win_user_right: "RemovePrivilege with 2 argument(s): The request is not supported" about ansible.windows HOT 4 CLOSED

That's interesting, RemovePrivilege ends up calling LsaRemoveAccountRights. The default values for SeCreateGlobalPrivilege indicate the following 4 accounts are set for this right

• BUILTIN\Administrators
• NT AUTHORITY\Local Service
• NT AUTHORITY\Network Service
• NT AUTHORITY\Service

Based on your example it should be trying to remove Network Service and Service and one of those is failing. Luckily I can replicate this locally so I'll need to play around a bit more and figure out what may be happening here.

from ansible.windows.

After further testing I think this is one of those cases where Windows does not allow you to remove certain accounts from a privilege. I've tried to remove NT AUTHORITY\Network Service from either Create global objects (SeCreateGlobalPrivilege) or Adjust memory quota for a process (SeIncreaseQuotaPrivilege) from the UI with gpedit.msc. While it doesn't actually display any errors and seems like the accounts are removed, as soon as I close and re-open gpedit.msc the account is back there like it was never removed.

Are you also able to validate that's the case on your host by trying to remove Network Service from the privilege you are trying to remove in your task?

It probably would be a good idea to improve the error message to include the privilege(s) it was trying to remove though so I'll keep this issue opened until that is implemented.

from ansible.windows.

@jborean93 you are right, Windows adds Network Service again every time.. so I guess that's the issue. The OS doesn't like PS to remove that privilege. I will make a few more tests, but probably that's what's this is all about..

Thanks for your time.

from ansible.windows.

So while it doesn't fix the issue, which we can do nothing about, #91 has been merged which changes the error message in this scenario to now become

TASK [win_user_right] ********************************************************************************************************
task path: /home/jborean/dev/ansible-tester/main.yml:5
redirecting (type: modules) ansible.builtin.win_user_right to ansible.windows.win_user_right
Using module file /home/jborean/dev/ansible_collections/ansible/windows/plugins/modules/win_user_right.ps1
Pipelining is enabled.
<server2019.domain.local> ESTABLISH PSRP CONNECTION FOR USER: [email protected] ON PORT 5985 TO server2019.domain.local
PSRP: EXEC (via pipeline wrapper)
The full traceback is:
The request is not supported
At line:396 char:13
+             $lsaHelper.RemovePrivilege($sid, $name)
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], Win32Exception
    + FullyQualifiedErrorId : Win32Exception

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 396
fatal: [2019]: FAILED! => changed=false 
  added: []
  diff:
    after: ''
    before:
      SeCreateGlobalPrivilege:
      - NT AUTHORITY\SERVICE
      - BUILTIN\Administrators
      - NT AUTHORITY\NETWORK SERVICE
      - NT AUTHORITY\LOCAL SERVICE
  invocation:
    module_args:
      action: remove
      name: SeCreateGlobalPrivilege
      users:
      - Network Service
  msg: 'Failed to remove account NT AUTHORITY\NETWORK SERVICE from right SeCreateGlobalPrivilege: The request is not supported'
  removed: []

The error message shows the account name that was attempted to be removed and from what right.

from ansible.windows.