Chef DK on Windows: Administrative Rights Required?

I noticed that after installing the Chef DK on Windows and launching the program via the icon that is provided by the installer, the powershell window that is launched is done so under an Administrative context. If you are not signed on as administrator or do not provide another credential that has administrative access, the windows throws an exception and terminates.

A couple of questions regarding this:

  1. Is administrative access really required to run the Chef DK?
  2. If the answer to the above is ‘yes’, what specifically does the DK do that requires this level of access on the Windows endpoint?
  3. Is there a way around this? (e.g. launch a powershell window and load a chef powershell module)
  4. Is there a feature request currently in the queue to address this in a future Chef DK release?

chefdk is not a binary, it is a package. If a chef client with chefdk installed is going to run chef-client, or chef-zero, it will probably need administrative authority to probe the client and report its state fully, and it will need privileges to install software and manage users and their credentials. So it’s unsurprising if the client software installed with chefdk needs extra privileges.

I’m looking for a little bit more content than that. I get that Chef DK is a suite of tools, but from how I understand it, I don’t see how it needs to run under admin creds by default. From my daily usage of the tool: knife, kitchen, cookstyle, and chefspec, I don’t see how any of these should require local admin rights on the workstation.

Administrative rights on the endpoint is not something that everyone has or should have, particularly in the enterprise. I’m trying to understand what the reasoning behind this is and whether there is a way around this or if any plan to change this in the future.

Yes, the backstory here is that when this shortcut was added to the ChefDK in 2015, there were problems that immediately post-install Windows could not access the modules directory (which was outside the usual system locations) when non-elevated. The second issue was that we cannot bypass the system execution policy on Windows 7 or Windows Server 2008 R2 using -ExecutionPolicy Bypass as a non-elevated user - so the shortcut was created to run as an administrator. See for more detail.

As far as I can tell you will be able to work with all the tools as a non-administrative user by adding the following line(s) to your PowerShell $PROFILE (typically C:\Users\<username>\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1) and use a normal PowerShell session instead of the provided shortcut:

chef shell-init powershell | iex 
import-module chef -DisableNameChecking 

Meanwhile we already have a PR in, and hopefully we will have an update soon that removes the elevation requirement.

1 Like

This is great info. Thanks for this. I’ll keep an eye out for updates in this space and in the meantime, I’ll use the workaround you provided.