NetDocuments-Archive / rd-winrm-plugin

Allows rundeck to execute commands with powershell
Apache License 2.0

Guidance on using a non-administrative windows account to execute the WinRM plugin #16

Closed fellenberger closed 7 years ago

fellenberger commented 8 years ago

This is likely more of a Windows WMI question, but I'm hoping someone has some guidance here. I've successfully used the plugin against a remote Win2K12 R2 server using a Windows Domain user that is part of the Administrators group on that remote server. No problems, all is good.

However, my attempts to successfully execute a job that has a single WinRM command with the same user not being in the Administrators group have proved fruitless to date.

Based on scouring the net, I came across a handful of articles that attempt to spell out how to get this working, but I haven't had good luck yet.

To summarize my efforts: I removed the user from the Administrators group and added to the "WinRMRemoteWMIUsers__" as many articles have suggested.

I then went into "WMI Control" in Computer Management, and added the "WinRMRemoteWMIUsers__" group to Security -> "Root" with Execute Methods, Enable Account, and Remote Enable privs enabled. Finally, I restarted the Windows Management Instrumentation service, and all supposedly should have worked. However, it didn't.

Reference: https://social.technet.microsoft.com/Forums/exchange/en-US/b748d1bb-fa97-4c30-a626-145dfbc40873/service-acccount-permission-to-remote-powershell-to-dns-server-on-windows-server-2012?forum=winserverpowershell

https://social.technet.microsoft.com/Forums/scriptcenter/en-US/60de5fcd-33e0-479b-9668-fcf683678a2f/winrm-for-nonadministrative-users?forum=ITCG

Gist of the error Rundeck is trapping is as follows:

```
/usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/http/response_handler.rb:75:in `raise_if_wmi_error': [WMI ERROR CODE: 2150859012] (WinRM::WinRMWMIError)
MSFT_WmiError:
  CIMStatusCode             = 2
  ErrorSourceFormat         = 0
  ErrorType                 = 0
  Message                   = The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
  MessageID                 = HRESULT 0x80338104
  PerceivedSeverity         = 0
  ProbableCause             = 0
  error_Category            = 18
  error_Code                = 2150859012
  error_Type                = HRESULT
  error_WindowsErrorMessage = The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
```

I also reviewed the Windows Event Viewer on the remote server, and see the following:

```
Id = ; ClientMachine = ; User = MS; ClientProcessId = 916; Component = WMIService; Operation = connect to namespace : root\cimv2; ResultCode = 0x80041003; PossibleCause = the user was not granted appropriate permission on the namespace.
```

Just doesn't make sense, as I granted privs to "Root" and ensured that the privs applied to the Root namespace and subnamespaces...

Any ideas here? Won't be feasible to run remote commands as a user in the Administrators group!

Thanks!

fellenberger commented 8 years ago

Would also like to note that I have successfully used the Windows native WinRM plugin to establish a remote PowerShell session with the very same non-admin account, so this looks to be isolated to how the Ruby WinRM plugin is attempting to establish the WinRM session with the non-admin account.

https://technet.microsoft.com/en-us/library/hh847850.aspx

On the server that you want to execute remote PowerShell commands on: `Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI` -- add the user/group that you want to execute the command as.

From the remote computer: `Invoke-Command -ComputerName server_name -ScriptBlock { dir } -credential MS`

`Enable-PSRemoting -Force`

`Test-WsMan server_name`

fellenberger commented 8 years ago

Next, I just created a simple Ruby script to execute the WinRM module on its own. Again, all is well with the Administrative account, but it is failing with the non-admin user.

`more winrm_test.rb`

```ruby
require 'winrm'

endpoint = 'http://server_name:5985/wsman'
myuser = 'MS\user'
mypass = 'pass'

winrm = WinRM::WinRMWebService.new(endpoint, :plaintext, :user => myuser, :pass => mypass, :disable_sspi => true)
winrm.create_executor do |executor|
  executor.run_cmd('ipconfig /all') do |stdout, stderr|
    STDOUT.print stdout
    STDERR.print stderr
  end
end
```

```
root@server:/root
ruby winrm_test.rb
WARN WinRM::WinRMWebService : [WinRM] connection failed, terminating (#)
/usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/http/response_handler.rb:57:in `raise_if_auth_error': WinRM::WinRMAuthorizationError (WinRM::WinRMAuthorizationError)
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/http/response_handler.rb:50:in `raise_if_error'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/http/response_handler.rb:35:in `parse_to_xml'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/http/transport.rb:51:in `send_request'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/winrm_service.rb:484:in `send_message'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/winrm_service.rb:385:in `run_wql'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/command_executor.rb:171:in `os_version'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/command_executor.rb:130:in `code_page'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/command_executor.rb:72:in `block in open'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/command_executor.rb:203:in `retryable'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/command_executor.rb:71:in `open'
	from /usr/local/share/gems/gems/winrm-1.6.1/lib/winrm/winrm_service.rb:351:in `create_executor'
	from winrm_test.rb:8:in `<main>'
```
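The comments above describe two separate grants: the WMI namespace permission (first comment, set through WMI Control) and the session configuration permission (second comment, `Set-PSSessionConfiguration`). The stack trace above shows why this plugin needs both: `create_executor` opens the executor, which calls `code_page` -> `os_version` -> `run_wql`, so the winrm gem issues a WQL query over WS-Man before it runs any command, and that query is authorized by WMI namespace security rather than by the PowerShell session configuration. A plain `Invoke-Command` only needs the latter, which is consistent with the native plugin working while the Ruby one does not. The script below is an added example, not code from rd-winrm-plugin, the winrm gem or this thread. It reports the current state of both permissions (report-only unless `-Apply`), grants one group both with the WMI rights that correspond to the checkboxes named in the first comment, and verifies both paths with the non-admin credentials (`-Verify`). Assumptions: it runs in an elevated PowerShell on the target server; `CONTOSO\RundeckOperators` is a placeholder group name; the numeric constants are the documented WMI access-mask and ACE-flag bits. Windows Server 2012 R2 also has a built-in "Remote Management Users" group (SDDL alias `RM`) that the default session configuration SDDL already permits, so membership in that group is an alternative to the session-configuration ACE; the WMI namespace grant is still a separate step either way.

```powershell
<#
  Added example, not code from the rd-winrm-plugin project, the winrm gem or this thread.
  Grants one group the two permissions a non-admin account needs for this plugin and
  reports/verifies them. Run in an elevated PowerShell on the target server.
  Assumptions (placeholders): group 'CONTOSO\RundeckOperators'; WinRM already enabled
  (Enable-PSRemoting); the session configuration is Microsoft.PowerShell.
#>
param(
    [Parameter(Mandatory)] [string] $Group,           # e.g. 'CONTOSO\RundeckOperators' (placeholder)
    [string] $SessionConfig = 'Microsoft.PowerShell',
    [string] $Namespace     = 'root/cimv2',           # namespace named in the event-log entry
    [switch] $Apply,                                  # default is report-only
    [switch] $Verify                                  # test both paths with non-admin credentials
)

# WMI namespace access rights, matching the WMI Control checkboxes
$WBEM_ENABLE         = 0x01   # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x02   # "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x20   # "Remote Enable"
$CONTAINER_INHERIT   = 0x02   # ACE flag: apply to subnamespaces as well
$ACCESS_ALLOWED      = 0x00   # AceType

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# --- 1. Session configuration: what a plain Invoke-Command / PSSession needs -----------
$cfg  = Get-PSSessionConfiguration -Name $SessionConfig
$sddl = $cfg.SecurityDescriptorSddl
"[$SessionConfig] current permission: $($cfg.Permission)"
if ($sddl -notlike "*$sid*") {
    # GA is what the default ACEs give Administrators (BA) and Remote Management Users (RM)
    $aceSddl = "(A;;GA;;;$sid)"
    $newSddl = if ($sddl -match 'S:') { $sddl -replace '(?=S:)', $aceSddl } else { $sddl + $aceSddl }
    if ($Apply) {
        Set-PSSessionConfiguration -Name $SessionConfig -SecurityDescriptorSddl $newSddl -Force
        "[$SessionConfig] granted $Group"
    } else {
        "[$SessionConfig] would set SDDL: $newSddl"
    }
}

# --- 2. WMI namespace: what the winrm gem's run_wql needs before any command runs -------
$getSD = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($getSD.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($getSD.ReturnValue)" }
$sd = $getSD.Descriptor
foreach ($a in $sd.DACL) {
    '[{0}] {1}\{2} mask=0x{3:X2} flags=0x{4:X2}' -f $Namespace, $a.Trustee.Domain, $a.Trustee.Name, $a.AccessMask, $a.AceFlags
}
if (-not ($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid })) {
    $trustee = ([WMIClass] 'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([WMIClass] 'Win32_ACE').CreateInstance()
    # 0x23 = the three checkboxes from the thread; drop METHOD_EXECUTE if only queries are needed
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = $ACCESS_ALLOWED
    $ace.Trustee    = $trustee
    if ($Apply) {
        $sd.DACL += $ace.PSObject.ImmediateBaseObject
        $setSD = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                     -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
        if ($setSD.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $Namespace failed: $($setSD.ReturnValue)" }
        '[{0}] granted {1} mask=0x{2:X2} (inherited by subnamespaces)' -f $Namespace, $Group, $ace.AccessMask
    } else {
        "[$Namespace] would add an ACE for $Group"
    }
}

# WS-Man access to the WMI provider is additionally gated by the WinRM service root SDDL;
# reported here so a remaining denial can be traced to it rather than to the namespace.
'[WinRM RootSDDL] ' + (Get-Item WSMan:\localhost\Service\RootSDDL).Value

# --- 3. Verify both paths as the non-admin account -------------------------------------
if ($Verify) {
    $cred = Get-Credential -Message 'Non-admin domain account to test'
    # Path used by Invoke-Command / the native plugin: session configuration ACL
    Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $cred -ScriptBlock { whoami }
    # Path used by the winrm gem's run_wql: WMI namespace over WS-Man
    $cs = New-CimSession -ComputerName $env:COMPUTERNAME -Credential $cred
    Get-CimInstance -CimSession $cs -Namespace $Namespace -ClassName Win32_OperatingSystem |
        Select-Object Caption, Version
    Remove-CimSession $cs
}
```

Run it once without switches to see the existing session-configuration permission, the namespace DACL and the root SDDL; add `-Apply` to make the two grants; then `-Verify` with the non-admin credentials. A failure of the `Invoke-Command` step points at the session configuration, a failure of the `Get-CimInstance` step at the namespace DACL (the `0x80041003` result in the event-log entry above is that WMI-side denial) or, if the DACL already lists the group, at the root SDDL.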

fellenberger commented 8 years ago

Hello, I'd greatly appreciate some feedback on my prior posts. Feels like I'm "almost there" but need some guidance on "non-administrator group" execution using a domain account. Has anyone tried this? Is this even possible? I've checked out the Overthere-based winrm plugin, but it seems so much more convoluted compared to this plugin. Haven't had much luck even establishing a winrm session with that one yet.

Thanks.

spuder commented 8 years ago

Sorry I can't be much help, we aren't using the plugin with non administrative accounts yet. Maybe try enabling the "login as a service" or "login as batch user" local policies for that user?

@vvchik is the real expert, do you have any ideas on this?

vvchik commented 8 years ago

I didn't try this yet, because we're not using it currently. But if you find a solution, please contact us; we will update the readme for your case. Anyway, please check the ruby winrm-lib issues list, because it is the main lib used in this plugin.

spuder commented 8 years ago

@fellenberger I want to follow up and see if you had luck getting this working?