Tag: ansible

Posted on by Leave a comment

Ansible Privilege Escalation win_command – refresh Windows Update Service

When you have ansible deployed it is easy to perform massively actions on your inventory hosts. On a previous article I have explained in detail how you can easily manage Windows machines with Ansible.

In order to refresh Windows update service and make it connect to WSUS reporting console one should execute the below commands on a range of machines. 

wuauclt /resetauthorization
wuauclt /reportnow
wuauclt /detectnow

In order to perform this task automated and avoid logging in on each machine, you can execute the below playbook.

---
- name: deploy commands on servers
 hosts: test
 become: true
 tasks:
 name: win_command resetauth
 win_command: wuauclt /resetauthorization
 name: win_command report
 win_command: wuauclt /reportnow
 name: win_command detect
 win_command: wuauclt /detectnow

If you run this playbook without elevated privileges, it will fail. The necessary variables that must be included in your inventory or another appropriate location are listed below (folder variables, etc). The become keyword is a must but the escalation method must be changed instead of sudo as we handle windows machines.

 [all:vars]
 ansible_connection = winrm
 ansible_user = administrator
 ansible_become_user=administrator
 ansible_become_method=runas
Posted on by 2 Comments

Manage Windows machines with Ansible (winrm)

Ansible is a very powerful automation tool that is developed from RedHat. Many large organizations rely on Ansible to automate tasks and procedures. In this article I will explain how one can use ansible to manage windows clients and servers.

In order to manage windows hosts ansible winrm plugin should be used to communicate with the client/server machine.

The first step is to verify that ansible is installed.

Alongside with ansible, on the control node the pywinrm module should be also installed. By default this one is not installed and one should do it manually.

The managed Windows client/server machines should be configured to allow remote connections. A very useful power shell script is already developed from other users and it needs only to be executed on the managed host.

If your execution policy is prohibiting this script to be executed, you should set-execution policy to RemoteSigned as shown below and then execute the powershell.

Control node should have network connectivity with the managed hosts.

Some environmental variables should be used, so that ansible knows how the connection will be performed (winrm). I included those variables in my inventory file as I created this lab just for demonstration. My inventory file looks like below:

[test_servers_group]
192.168.12.130

[all]
localhost
192.168.12.130

[all:vars]
ansible_winrm_server_cert_validation = ignore
ansible_connection = winrm
ansible_user = ansible
ansible_password =

Lastly make sure that the user that is used for the connection has administrative rights on the managed windows hosts. Otherwise some error codes will be returned.

Lastly confirm ansible on managed host is working by using win_ping module.

Documentation:

https://www.ansible.com/blog/connecting-to-a-windows-host