It seems the Ansible user must belong to the local administrators of the machines it tries to manipulate (on Windows 10 at least, membership in the Remote Management group is not even enough to gather facts).


Do not stop when a task fails

- name: do something
  win_shell: something
  failed_when: False
  changed_when: False

Run a role

- hosts: all
  gather_facts: False
  tasks:
    - include_role:
        name: rolename

Retry an intermittent error

- name: Test failure
  command: "bash -c 'exit $(( $RANDOM % 4 ))'"
  register: result
  retries: 5
  delay: 10
  until: result is not failed
  ignore_errors: True

- debug: var=result


Simple loop

- name: Create a temporary directory
  ansible.builtin.tempfile:
    path: /my/path
    state: directory
  register: tempdir

- name: Download files
  ansible.builtin.get_url:
    url: "ftp://my.anonymous.server/files/{{ item }}"
    dest: "{{ tempdir.path }}/{{ item }}"
    mode: +x
  loop:
    - "file01.txt"
    - "file02.txt"
    - "file03.txt"

The mode: +x is only needed if there’s an executable that is supposed to be run afterwards.

Advanced loop

- name: DaVinci resolve - Set Firewall rule
  vars:
    applications:
      - name: DaVinci Resolve
        path: C:\program files\blackmagic design\davinci resolve\resolve.exe
      - name: FusionScript services for Fusion
        path: C:\program files\blackmagic design\davinci resolve\fuscript.exe
      - name: dpdecoder
        path: C:\program files\blackmagic design\davinci resolve\dpdecoder.exe
  community.windows.win_firewall_rule:
    name: '{{ item[0].name }} ({{ item[1] }})'
    group: DaVinci Resolve
    description: '{{ item[0].name }}'
    program: '{{ item[0].path }}'
    profiles: domain
    localport: any
    protocol: '{{ item[1] }}'
  # product() pairs every application with both protocols
  loop: "{{ applications | product(['udp', 'tcp']) | list }}"

Conditional execution

With when

- name: Remove previous splashtop versions
  ansible.windows.win_package:
    product_id: '{C8BC0F03-D53F-4f19-B42F-06CB733C09E4}'
    state: absent
  become: yes
  when: software_version.win_file_version.file_version != ""

With block – when

- name: fetch Splashtop Streamer version
  ansible.builtin.command: defaults read "/Applications/Splashtop" CFBundleShortVersionString
  register: app_version

- block:
  - name: Create a temporary directory
    ansible.builtin.tempfile:
      path: /my/path
      state: directory
    register: tempdir
  - name: Use the registered var and the file module to remove the temporary folder
    ansible.builtin.file:
      path: "{{ tempdir.path }}"
      state: absent
    when: tempdir.path is defined
  when: app_version.stdout != ""


Install an ansible galaxy collection

ansible-galaxy collection install


ansible.builtin.command – Execute commands on targets

- name: fetch Splashtop Streamer version
  ansible.builtin.command: defaults read "/Applications/Splashtop" CFBundleShortVersionString
  register: app_version

ansible.builtin.debug – Print statements during execution

Debug message

# Example that prints return information from the previous task
- shell: /usr/bin/uptime
  register: result

- debug:
    var: result
    verbosity: 2

Conditional debug message

- name: fetch Cinema4D R21 version
  community.windows.win_file_version:
    path: 'C:\Program Files\Maxon Cinema 4D R21\CINEMA 4D.exe'
  register: C4DR21_version
  failed_when: False

- debug:
    msg: "C4DR21 version: {% if C4DR21_version.win_file_version.file_version is defined %}{{ C4DR21_version.win_file_version.file_version }}{% else %}Not installed{% endif %}"

ansible.builtin.setup – Gathers facts about remote hosts

- name: Collect facts
  ansible.builtin.setup:
    gather_subset:
      - min

gather_subset: Possible values: all, min, hardware, network, virtual, ohai, and facter.

ansible.builtin.slurp – Slurps a file from remote nodes

- name: get content of remote file
  ansible.builtin.slurp:
    src: "{{remote_path}}"
  register: remote_content_encoded

# slurp returns the file base64-encoded, so decode it before use
- name: decode remote content
  ansible.builtin.set_fact:
    remote_content: "{{remote_content_encoded.content | b64decode}}"

- debug:
    msg: "content of remote file {{remote_path}}: {{remote_content}}"

ansible.windows.win_shell – Execute shell commands on target hosts

- name: Uninstall AWS Thinkbox Deadline Client
  ansible.windows.win_shell: '& "$Env:ProgramFiles\Thinkbox\Deadline10\uninstall.exe" --mode unattended'
  become: yes

So the path to the exe must be in double quotes, the entire command in single quotes, and $Env:ProgramFiles is used (instead of %programfiles%, which only works with cmd.exe).

ansible.windows.win_package – Installs/uninstalls an installable package

- name: Install Maxon Cinema4D_S26_26.014
  ansible.windows.win_package:
    path: '{{ deployment_folder }}\Maxon\C4Dr26\Cinema4D_S26_26.014_Win.exe'
    arguments: --mode unattended --unattendedmodeui none
    creates_path: 'C:\Program Files\Maxon Cinema 4D R26\Cinema 4D.exe'
    product_id: "Maxon Cinema 4D R26"
    state: present
  become: yes

Uninstall registry path

Doc:

community.windows.win_robocopy – Synchronizes the contents of two directories using Robocopy

If flags is set, purge and recurse will be ignored.

- name: Ensure the Redshift Core folder is copied to C:\ProgramData
  become: yes
  community.windows.win_robocopy:
    src: '{{ library_folder }}\PLUGINS\C4D_v002\redshift\redshift_v2.6.52_flt\Redshift\'
    dest: C:\ProgramData\Redshift\
    recurse: yes
    purge: yes
    #flags: /v
  register: result

- debug:
    var: result.output

community.windows.win_psexec – Runs commands on a remote Windows host based on the PsExec model

- name: Test the PsExec connection to the local system (target node) with your user
  community.windows.win_psexec:
    command: 'Powershell Add-WindowsCapability -Online -Name "SNMP.Client~~~~"'

community.windows.win_file_version – Get DLL or EXE file build version

- name: fetch software version
  community.windows.win_file_version:
    path: 'C:\Program Files\Maxon Cinema 4D R24\Cinema 4D.exe'
  register: software_version


ansible-playbook – run an ansible playbook

--ask-vault-password, --ask-vault-pass      ask for vault password
--vault-password-file, --vault-pass-file    vault password file
-e, --extra-vars                            set additional variables as key=value or YAML/JSON, if filename prepend with @
-i, --inventory, --inventory-file           specify inventory host path or comma separated host list. --inventory-file is deprecated
-l <SUBSET>, --limit <SUBSET>               further limit selected hosts to an additional pattern
-v, --verbose                               verbose mode (-vvv for more, -vvvv to enable connection debugging)

Add variables in command line

ansible-playbook -i production.yml --vault-password-file ~/vault_password add_new_project.yml --extra-vars "new_project=XXXX_Testpermissions"
ansible-playbook -i production.yml --vault-password-file ~/vault_password add_new_project.yml --extra-vars "client=myclient new_project=myproject"
ansible-playbook -i production.yml play_test.yml --limit rendernodes
ansible-playbook --ask-vault-pass -i production.yml play_test.yml --limit test


Kerberos python plugin needed on Turnkey Ansible:

apt install python3-kerberos krb5-user

edit /etc/krb5.conf (change only realms and domain_realm):

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc =
                kdc =
                default_domain =
        }

[domain_realm]
         = EXAMPLE.COM
         = EXAMPLE.COM


test (case is important !):

kinit myuser@EXAMPLE.COM
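
An added example (not from the original notes): a playbook that reuses the ticket obtained with kinit to connect over WinRM with Kerberos, then checks the local-administrator requirement mentioned at the top of this page. The inventory group windows, the HTTPS listener on port 5986 and the account myuser@EXAMPLE.COM are assumptions.

```yaml
# check_winrm_kerberos.yml -- constructed example, not part of the original notes
- name: Check the Kerberos WinRM connection and the account's privileges
  hosts: windows                            # assumed inventory group
  gather_facts: false                       # fact gathering itself needs admin rights
  vars:
    ansible_connection: winrm
    ansible_port: 5986                      # assumed: WinRM HTTPS listener
    ansible_winrm_scheme: https
    ansible_winrm_transport: kerberos
    ansible_winrm_kinit_mode: manual        # reuse the kinit ticket, no password stored
    ansible_user: myuser@EXAMPLE.COM        # realm in upper case, as in the kinit test
  tasks:
    - name: Confirm that WinRM authentication succeeds
      ansible.windows.win_ping:

    - name: Check for an enabled Administrators membership in the logon token
      ansible.windows.win_shell: |
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($id)
        $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
      register: admin_check
      changed_when: false

    - name: Stop early when the account is not a local administrator
      ansible.builtin.assert:
        that:
          - admin_check.stdout | trim == 'True'
        fail_msg: "{{ ansible_user }} is not a local administrator on {{ inventory_hostname }}"
        success_msg: "{{ ansible_user }} holds local administrator rights"
```

With ansible_winrm_kinit_mode set to manual, the play fails at win_ping as soon as the ticket has expired, which makes it a quick pre-flight check before a longer run.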

GPO to allow WinRM for Ansible



Run an arbitrary powershell one liner (the double quotes must be escaped inside)

this seems wrong, there’s a powershell module: “”

- name: Uninstall Office ProPlus
  hosts: all
  gather_facts: no
  tasks:
    - name: removes old shortcuts
      win_command: powershell -command "Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { $profilePath = $_.GetValue('ProfileImagePath') ; Remove-Item -Path \"$profilePath\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*2010*\" }"

Check C4D version

the right way to go is to use ‘’

- name: fetch Cinema4D r19 version
  hosts: all
  gather_facts: no
  tasks:
    - win_shell: '& "C:\Program Files\MAXON\Cinema 4D R19\Commandline.exe" | Select-String -Pattern "Version / Build"'
      register: C4Dr19_version
    - debug:
        var: C4Dr19_version.stdout_lines[1]