In my last post, I looked at setting up WinRM to give Ansible remote access into a Windows computer. Presumably, one would use a regular administrative account to do so. However, there are some reasons a personal account is less desirable.
Namely, the password has to be stored in the Ansible hosts file. Also, if the account is a Microsoft account (as Windows 10 nags you to use) or a domain account, that password also grants access to every Microsoft service or, respectively, to every computer on the domain (not to mention domain services such as email and file shares), not just the hosts Ansible is trying to connect to.
So it is better to have a dedicated account for Ansible's use only. Ideally, one could push this account to Windows computers: that is, have Ansible create the Windows account (logging in once using existing credentials), and later Ansible runs could then use the newly created account.
I wrote an Ansible playbook to create this account, add it to the Administrators group, and then hide it (using registry settings) from the login screen:
```yaml
- hosts: my_desktop
  tasks:
    - name: Ensure ansible user is present
      win_user:
        name: Ansible
        password: 5v4m41HM7XLa66srR2JLTCL2TxN1Y0ZleMWdG6jwgmiWBSGv4xjQzBZeP7JYCWF
        state: present
        groups:
          - Administrators
          - Users
    - name: Hide ansible user from login screen
      win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        name: Ansible
        data: 0
        type: dword
```
Of course, the password above should be changed (but still set to a really long random character sequence).
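To produce such a password, here is an added example (not from the original post) that generates it on a Windows machine with the .NET cryptographic random number generator rather than Get-Random, which is not documented as cryptographically secure. The function name and the alphanumeric alphabet are my choices; the 64-character length is an assumption that roughly matches the placeholder above.

```powershell
# Added example, not from the original post: generate a long random password
# using a cryptographically secure RNG (System.Security.Cryptography).
# Rejection sampling (discard bytes >= 256 - 256 % N) keeps every character
# equally likely; a plain "byte mod N" would bias toward the first characters.
function New-RandomPassword {
    param([int]$Length = 64)   # assumed default length; adjust as needed
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $n = $alphabet.Length
    $limit = 256 - (256 % $n)  # largest multiple of $n that fits in one byte
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            # Only accept bytes below $limit so that "% $n" is unbiased.
            if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $n]) }
        }
    } finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

# Usage: paste the output into the playbook's password field.
New-RandomPassword -Length 64
```

A 64-character alphanumeric password drawn this way has roughly 380 bits of entropy, far more than any online or offline guessing attack against the account could exhaust.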
One can then edit the host variables in the Ansible hosts file (ansible_user and ansible_password) to connect with the account created above. Keep in mind that the password still sits in that file, so protect it accordingly (for example, by storing it as an ansible-vault-encrypted value).
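Because the playbook creates a hidden local administrator, which is also exactly the kind of account an attacker plants for persistence, it is worth confirming on the Windows host that it did only what was intended. The following is an added example (not from the original post) that checks the account exists, is enabled, sits in Administrators, and is hidden via the SpecialAccounts\UserList value, and then flags any other account hidden the same way. It assumes the account name "Ansible" from the playbook and an elevated PowerShell session on Windows 10 / Server 2016 or later (where Get-LocalUser and Get-LocalGroupMember are available).

```powershell
# Added example, not from the original post: verify the state the playbook
# is supposed to leave behind. Run in an elevated PowerShell on the target.
$AccountName = 'Ansible'   # assumed: the name used in the playbook
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$checks = [ordered]@{}

# 1. The local account exists and is enabled.
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
$checks['Account exists']  = ($null -ne $user)
$checks['Account enabled'] = ($null -ne $user -and $user.Enabled)

# 2. It is a member of the local Administrators group. Members are reported
#    as COMPUTERNAME\Account, so compare against that form.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$expected = "$env:COMPUTERNAME\$AccountName"
$checks['In Administrators'] = [bool]($admins | Where-Object { $_.Name -eq $expected })

# 3. It is hidden from the login screen: a DWORD named after the account,
#    set to 0, under SpecialAccounts\UserList. The key does not exist on a
#    default install; win_regedit creates it.
$hidden = $false
$otherHidden = @()
if (Test-Path $UserListKey) {
    $props = Get-ItemProperty -Path $UserListKey
    $metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $values = $props.PSObject.Properties | Where-Object { $_.Name -notin $metaProps }
    $hidden = [bool]($values | Where-Object { $_.Name -eq $AccountName -and $_.Value -eq 0 })
    # 4. Anything else hidden here was not put there by this playbook.
    $otherHidden = @($values | Where-Object { $_.Name -ne $AccountName -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name })
}
$checks['Hidden from login screen'] = $hidden
$checks['No other hidden accounts'] = ($otherHidden.Count -eq 0)

foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $name)
}
if ($otherHidden.Count -gt 0) {
    Write-Output ("Other accounts hidden from the login screen: {0}" -f ($otherHidden -join ', '))
}
```

The last check is the one to keep an eye on over time: a new name appearing under SpecialAccounts\UserList with value 0 on a machine you did not change is a strong signal that someone else has used the same trick.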