Open fiskhest opened 2 years ago
Hi, I'm getting the same error message "The specified account already exists" if I execute the playbook multiple times. If I delete the user, it is created successfully.
tasks:
The full traceback is: The specified account already exists At line:252 char:21
+ CategoryInfo : ResourceExists: (CN=SQL POC AGT ...jsathler,DC=lab:String) [New-ADUser], ADIdentityAlreadyExistsException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADUser
ScriptStackTrace:
at
Microsoft.ActiveDirectory.Management.ADIdentityAlreadyExistsException: The specified account already exists ---> System.ServiceModel.FaultException: The supplied entry already exists.
--- End of inner exception stack trace ---
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForExtendedError(String extendedErrorMessage, Exception innerException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.Create(ADAddRequest request)
at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Add(ADSessionHandle handle, ADAddRequest request)
at Microsoft.ActiveDirectory.Management.ADActiveObject.Create()
at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase3.ADNewCmdletBaseProcessCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase
1.ProcessRecord()
fatal: [74.234.93.189]: FAILED! => {
"changed": false,
"msg": "Unhandled exception while executing module: The specified account already exists"
}
SUMMARY
If the user already exists and you try to create them, the ps1 errors out if the `name` attribute is not set to the same as DN, GUID, SID or SAM account name.
ISSUE TYPE
COMPONENT NAME
community.windows.win_domain_user
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Controller: Arch Linux (also encountering the same inside a debian buster runner image) Target: Windows Server 2019
STEPS TO REPRODUCE
If an `identity:` is not set and the value supplied to the `name:` parameter is not one of distinguished name (DN), GUID, security identifier (SID), or Security Account Manager (SAM) account name, the module crashes with an error: `Unhandled exception while executing module: The specified account already exists` when running a second time.
EXPECTED RESULTS
When running a second time, the above should result in an "OK" instead of an unhandled exception.
ACTUAL RESULTS
Steps to resolve
I debugged the actual module code and there seems to be a misunderstanding about what can be supplied to the `-Identity` parameter for `Get-ADUser`. The module currently takes a name or identity param, and if identity is null it will be set to the value of name. Later inside the module that variable is used to find a user object inside AD.
However, the actual documentation for `Get-ADUser` says:
If the value supplied to `name:` does not match one of the above, this issue is reproducible 100%.
My suggestion is to either update the documentation to reflect that the name should match DN/SAM much like what is already done for the `identity` param:
or update the code so that identity defaults to `SamAccountName` or `$upn.Split('@')[0]` (though, I notice now that is not a required param).
I helped a customer resolve this by asking them to provide the first part of the upn as a name, but only after having to read source code to understand what was wrong.
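The lookup behaviour described in this issue, as an added PowerShell example that is not code from the community.windows collection or from the issue author. It assumes the RSAT ActiveDirectory module in a domain-joined session; the account name, UPN and the helper `Find-DomainUser` are constructed for illustration and are not values or functions from the module.

```powershell
# Added example, not the module's own code. It reproduces why a lookup keyed on
# the playbook's `name:` value misses an existing account, and shows an
# idempotent alternative that a second run turns into a no-op.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Constructed sample values (not from the issue's environment).
$name = 'SQL POC Agent'            # what the playbook passed as `name:` (a CN)
$upn  = 'sqlpocagt@lab.example'    # hypothetical UPN for the same account
$sam  = $upn.Split('@')[0]         # 'sqlpocagt', the sAMAccountName

# 1. The lookup the issue describes: `identity` falls back to `name`, and that
#    value is handed to -Identity, which only resolves a DN, GUID, SID or
#    sAMAccountName. A CN such as 'SQL POC Agent' is none of those, so the call
#    throws ADIdentityNotFoundException even when the account exists, and the
#    caller goes on to New-ADUser, which then fails with
#    "The specified account already exists".
try {
    $found = Get-ADUser -Identity $name -ErrorAction Stop
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    $found = $null
}

# 2. Hypothetical helper (name is ours): resolve the account by the first
#    usable key instead of relying on `name` being an identity. An explicit
#    identity wins; otherwise search by sAMAccountName, then by the CN using
#    -Filter, which compares the Name attribute rather than an identity.
function Find-DomainUser {
    param(
        [string]$Identity,
        [string]$SamAccountName,
        [string]$Name
    )
    if ($Identity) {
        return Get-ADUser -Identity $Identity -ErrorAction SilentlyContinue
    }
    if ($SamAccountName) {
        $u = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"
        if ($u) { return $u }
    }
    if ($Name) {
        # -Filter matches the Name (CN) attribute, so the issue's value resolves here.
        $u = Get-ADUser -Filter "Name -eq '$Name'"
        if ($u) { return $u }
    }
    return $null
}

# 3. Create only when nothing was found; the second run reports "ok" instead
#    of hitting ADIdentityAlreadyExistsException in New-ADUser.
$existing = Find-DomainUser -SamAccountName $sam -Name $name
if (-not $existing) {
    New-ADUser -Name $name -SamAccountName $sam -UserPrincipalName $upn
    Write-Output "created $sam"
} else {
    Write-Output "ok: $($existing.DistinguishedName) already exists"
}
```

The two `-Filter` strings interpolate the values directly, which is fine for the constructed names here; a value containing a single quote would need escaping before being placed in the filter. The ordering in `Find-DomainUser` mirrors the author's suggestion that identity should default to the sAMAccountName (or the first part of the UPN) rather than to `name`.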