Does Chef powershell_script have limited privileges?


I am encountering several situations where, in a Chef recipe with powershell_script, a command appears to fail, whereas if I run the same command in PowerShell outside of Chef, the same command works.

The two in particular are "regedit", which I am trying to use to set a key for app compatibility, and the other is "net use z:...." to create a mapped drive. Both of these seem to work fine if I run them in PowerShell, but if I use them inside a recipe inside powershell_script, they don't appear to do anything.

So I'm wondering is this because Chef runs commands that are inside powershell_script at some lower privilege level?

Also if so, how do I change it so that the regedit and net use would work?

Thanks, Jim

EDIT 1: This seems to work for adding the registry entry I needed:

# Chef's built-in registry_key resource writes the value directly (no regedit.exe needed).
# Note: chef-client runs as Local System by default, so HKEY_CURRENT_USER here is
# SYSTEM's own hive, not the hive of the interactively logged-on user.
registry_key "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags" do
  values [{
    :name => "{2b9034f3-b661-4d36-a5ef-60ab5a711ace}",
    :type => :dword,
    :data => 4   # originally written as 00000004, which Ruby reads as the octal literal 4
  }]
  action :create
end

That prevents the compatibility popup that I am getting when we run the SharePoint installer.

EDIT 2: I hope that this is ok, but for the record and more visibility and hope that I remember this, I found this re. mapping drives in Windows and Chef:

Mount windows shares on a windows node with Chef

and:

https://tickets.opscode.com/browse/CHEF-1267

I haven't tried that yet, but that seems like the answer to my drive mapping need.... hopefully..

Answer:

The chef client service runs as Local System (SYSTEM) by default.

In Windows, that user has full privileges on the local system, like root basically, but on the network it authenticates as the computer object.

So if you are trying to use regedit to change something in, for example, HKEY_CURRENT_USER, then you need to remember that the code will not see the same "current user" as you will when you run it interactively. Also, regedit is an .exe; you should really do what you need through the PowerShell providers or .NET objects.

For net use you are trying to map a drive. It's likely that the computer account doesn't have the rights to the share that your user has. Again, net.exe is a separate executable. net use maps a drive to a drive letter (usually) and you shouldn't be doing that in a configuration script, in my opinion. You should access the UNC path directly, but either way I still think that you're probably running into a permissions issue here.

You could change the credentials of the service to use a user account that has all the rights you want, but before doing something like that you should consider changing your workflow to not need that.
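The following PowerShell script is an added example, not code from the question or the answer, showing the three points above in one place: checking which identity the script actually runs under, writing the AppCompatFlags DWORD through the registry provider instead of regedit.exe, and reading from the share by its UNC path instead of mapping a drive letter. The user SID, the share path and the destination folder are placeholders I made up; substitute your own.

```powershell
# Added example (not from the question or answer). Run it inside a Chef
# powershell_script resource, or interactively, to see which identity is
# executing and to do the registry and share work without regedit/net use.
# Placeholders: the target user's SID, the share UNC path and the local
# destination folder below are constructed for illustration.

$TargetUserSid = 'S-1-5-21-PLACEHOLDER-1001'        # SID of the interactive user whose HKCU you actually meant
$ShareUnc      = '\\fileserver.example\installers'   # constructed; grant the node's computer account read access
$LocalDest     = 'C:\ChefInstall'

# 1. Identity check: chef-client runs as Local System by default, so HKCU:
#    here is SYSTEM's own profile (SID S-1-5-18), not the logged-on user's.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isSystem = $id.User.Value -eq 'S-1-5-18'
Write-Host "Running as: $($id.Name)  (SYSTEM: $isSystem)"

# 2. Registry: use the registry provider instead of regedit.exe.
#    When running as SYSTEM, write to the intended user's hive under HKEY_USERS
#    (only present while that user's profile is loaded); otherwise use HKCU:.
$valueName = '{2b9034f3-b661-4d36-a5ef-60ab5a711ace}'
$subKey    = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$regPath = if ($isSystem -and (Test-Path "Registry::HKEY_USERS\$TargetUserSid")) {
    "Registry::HKEY_USERS\$TargetUserSid\$subKey"
} else {
    "HKCU:\$subKey"
}
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 4 -Force | Out-Null
$written = (Get-ItemProperty -Path $regPath).$valueName
Write-Host "AppCompatFlags value at ${regPath}: $written"

# 3. File share: read from the UNC path directly instead of mapping a letter.
#    As SYSTEM, the network hop authenticates as the computer account
#    (DOMAIN\COMPUTERNAME$), so the share and NTFS ACLs must grant that
#    account, not your own user.
if (Test-Path -LiteralPath $ShareUnc) {
    New-Item -ItemType Directory -Path $LocalDest -Force | Out-Null
    Copy-Item -Path (Join-Path $ShareUnc '*') -Destination $LocalDest -Recurse -Force
    Write-Host "Copied installer files from $ShareUnc to $LocalDest"
} else {
    # Test-Path returns $false for both "no such share" and "access denied";
    # surface the real error so an ACL problem is visible in the Chef log.
    try { Get-Item -LiteralPath $ShareUnc -ErrorAction Stop | Out-Null }
    catch { Write-Warning "Cannot reach $ShareUnc as $($id.Name): $($_.Exception.Message)" }
    exit 1   # a non-zero exit makes the powershell_script resource fail the converge
}
```

When you wrap this in a powershell_script resource, the "Running as" line in the chef-client log tells you immediately whether you are SYSTEM or a service account, and the warning in step 3 shows you which account the share refused. For the registry part, Chef's own registry_key resource (as in EDIT 1 above) is the idempotent choice; the provider call here is for the case where you need to target a specific user's hive under HKEY_USERS.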