Question on ability to use a non-administrative windows account to execute the WinRM calls #194
Comments
Unfortunately, using a non-admin user isn't a use case we've attempted to support. We've only done testing with admin accounts. When the winrm gem first connects, it attempts to query the OS version using WQL. I assume a regular PowerShell remoting session does not do a WMI query. |
Thanks for the quick feedback. Is this something that can possibly be supported in the future? Or conversely, is there a set of privs that I could grant this non-admin user to allow for the connection to succeed? |
It certainly seems within the realm of possibilities to support non-admin users. I've never needed it, so it's not a priority for me. I'm not sure what permissions are needed, so if we figured that out, at least we could start by documenting it. One thing you could try is an older pre-1.5 version of the winrm gem. Querying WMI on connect is relatively new. If that works, we may want to change the current behavior so that if the WMI query fails it just uses the Windows 2008 defaults. |
Thanks for the suggestion. I backed down to winrm-1.3.6 + winrm-fs-0.2.3, but I look to be facing the same issue: /usr/local/share/gems/gems/winrm-1.3.6/lib/winrm/http/response_handler.rb:64:in
*** LOCAL GEMS *** bigdecimal (1.2.0) The Ruby call I am making is: winrm.cmd('ipconfig /all') do |stdout, stderr| Separately from the above effort, I was hoping I was on to something in changing DCOM security privs, but that changed nothing after I essentially granted this domain user almost everything other than administrative privs. I even disabled UAC, which feels very insecure... https://www.poweradmin.com/help/faqs/how-to-enable-wmi-for-remote-access/ tricky tricky |
This is a limitation in the underlying WS-Man functionality. Non-administrators are denied access to run commands from a WS-Man endpoint. However, PowerShell remoting can be configured to allow it and, by default, will allow non-admin users in the Remote Management Users group access to a remote PowerShell. You can see this on a Windows host by using a non-admin user in the Remote Management Users group and running:
You would get an access denied, but that same user can run So I think this is an issue that will be resolved with winrm v2 when we introduce a PSRP implementation. In fact, I just verified that running commands via a PowerShell shell in that branch works for a non-admin user. |
Yes I can confirm I have this buttoned up and working for non-admins when using the Windows native WinRM interface. Your verification above is outstanding! Is there any plan/schedule for release of v2? I'm most eager to test this out in my infrastructure as well! Thanks. |
There is no schedule; we are just volunteering as we can, but I am definitely looking forward to it being available too! You can follow the work in this branch. I suppose we should update the README in the branch so that folks who do want to try it have some guidance. You could look at the integration tests for now. Be aware it is very alpha right now. Commands like |
Just validated that non admin users can execute commands using the PSRP shell in the forthcoming v2. #191 |
I am using a Rundeck winrm plugin that utilizes the winrm-lib to handle the WinRM interactions (https://github.com/NetDocuments/rd-winrm-plugin), and I only seem to gain success when authenticating using a user (domain account) that is in the remote servers local Admin group.
This may be more of a Windows WMI question, but I am hoping for some guidance from anyone that has used this Ruby library successfully with domain accounts that are not in the local Administrators group. I've successfully used this Rundeck plugin against a remote Win2K12 R2 server using a Windows domain user that is part of the Administrators group on that remote server. No problems, all is good.
However, my attempts to successfully execute a Rundeck job that has a single WinRM command with the same user not being in the Administrators group have proved fruitless to date.
Based on scouring the net, I came across a handful of articles that attempt to spell out how to get this working, but I haven't had good luck yet.
To summarize my efforts:
I removed the user from the Administrators group and added to the "WinRMRemoteWMIUsers__" as many articles have suggested.
I then went into "WMI Control" in Computer Management, and added the "WinRMRemoteWMIUsers__" group to Security -> "Root" with Execute Methods, Enable Account, and Remote Enable privs enabled. Finally I restarted the Windows Management Instrumentation service, and all supposedly should have worked. However, it didn't.
Reference:
https://social.technet.microsoft.com/Forums/exchange/en-US/b748d1bb-fa97-4c30-a626-145dfbc40873/service-acccount-permission-to-remote-powershell-to-dns-server-on-windows-server-2012?forum=winserverpowershell
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/60de5fcd-33e0-479b-9668-fcf683678a2f/winrm-for-nonadministrative-users?forum=ITCG
Gist of the error Rundeck is trapping is as follows:
/usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/http/response_handler.rb:75:in `raise_if_wmi_error': [WMI ERROR CODE: 2150859012] (WinRM::WinRMWMIError)
Fields of the MSFT_WmiError element in the fault body (tags stripped in the log above):
  CIMStatusCode = 2
  ErrorSourceFormat = 0
  ErrorType = 0
  Message = The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
  MessageID = HRESULT 0x80338104
  PerceivedSeverity = 0
  ProbableCause = 0
  error_Category = 18
  error_Code = 2150859012
  error_Type = HRESULT
  error_WindowsErrorMessage = The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
I also reviewed the Windows Event Viewer on the remote server, and see the following:
Id = ; ClientMachine = ; User = MS; ClientProcessId = 916; Component = WMIService; Operation = connect to namespace : root\cimv2; ResultCode = 0x80041003; PossibleCause = the user was not granted appropriate permission on the namespace.
It just doesn't make sense, as I granted privs to "Root" and ensured that the privs applied to the Root namespace and subnamespaces...
I would also like to note that I have successfully used the Windows native WinRM plugin to establish a remote PowerShell session with the very same non-admin account, so this looks to be isolated to how the Ruby WinRM plugin is attempting to establish the WinRM session with the non-admin account.
https://technet.microsoft.com/en-us/library/hh847850.aspx
On the server that you want to execute remote PowerShell commands on:
Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI
-- add the user/group that you want to execute commands as
From the remote computer:
Invoke-Command -ComputerName server_name -ScriptBlock { dir } -credential MS
Enable-PSRemoting -Force
Test-WsMan server_name
Next, I just created a simple Ruby script to execute the WinRM module on its own. Again, all is well when the domain user is in the target server's local Administrators group, but it is failing if the user is not in the local Administrators group.
require 'winrm'

# Target endpoint and the domain credentials used in the tests described above.
endpoint = 'http://server_name:5985/wsman'
myuser   = 'MS\user'
mypass   = 'pass'

# winrm 1.x API: plaintext transport with SSPI disabled. Per the maintainer's
# reply, the gem queries the OS version over WQL when it first connects; that is
# where the WinRM::WinRMWMIError above is raised for the non-admin account.
winrm = WinRM::WinRMWebService.new(endpoint, :plaintext,
                                   :user => myuser, :pass => mypass,
                                   :disable_sspi => true)

# Run a single command and stream its output back.
winrm.create_executor do |executor|
  executor.run_cmd('ipconfig /all') do |stdout, stderr|
    STDOUT.print stdout
    STDERR.print stderr
  end
end
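The maintainer's reply above (Remote Management Users can reach the PowerShell endpoint while the plain WS-Man command shell denies them) and the issue's own three-step procedure (Set-PSSessionConfiguration -ShowSecurityDescriptorUI, then Invoke-Command from a client) can be done without the GUI and checked end to end. The script below is an added example and is not code from the issue, the Rundeck plugin or the winrm gem. It assumes a target named server_name, a non-admin domain account MS\svc_winrm, and that the WS-Man resource the 1.x gem enumerates on connect is Win32_OperatingSystem in root\cimv2 (the thread says only "query the OS version using WQL"; the exact URI is an assumption). Part 1 runs in an elevated PowerShell on the target; Part 2 runs on any domain-joined client.

```powershell
# Added example, not the issue author's or the winrm gem's code.
# Assumed names: target 'server_name', non-admin domain account 'MS\svc_winrm'.

# --- Part 1: on server_name, in an elevated PowerShell -------------------------
$account = 'MS\svc_winrm'

# Remote Management Users is the built-in group that the default Microsoft.PowerShell
# session configuration already allows on Server 2012 R2 and later. 'net localgroup'
# is used because Add-LocalGroupMember does not exist on 2012 R2.
net localgroup 'Remote Management Users' $account /add

# Show who may currently connect to the PowerShell endpoint.
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

# Non-interactive equivalent of -ShowSecurityDescriptorUI: add an Allow / Full Control
# ACE for the account to the endpoint's SDDL instead of editing the group membership.
# Skip this block if group membership alone is the policy you want.
$sddl = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
$sd   = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)
$sid  = (New-Object System.Security.Principal.NTAccount($account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$sd.DiscretionaryAcl.AddAccess(
    [System.Security.AccessControl.AccessControlType]::Allow,
    $sid,
    0x10000000,   # GENERIC_ALL, "GA" in SDDL, what the UI calls Full Control (All Operations)
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None)
# -Force suppresses the prompts; WinRM is restarted for the new ACL to take effect.
Set-PSSessionConfiguration -Name Microsoft.PowerShell `
    -SecurityDescriptorSddl $sd.GetSddlForm('All') -Force

# --- Part 2: from a client machine --------------------------------------------
$cred = Get-Credential $account

# Unauthenticated Identify request: proves the listener on 5985 is reachable.
Test-WSMan -ComputerName server_name

# PSRP path (what the native plugin and winrm v2 use): succeeds for the
# non-admin account once Part 1 is done.
Invoke-Command -ComputerName server_name -Credential $cred -ScriptBlock { whoami; ipconfig /all }

# WS-Man-over-WMI path, the same kind of request the 1.x gem makes on connect
# (resource URI assumed, see lead-in). For a non-admin this is where the
# 0x80338104 'access denied' fault comes back, so a failure here combined with a
# success above isolates the problem to the root\cimv2 namespace ACL rather than
# to the PowerShell endpoint.
Get-WSManInstance -ComputerName server_name -Credential $cred `
    -ResourceURI 'wmicimv2/Win32_OperatingSystem' -Enumerate
```

The two Part 2 calls are deliberately separate: Invoke-Command exercises the Microsoft.PowerShell session configuration ACL, while Get-WSManInstance exercises the WMI namespace ACL that the issue author was editing under "WMI Control". Seeing one succeed and the other fail for the same account is the quickest way to confirm which of the two permission sets is the blocker before changing anything else.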