We have been having a bit of fun and games using the community ‘windows_ad_cookbook’, getting it to create user accounts. The issue seems to stem from the requirement of Mixlib::ShellOut.new to have the Windows permission “Replace a process level token”.
We then found a helpful PowerShell script (https://pwrshell.net/attribuer-des-privileges-locaux/) that even had a comment from Matt Wrock (an amazing Chef dude whose Windows Chef blog posts have saved my bacon many times!).
So we modified our cookbook to set this right for the local admin account that Chef is running under, using the PowerShell script from the above link.
The issue that we have is that from a clean converge the first Chef run fails. It sets the right, but it seems that the process that Chef is running under is not able to pick up the change to the rights setting. The 2nd time and on all subsequent runs, the Chef run is successful.
Is it possible to run a script before the Chef client run, or is there some other magic we could use to achieve the desired state in a single Chef run?
Thanks in advance