Troubleshooting another project which uses scheduled tasks as a non-Administrator account. Searching shows Windows Server 2016 does not allow non-Administrators to manage scheduled tasks.
Since there have been several GitHub issues opened about scheduled tasks and how they are used in Ansible, are things that Ansible does going to break in Windows Server 2016?
I really don’t understand the plumbing of Ansible and Windows, but it seems like a rude surprise awaits in Windows Server 2016?
- name: check list of groups user is member of
  win_command: whoami.exe /groups
  register: groups_output

- name: show user’s groups
  debug:
    var: groups_output.stdout_lines

- name: run scheduled task
  win_command: schtasks.exe /Run /TN Test

- name: get stat of test file to prove task ran
  win_stat:
    path: C:\temp\test
  register: stat

- name: file folder stat
  debug:
    var: stat
Here is the output of the main tasks
This works on all OS’s I’ve tested so far but unfortunately I can replicate the issue with Server 2016 and non-admin users. Usually I can add the user account to the XML ACL and then be able to run the task, but not on Server 2016, as you have reported. It seems like Microsoft has restricted the permissions that are required to execute a scheduled task that a normal user does not have permission for, but I cannot find out what that may be. Because this is an issue with Windows and not Ansible, I would say there is not much we can do about it and the use case is probably quite minimal, but I’m happy to be proven otherwise.
From an Ansible standpoint, yes it would be nice for a non-admin account to run a scheduled task but IMO non-admin users should never be able to modify a task. This opens up a pretty big security hole as a non-admin user would then have the ability to change what is run by the scheduled task and potentially allow a custom script to be executed by a higher account without knowing the password.
This begs the question, what are you trying to do? Scheduled tasks can be fragile and annoying to work with, and there may be other options available for you in Ansible. Traditionally scheduled tasks are used by tools to bypass WinRM restrictions such as no access to WUA and DPAPI. This is how the Packer elevated shell process works and is pretty much done everywhere that deals with WinRM, as it is simple and gets the job done most of the time. This can still be done in Ansible with an admin account (even on 2016) but using become is a way better option; in 2.5 we even have an example on how to do that: http://docs.ansible.com/ansible/devel/windows_usage.html#creating-and-running-a-scheduled-task. Even so, using become is generally recommended as we don’t need to mess around with creating the task and ensuring it starts, cleaning it up afterwards, and somehow getting the stdout/stderr/rc values from the process. Plus, with become we can run it with modules, whereas scheduled tasks can only be used to run individual commands.
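
The become approach recommended in the reply above, shown as an added example that is not part of the original thread: the same proof-of-execution test, but run through `become` with the `runas` method instead of `schtasks.exe`. The host group `windows`, the account `EXAMPLE\ansible_svc` and the vault variable `vault_become_password` are placeholders assumed for illustration.

```yaml
- hosts: windows                      # assumed inventory group
  gather_facts: no
  vars:
    # assumed: the become account's password comes from a vaulted variable
    ansible_become_password: "{{ vault_become_password }}"
  tasks:
    # A command run under become: no task to create, start or clean up
    - name: check list of groups the become user is member of
      win_command: whoami.exe /groups
      become: yes
      become_method: runas
      become_user: EXAMPLE\ansible_svc   # placeholder account
      register: groups_output

    # stdout and rc are returned directly to the play
    - name: show return code and groups
      debug:
        msg:
          - "rc={{ groups_output.rc }}"
          - "{{ groups_output.stdout_lines }}"

    # become also applies to modules, not only individual commands
    - name: create the test file as the become user
      win_file:
        path: C:\temp\test
        state: touch
      become: yes
      become_method: runas
      become_user: EXAMPLE\ansible_svc   # placeholder account

    - name: get stat of test file to prove the module ran
      win_stat:
        path: C:\temp\test
      register: stat

    - name: file folder stat
      debug:
        var: stat
```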