windows become - info about blank passwords (#34331)
* windows become - info about blank passwords * Edited for clarity
This commit is contained in:
parent
ccbd788f6b
commit
a830cae160
1 changed files with 29 additions and 0 deletions
|
@ -420,6 +420,35 @@ Because local service accounts do not have passwords, the
|
||||||
``ansible_become_password`` parameter is not required and is ignored if
|
``ansible_become_password`` parameter is not required and is ignored if
|
||||||
specified.
|
specified.
|
||||||
|
|
||||||
|
Accounts without a Password
|
||||||
|
---------------------------
|
||||||
|
|
||||||
|
.. Warning:: As a general security best practice, you should avoid allowing accounts without passwords.
|
||||||
|
|
||||||
|
Ansible can be used to become an account that does not have a password (like the
|
||||||
|
``Guest`` account). To become an account without a password, set up the
|
||||||
|
variables like normal but either do not define ``ansible_become_pass`` or set
|
||||||
|
``ansible_become_pass: ''``.
|
||||||
|
|
||||||
|
Before become can work on an account like this, the local policy
|
||||||
|
`Accounts: Limit local account use of blank passwords to console logon only <https://technet.microsoft.com/en-us/library/jj852174.aspx>`_
|
||||||
|
must be disabled. This can either be done through a Group Policy Object (GPO)
|
||||||
|
or with this Ansible task:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
- name: allow blank password on become
|
||||||
|
win_regedit:
|
||||||
|
path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
|
||||||
|
name: LimitBlankPasswordUse
|
||||||
|
data: 0
|
||||||
|
type: dword
|
||||||
|
state: present
|
||||||
|
|
||||||
|
.. Note:: This is only for accounts that do not have a password. You still need
|
||||||
|
to set the account's password under ``ansible_become_pass`` if the
|
||||||
|
become_user has a password.
|
||||||
|
|
||||||
Limitations
|
Limitations
|
||||||
-----------
|
-----------
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue