Assign "system" rights to domain user ID on Windows 2016

Umesh Karikempaiah 21 Reputation points
2021-02-17T08:35:26.847+00:00

Hi,

Our automation team runs playbooks in Ansible to generate a report on a Windows 2016 server. However, they are getting the error below. Can you please let me know what settings should be enabled so that the domain ID will get "system" rights on the server?

"fatal: [server name]: FAILED! => {"changed": false, "msg": "internal error: failed to become user 'system' : Exception calling \"CreateProcessAsUser\" with \"9"\ argument(s): \"Failed to get token for NT AUTHORITY\SYSTEM required for become as a service account or an account without a password\""}

Thanks,

Umesh.S.K


3 answers

  1. AliceYang-MSFT 2,081 Reputation points
    2021-02-18T06:19:03.12+00:00

    Hi,

    NT AUTHORITY\SYSTEM is a powerful account that has the most access to local system resources. For more information, please see Query : NT AUTHORITY\SYSTEM. Personally, I don't think it's feasible to assign NT AUTHORITY\SYSTEM's rights to a domain user.

    Please also post this issue on Ansible Community. Users there are more familiar with this product and have more resources to help us solve this issue.

    Ansible has a large and engaged community of users who can help answer your questions.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


  2. Umesh Karikempaiah 21 Reputation points
    2021-03-02T08:30:07.813+00:00

    Hi,

    The issue is still not resolved. I am not sure what to look for or where to look. All we need is for the domain account to run playbooks as "SYSTEM" on the Windows server. How can we achieve this?


  3. Vijay Varma 96 Reputation points
    2021-04-16T17:03:02.29+00:00

    I had a similar issue, and it was with SeDebugPrivilege for the users. It is disabled because a new Group Policy removed users and groups from Windows Settings -- Security Settings -- Local Policies -- User Rights Assignment -- Debug programs.

    whoami /priv will show SeDebugPrivilege for the user that is used to run the script, and it should be enabled. Please check if it helps.
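The check described in the last answer, as an added example that is not part of the original thread: it reads SeDebugPrivilege from the current logon token with `whoami /priv` and lists who holds the "Debug programs" user right in the local security database with `secedit /export`. It assumes an elevated session on the Windows target and English column names in the `whoami` output; the temporary file name is arbitrary.

```powershell
# Added example, not code from the thread.
# Assumptions: elevated session on the target, English whoami column names.
$privName = 'SeDebugPrivilege'

# 1. Token view. whoami lists only privileges that are present in the token:
#    a missing row means the right is not assigned to this logon, while
#    "Disabled" means it is held but not switched on at the moment.
$held = whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Privilege Name' -eq $privName }

# 2. Policy view. Export user rights assignment from the local security
#    database and pick the "Debug programs" line (SeDebugPrivilege = *SID,...).
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Get-Content $cfg |
    Where-Object { $_ -match "^$privName\s*=" } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are SIDs prefixed with '*' or plain account names.
$assigned = @()
if ($line) {
    $assigned = foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $id = $entry.Trim().TrimStart('*')
        if ($id -match '^S-1-') {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier $id
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $id   # SID could not be resolved to a name; report it raw
            }
        } else {
            $id
        }
    }
}

# One object that can be compared across servers or logged by the playbook.
[pscustomobject]@{
    User             = (whoami)
    InToken          = [bool]$held
    TokenState       = if ($held) { $held.State } else { 'not present' }
    PolicyAssignedTo = @($assigned) -join ', '
}
```

An empty `PolicyAssignedTo` together with `InToken = False` matches the situation the answer describes, where a Group Policy has emptied the "Debug programs" assignment.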