When running an execute resource as an alternate user in Windows (chef local-mode), the environment isn't updated to reflect the alternate user's profile #7690

shoreadmin opened this Issue Sep 25, 2018 · 0 comments



shoreadmin commented Sep 25, 2018


When running an execute resource as an alternate user, the environment (e.g. USERNAME, USERPROFILE, USER, APPDATA, etc.) remains the same as the user who originally executed the chef-client rather than the user specified in the execute resource. I've assigned the SeAssignPrimaryTokenPrivilege to the user executing the script and this doesn't seem to make a difference.

There's a chance that because I'm running this as part of a domain-joined PC, that there's some other group-policy-related stuff happening here to screw things up...

Chef Version


Platform Version

Windows 7 x64

Replication Case

We output the log to a text file because otherwise the output is hidden (due to resource being sensitive)

# Add 'SeAssignPrimaryTokenPrivilege' for the user
Chef::ReservedNames::Win32::Security.add_account_right(<username>, 'SeAssignPrimaryTokenPrivilege')

hasReplaceTokenRight = Chef::ReservedNames::Win32::Security.get_account_right(<username>).include?('SeAssignPrimaryTokenPrivilege')
log "hasReplaceTokenRight = #{hasReplaceTokenRight}" do
  level :warn
end

# Dump the environment seen by the process started as the alternate user
batch "Capture environment running as username" do
  code "set > C:/temp/env.txt"
  user <username>
  password <password>
end

Client Output

I haven't replicated the file output as part of this step; suffice to say that this output file is pretty much identical to running the same command below directly as the user running the chef-client.

Starting Chef Client, version 14.5.33
resolving cookbooks for run list: ["test"]
Synchronizing Cookbooks:
  - zipfile (0.1.0)
  - test (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 3 resources
Recipe: test::default
  * chef_gem[rubyzip] action install (up to date)
Recipe: test::install_visual_assist
  * log[hasReplaceTokenRight = true] action write[2018-09-26T08:45:39+10:00] WARN: hasReplaceTokenRight = true
[2018-09-26T08:45:39+10:00] WARN: hasReplaceTokenRight = true

  * batch[Capture environment running as username] action run
    - execute sensitive resource

Running handlers:
Running handlers complete
Chef Client finished, 2/3 resources updated in 11 seconds
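
One way to check a captured `env.txt` from the replication case for variables that still describe the invoking account, as an added example that is not part of the original issue or of Chef. The function names, account names and sample dump are constructed, and it assumes the profile directory is named after the account.

```ruby
# Added example (not from the issue): flag identity-related variables in a
# captured `set` dump that do not belong to the expected run-as account.

PROFILE_VARS = %w[USERPROFILE APPDATA LOCALAPPDATA].freeze

# Constructed sample of `set` output; account names are hypothetical.
SAMPLE_DUMP = <<~'EOS'
  ALLUSERSPROFILE=C:\ProgramData
  APPDATA=C:\Users\builduser\AppData\Roaming
  LOCALAPPDATA=C:\Users\builduser\AppData\Local
  USERNAME=builduser
  USERPROFILE=C:\Users\builduser
EOS

# Parse "NAME=value" lines into a hash. Names are upper-cased because
# Windows environment variable names are case-insensitive.
def parse_set_output(text)
  text.each_line.with_object({}) do |line, env|
    name, value = line.chomp.split("=", 2)
    next if name.nil? || name.empty? || value.nil?
    env[name.upcase] = value
  end
end

# Return {variable => value} for every variable that does not match
# expected_user. Assumption: the profile path contains a directory
# named exactly after the account.
def stale_identity_vars(env, expected_user)
  user = expected_user.downcase
  stale = {}
  name = env["USERNAME"]
  stale["USERNAME"] = name unless name && name.downcase == user
  PROFILE_VARS.each do |var|
    value = env[var]
    next if value.nil?
    segments = value.downcase.split(/[\\\/]/)
    stale[var] = value unless segments.include?(user)
  end
  stale
end

if __FILE__ == $0
  env = parse_set_output(SAMPLE_DUMP)
  stale_identity_vars(env, "svc_install").each do |var, value|
    puts "#{var} still points at another account: #{value}"
  end
end
```

To run it against a real capture, pass `File.read("C:/temp/env.txt")` to `parse_set_output` and the account given in the resource's `user` property to `stale_identity_vars`.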