community.windows.psexec – Runs commands on a remote Windows host based on the PsExec model
Note
This plugin is part of the community.windows collection (version 1.8.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.windows
.
To use it in a playbook, specify: community.windows.psexec
.
Synopsis
Runs a remote command from a Linux host to a Windows host without WinRM being set up.
Can be run on the Ansible controller to bootstrap Windows hosts to get them ready for WinRM.
Requirements
The below requirements are needed on the host that executes this module.
pypsexec
smbprotocol[kerberos] for optional Kerberos authentication
Parameters
Parameter |
Comments |
---|---|
Any arguments as a single string to use when running the executable. |
|
Will run the command as a detached process and the module returns immediately after starting the process while the process continues to run in the background. The stdout and stderr return values will be null when this is set to The stdin option does not work with this type of process. The rc return value is not set when this is Choices:
|
|
The password for connection_user. Required if the Kerberos requirements are not installed or the username is a local account to the Windows host. Can be omitted to use a Kerberos principal ticket for the principal set by connection_user if the Kerberos library is installed and the ticket has already been retrieved with the |
|
The timeout in seconds to wait when receiving the initial SMB negotiate response from the server. Default: 60 |
|
The username to use when connecting to the remote Windows host. This user must be a member of the Required if the Kerberos requirements are not installed or the username is a local account to the Windows host. Can be omitted to use the default Kerberos principal ticket in the local credential cache if the Kerberos library is installed. If process_username is not specified, then the remote process will run under a Network Logon under this account. |
|
Will use SMB encryption to encrypt the SMB messages sent to and from the host. This requires the SMB 3 protocol which is only supported from Windows Server 2012 or Windows 8, older versions like Windows 7 or Windows Server 2008 (R2) must set this to When setting to Choices:
|
|
The executable to run on the Windows host. |
|
The remote Windows host to connect to, can be either an IP address or a hostname. |
|
The integrity level of the process when process_username is defined and is not equal to When When When Choices:
|
|
Will run the process as an interactive process that shows a process Window of the Windows session specified by interactive_session. The stdout and stderr return values will be null when this is set to The stdin option does not work with this type of process. Choices:
|
|
The Windows session ID to use when displaying the interactive process on the remote Windows host. This is only valid when interactive is The default is Default: 0 |
|
Runs the remote command with the user’s profile loaded. Choices:
|
|
The port that the remote SMB service is listening on. Default: 445 |
|
Set the command’s priority on the Windows host. See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683211.aspx for more details. Choices:
|
|
The password for process_username. Required if process_username is defined and not |
|
The timeout in seconds that is placed upon the running process. A value of Default: 0 |
|
The user to run the process as. This can be set to run the process under an Interactive logon of the specified account which bypasses limitations of a Network logon used when this isn’t specified. If omitted then the process is run under the same account as connection_username with a Network logon. Set to If encrypt is |
|
Shows the process UI on the Winlogon secure desktop when process_username is Choices:
|
|
Data to send on the stdin pipe once the process has started. This option has no effect when interactive or asynchronous is |
|
Changes the working directory set when starting the process. Default: “C:\\Windows\\System32” |
Notes
Note
This module requires the Windows host to have SMB configured and enabled, and port 445 opened on the firewall.
This module will wait until the process is finished unless asynchronous is
yes
, ensure the process is run as a non-interactive command to avoid infinite hangs waiting for input.The connection_username must be a member of the local Administrator group of the Windows host. For non-domain joined hosts, the
LocalAccountTokenFilterPolicy
should be set to1
to ensure this works, see https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows.For more information on this module and the various host requirements, see https://github.com/jborean93/pypsexec.
See Also
See also
- ansible.builtin.raw
The official documentation on the ansible.builtin.raw module.
- ansible.windows.win_command
The official documentation on the ansible.windows.win_command module.
- community.windows.win_psexec
The official documentation on the community.windows.win_psexec module.
- ansible.windows.win_shell
The official documentation on the ansible.windows.win_shell module.
Examples
- name: Run a cmd.exe command
community.windows.psexec:
hostname: server
connection_username: username
connection_password: password
executable: cmd.exe
arguments: /c echo Hello World
- name: Run a PowerShell command
community.windows.psexec:
hostname: server.domain.local
connection_username: [email protected]
connection_password: password
executable: powershell.exe
arguments: Write-Host Hello World
- name: Send data through stdin
community.windows.psexec:
hostname: 192.168.1.2
connection_username: username
connection_password: password
executable: powershell.exe
arguments: '-'
stdin: |
Write-Host Hello World
Write-Error Error Message
exit 0
- name: Run the process as a different user
community.windows.psexec:
hostname: server
connection_user: username
connection_password: password
executable: whoami.exe
arguments: /all
process_username: anotheruser
process_password: anotherpassword
- name: Run the process asynchronously
community.windows.psexec:
hostname: server
connection_username: username
connection_password: password
executable: cmd.exe
arguments: /c rmdir C:\temp
asynchronous: yes
- name: Use Kerberos authentication for the connection (requires smbprotocol[kerberos])
community.windows.psexec:
hostname: host.domain.local
connection_username: [email protected]
executable: C:\some\path\to\executable.exe
arguments: /s
- name: Disable encryption to work with WIndows 7/Server 2008 (R2)
community.windows.psexec:
hostanme: windows-pc
connection_username: Administrator
connection_password: Password01
encrypt: no
integrity_level: elevated
process_username: Administrator
process_password: Password01
executable: powershell.exe
arguments: (New-Object -ComObject Microsoft.Update.Session).CreateUpdateInstaller().IsBusy
- name: Download and run ConfigureRemotingForAnsible.ps1 to setup WinRM
community.windows.psexec:
hostname: '{{ hostvars[inventory_hostname]["ansible_host"] | default(inventory_hostname) }}'
connection_username: '{{ ansible_user }}'
connection_password: '{{ ansible_password }}'
encrypt: yes
executable: powershell.exe
arguments: '-'
stdin: |
$ErrorActionPreference = "Stop"
$sec_protocols = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::SystemDefault
$sec_protocols = $sec_protocols -bor [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::SecurityProtocol = $sec_protocols
$url = "https://github.com/ansible/ansible/raw/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
Invoke-Expression ((New-Object Net.WebClient).DownloadString($url))
exit
delegate_to: localhost
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Any exception details when trying to run the process Returned: module failed Sample: “Received exception from remote PAExec service: Failed to start \”invalid.exe\”. The system cannot find the file specified. [Err=0x2, 2]” |
|
The process ID of the asynchronous process that was created Returned: success and asynchronous is ‘yes’ Sample: 719 |
|
The return code of the remote process Returned: success and asynchronous is ‘no’ Sample: 0 |
|
The stderr from the remote process Returned: success and interactive or asynchronous is ‘no’ Sample: “Error [10] running process” |
|
The stdout from the remote process Returned: success and interactive or asynchronous is ‘no’ Sample: “Hello World” |
Authors
Jordan Borean (@jborean93)