvwsbdt.PIBCHS.ENET -u:wuuser@PIBCHS.ENET -p:UnaPassword DIR C:\
```
If that works then something else is at play. Can you share;
- The output of `winrm get winrm/config/service` on your Windows host
- The output of `pip list` on your Ansible controller
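
One way to read the `RootSDDL` value from the requested `winrm get winrm/config/service` output and check it against the Read and Execute requirement in the answer above. This is an added example, not part of the original thread: the SDDL strings, the SID, the assumed token membership and the function names are constructed for illustration, and "deny beats allow" is a simplification of the Windows access check.

```python
import re

# Generic rights in an SDDL ACE; the WinRM permission dialog labels them
# Full Control, Read, Write and Execute.
RIGHTS = {"GA": "FullControl", "GR": "Read", "GW": "Write", "GX": "Execute"}

# Constructed sample values shaped like the RootSDDL line printed by
# `winrm get winrm/config/service`; the SID is made up.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SACL = "S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
ADMINS_ONLY = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)" + SACL
WITH_USER = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GXGR;;;" + USER_SID + ")" + SACL
# Token of a limited domain user over the network (assumed membership):
# own SID, Everyone (WD), Authenticated Users (AU), NETWORK (NU).
LIMITED = {USER_SID, "WD", "AU", "NU"}


def parse_dacl(sddl):
    """Return [(ace_type, rights, trustee), ...] for the D: section only."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")  # type;flags;rights;guid;guid;trustee
        if len(fields) < 6:
            continue  # malformed ACE
        codes = re.findall(r"[A-Z]{2}", fields[2])
        aces.append((fields[0], {RIGHTS.get(c, c) for c in codes}, fields[5]))
    return aces


def effective_rights(sddl, trustees):
    """Rights a token holding `trustees` gets; deny beats allow (simplified)."""
    allowed, denied = set(), set()
    for ace_type, rights, trustee in parse_dacl(sddl):
        if trustee in trustees and ace_type in ("A", "D"):
            (allowed if ace_type == "A" else denied).update(rights)
    return set() if "FullControl" in denied else allowed - denied


def can_connect(sddl, trustees):
    """True with Full Control, or with at least Read and Execute."""
    rights = effective_rights(sddl, trustees)
    return "FullControl" in rights or {"Read", "Execute"} <= rights


if __name__ == "__main__":
    for name, sddl in (("ADMINS_ONLY", ADMINS_ONLY), ("WITH_USER", WITH_USER)):
        print(name, sorted(effective_rights(sddl, LIMITED)), can_connect(sddl, LIMITED))
```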