ansible-collections / community.windows

Windows community collection for Ansible
https://galaxy.ansible.com/community/windows
GNU General Public License v3.0

win_user: seems to be max character length of 20 #475

Closed nicovs closed 1 year ago

nicovs commented 1 year ago
SUMMARY

Creating a Windows user using win_user with a username length > 20 characters fails, although it is perfectly possible to create it manually. According to the docs, the max user length should be 256 characters: https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-autologon-username

The issue is probably related to: https://github.com/ansible-collections/community.windows/issues/281

ISSUE TYPE
COMPONENT NAME

ansible.windows.win_user

ANSIBLE VERSION
ansible [core 2.13.4]

(but also other versions)

COLLECTION VERSION

community.windows 1.10.0

OS / ENVIRONMENT

Creating local users on Windows Server 2019 (so not AD users)

STEPS TO REPRODUCE

Replace the username with anything longer than 20 characters.

  - name: Create user randomusernamelongerthan20chars
    ansible.windows.win_user:
      name: "randomusernamelongerthan20chars"
      password: "secretpassword"
      password_expired: false
      password_never_expires: true
      account_locked: false
      account_disabled: false
      state: present
      description: "user for randomusernamelongerthan20chars"
      groups:
        - IIS_IUSRS
    register: manage_user

EXPECTED RESULTS

User should be created without a problem.

changed: [localhost -> server] => {
    "account_disabled": false,
    "account_locked": false,
    "changed": true,
    "description": "user for randomusernamelongerthan20chars",
    "fullname": "randomusernamelongerthan20chars",
    "groups": [
        {
            "name": "IIS_IUSRS",
            "path": "WinNT://WORKGROUP/CS-ONE-IIS01/IIS_IUSRS"
        }
    ],
    "name": "randomusernamelongerthan20chars",
    "password_expired": false,
    "password_never_expires": true,
    "path": "WinNT://WORKGROUP/CS-ONE-IIS01/randomusernamelongerthan20chars",
    "sid": "S-1-5-21-...",
    "state": "present",
    "user_cannot_change_password": false
}

ACTUAL RESULTS

The user does not get created; the task fails with an error that the username is invalid.

TASK [sharediis-vhosts : Create user randomusernamelongerthan20chars] ******************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at <ScriptBlock>, <No file>: line 232
fatal: [localhost -> server]: FAILED! => {
    "changed": false
}

MSG:

Unhandled exception while executing module: Exception calling "SetInfo" with "0" argument(s): "The specified username is invalid.
"

jborean93 commented 1 year ago

Everything I've read online indicates the maximum limit is 20 characters as the local SAM database enforces that. The Win32 C API that can create a user even explicitly calls this out: https://learn.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netuseradd?redirectedfrom=MSDN

"User account names are limited to 20 characters"

If you do find a method that works I'm happy to investigate it further but until then there's nothing I can do.

nicovs commented 1 year ago

Hi @jborean93, you are right, according to https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/net-add-not-support-names-exceeding-20-characters we can use workarounds with vbs or whatever... I'll look into it.

nicovs commented 1 year ago

Hey @jborean93, thought I'd share it here to help other people if needed. Fixed this issue using win_dsc:

  - name: "Create user {{ username }}"
    ansible.windows.win_dsc:
      resource_name: User
      Ensure: "Present"
      Disabled: "false"
      UserName: "{{ username }}"
      Description: "user for  {{ username }}"
      Password_password: "{{ userpasswd }}"
      PasswordNeverExpires: true
      DependsOn: "[group]IIS_IUSRS"

jborean93 commented 1 year ago

I could not get this working

Failed to invoke DSC Set method: PowerShell DSC resource MSFT_UserResource failed to execute Set-TargetResource functionality with error message: There could be a possible multiple matches exception while trying to use the System.DirectoryServices API's.Exception calling "Save" with "0" argument(s): "The specified username is invalid.
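
A pre-flight check for the 20-character limit quoted above from the NetUserAdd documentation, as an added example that is not part of the thread or of the collection. It assumes `username` and `userpasswd` are defined as in the snippets above; the `sam_name` variable and the truncate-plus-hash naming convention are hypothetical choices made for this example.

```yaml
# Added example, not from the thread. `sam_name` is a hypothetical variable;
# `username` and `userpasswd` are assumed to be defined by the caller.
- name: Derive a local account name that fits the 20-character limit
  ansible.builtin.set_fact:
    # Names of 20 characters or fewer pass through unchanged. Longer names
    # become 11 leading characters + "-" + 8 hex digits of the SHA-256 of the
    # full name (11 + 1 + 8 = 20), so the same input always yields the same
    # account name. The 32-bit suffix only disambiguates a handful of names;
    # it is not a security boundary.
    sam_name: >-
      {{ username if (username | length) <= 20
      else username[:11] ~ '-' ~ (username | hash('sha256'))[:8] }}

- name: Fail early with a readable message instead of the SetInfo exception
  ansible.builtin.assert:
    that:
      - sam_name is string
      - sam_name | length >= 1
      - sam_name | length <= 20
    fail_msg: >-
      Local account name '{{ sam_name }}' is {{ sam_name | length }} characters;
      local user account names are limited to 20.
    quiet: true

- name: "Create user {{ sam_name }}"
  ansible.windows.win_user:
    name: "{{ sam_name }}"
    # The long, human-readable name is kept in fields that accept it.
    fullname: "{{ username }}"
    description: "user for {{ username }}"
    password: "{{ userpasswd }}"
    password_expired: false
    password_never_expires: true
    account_locked: false
    account_disabled: false
    state: present
    groups:
      - IIS_IUSRS
  register: manage_user
```

Anything that refers to the account afterwards (ACLs, application pool identities, log searches) has to use `sam_name`, not the original long name.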