Setting "Replace a process level token" Windows permission mid chef run



We have been having a bit of fun and games using the community ‘windows_ad_cookbook’ getting it to create user accounts. The issue seems to stem from the requirement for the Windows permission “Replace a process level token”.

We then found a helpful PowerShell script ( ) that even had a comment from Matt Wrock (an amazing chef dude whose Windows chef blog posts have saved my bacon many times!).

So we modified our cookbook to set this right for the local admin account that chef is running under, using the PowerShell script from the above link.

The issue that we have is that from a clean converge the first chef run fails. It sets the right, but it seems that the process that chef is running under is not able to pick up the change to the rights setting. The second time and all subsequent runs the chef run is successful.

Is it possible to run a script before the chef client run or some other magic we could use to achieve the desired state in a single Chef run?

Thanks in advance

David McGrath


David, you’re saying that the process token for chef-client needs to have
the privilege in order for the rest of the run after you add it via the
script to succeed?

In that case, I can think of a few ways to resolve this:

  1.   Abort the run after you use the powershell_script to add the
privilege – you should be able to do this by simply raising an exception.
If you’re ok waiting until the next time chef-client automatically runs,
then it should just work on the next run (you’ll need a guard on the
powershell_script to detect if the privilege is already there so you don’t
abort the run again).

  2.   Presumably whatever actions need the privilege could be run
outside of the chef-client process. You could just shell out to do those
specific things after the privilege is added – will Windows update the
token for the new process? If normal shell out doesn’t work, you could
specify the user and password explicitly which will definitely give a new

  3.   A variation of #2: I’m working on a PR for chef-client that would
let you update the current process token (for remote_file use cases, but it
uses a library that provides the low level token functionality) –
essentially gives you #2 without shelling out. A downside is that it
requires the username and password:

If you have a cloud provider, there are various ways to set the privilege
during bootstrap, or you could set the privilege during bootstrap with a
modification to the bootstrap template. Otherwise, the best way to run a
script before chef-client runs… is something like #1, which essentially
runs a script before chef-client runs, it’s just that that script is itself
a fragment of the same recipe you’re trying to run to its completion… :)
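Option 1 above needs a guard that can tell whether the chef-client account already holds SeAssignPrimaryTokenPrivilege, otherwise the recipe would re-grant the right and abort on every run. The following is an added example, not code from this thread, from the windows_ad cookbook or from Chef itself: a small Ruby helper (usable from a cookbook's libraries/ directory) that parses the [Privilege Rights] section of a template exported with `secedit /export /cfg policy.inf` and answers that question for a given SID. The sample template text and the local administrator SID are constructed for illustration; secedit's real export is UTF-16LE with a BOM, so read it with `File.read(path, mode: 'rb:BOM|UTF-16LE:UTF-8')` before passing it in.

```ruby
# Added example (not from the thread): decide, inside a Chef guard, whether
# the account chef-client runs as already holds "Replace a process level
# token" (SeAssignPrimaryTokenPrivilege), so the powershell_script that grants
# it is skipped on later runs and the recipe does not abort again.
#
# Input is the text of a template written by `secedit /export /cfg policy.inf`.
# secedit writes UTF-16LE with a BOM; convert it when reading, e.g.
#   File.read('C:\policy.inf', mode: 'rb:BOM|UTF-16LE:UTF-8')

PRIVILEGE = 'SeAssignPrimaryTokenPrivilege'.freeze

# Accounts listed for +privilege+ in the [Privilege Rights] section.
# secedit prefixes SIDs with '*' (e.g. *S-1-5-19); the prefix is stripped so
# callers can compare against a plain SID string. Returns [] when the section
# or the key is absent, i.e. nobody holds the right.
def privilege_holders(inf_text, privilege = PRIVILEGE)
  in_section = false
  inf_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';')      # blank or comment
    if line.start_with?('[')                           # section header
      in_section = line.casecmp('[Privilege Rights]').zero?
      next
    end
    next unless in_section
    key, _sep, value = line.partition('=')
    next unless key.strip.casecmp(privilege).zero?
    return value.split(',').map { |v| v.strip.delete_prefix('*') }.reject(&:empty?)
  end
  []
end

# True when +account+ (a SID such as S-1-5-21-...-500, or a name exactly as
# it appears in the template) already holds the privilege.
def has_privilege?(inf_text, account, privilege = PRIVILEGE)
  privilege_holders(inf_text, privilege).any? { |h| h.casecmp(account).zero? }
end

# Constructed, abbreviated sample of a secedit export: the LOCAL SERVICE and
# NETWORK SERVICE SIDs hold the right, the local Administrator (RID 500) does not.
SAMPLE_INF = <<~INF
  [Unicode]
  Unicode=yes
  [Privilege Rights]
  SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
  SeServiceLogonRight = *S-1-5-80-0
  [Version]
  signature="$CHICAGO$"
  Revision=1
INF

# Hypothetical machine SID for the local Administrator account.
LOCAL_ADMIN_SID = 'S-1-5-21-1111111111-2222222222-3333333333-500'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "holders:            #{privilege_holders(SAMPLE_INF).inspect}"
  puts "local admin has it? #{has_privilege?(SAMPLE_INF, LOCAL_ADMIN_SID)}"
end
```

In the recipe, export the policy first (an `execute 'secedit /export /cfg C:\policy.inf'` resource), put `not_if { has_privilege?(File.read('C:\policy.inf', mode: 'rb:BOM|UTF-16LE:UTF-8'), admin_sid) }` on the `powershell_script` that grants the right, and have that resource notify a `ruby_block` that raises; on the first converge the grant runs and the run aborts, on every later converge the guard is true and the recipe continues past it.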


Hi Adam

Thanks for the detailed reply. I think you have summed up the issue but for clarity let me give a little more detail.

The windows_ad_cookbook user resource calls dsadd user to create a user, using Mixlib::ShellOut under the hood. Without the token permission set for the local admin it fails.

We are running the PowerShell script to set the permission for the local admin using the chef powershell_script resource.

To shell out, do you mean that we should run the PowerShell script using Mixlib::ShellOut?

We are still in development mode, so all this is being done via test kitchen; our answer in production may well be to set the permission during the bootstrap as you suggest.

Thanks again for such a great response