ansible-collections / microsoft.ad

Ansible collection for Active Directory management
GNU General Public License v3.0

microsoft.ad.user - Created user not found while deleting by ad-hoc command #110

Open bantify opened 3 months ago

bantify commented 3 months ago

Summary

Two users were created successfully. I was able to delete the first user with an ad-hoc command, but the second user is not found when trying to delete it with an ad-hoc command, even though the second user exists in Windows AD. Playbook and logs are attached below:

ISSUE TYPE

 Bug Report

COMPONENT NAME

 microsoft.ad.user

Ansible version:

ansible --version
ansible [core 2.15.10]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ericsson_nbanik/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ericsson_nbanik/env/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ericsson_nbanik/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ericsson_nbanik/env/bin/ansible
  python version = 3.9.6 (default, Mar 26 2024, 17:37:43) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] (/home/ericsson_nbanik/env/bin/python3.9)
  jinja version = 3.1.3
  libyaml = True

Galaxy version:

➜  ansible-galaxy collection list | grep microsoft.ad
microsoft.ad                  1.4.1  

Here is my var files:

users:
- name: bob
  firstname: Bob
  surname: Smith
  company: Ericsson
  password: tWelvepass!12tWelvepass!12
  email: bob.smith@ericsson.com
- name: magnus
  firstname: Magnus
  surname: Smith
  company: Ericsson
  password: tWelvepass!12tWelvepass!12
  email: magnus.smith@ericsson.com

My playbook:

---
- name: Create windows User
  hosts: win
  vars_files: ad_user.yml
  tasks:
  - name: Create windows user
    microsoft.ad.user:
      name: "{{ item.name }}"
      firstname: "{{ item.firstname }}"
      surname: "{{ item.surname }}"
      company: "{{ item.company }}"
      password: "{{ item.password }}"
      email: "{{ item.email }}"
      state: present
      groups:
        set:
        - BL_DBSS_VPN
        - Domain Admins
    with_items: "{{ users }}"
...

Play book run logs:

➜  ansible-playbook playbook/windows_user.yml -i dc1prod-hosts 

PLAY [Create windows User] ******************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************
ok: [10.74.2.10]

TASK [Create windows user] ******************************************************************************************************************************************************************************************************
changed: [10.74.2.10] => (item={'name': 'bob', 'firstname': 'Bob', 'surname': 'Smith', 'company': 'Ericsson', 'password': 'tWelvepass!12tWelvepass!12', 'email': 'bob.smith@ericsson.com'})
changed: [10.74.2.10] => (item={'name': 'magnus', 'firstname': 'Magnus', 'surname': 'Smith', 'company': 'Ericsson', 'password': 'tWelvepass!12tWelvepass!12', 'email': 'magnus.smith@ericsson.com'})
[WARNING]: Failed to enumerate user groups but continuing on: The operation being requested was not performed because the user has not been authenticated

PLAY RECAP **********************************************************************************************************************************************************************************************************************
10.74.2.10                 : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

bob user delete:

➜  ansible -m ansible.windows.win_user -a 'name=bob state=absent' -i dc1prod-hosts win                           
10.74.2.10 | CHANGED => {
    "changed": true,
    "msg": "User 'bob' deleted successfully",
    "name": "bob",
    "state": "absent"
}

magnus user delete:

➜  ansible -m ansible.windows.win_user -a 'name=magnus state=absent' -i dc1prod-hosts win        
10.74.2.10 | SUCCESS => {
    "changed": false,
    "msg": "User 'magnus' was not found",
    "name": "magnus",
    "state": "absent"
}

Why is the magnus user not found?

Though the user exists in Windows AD:

[screenshot: the magnus user shown in Windows AD]

Please check why the magnus user is not found. If we replace magnus with another name, it works.

jborean93 commented 3 months ago

Where is the user magnus located in the AD site? When you specify name: magnus it will attempt to find the user at CN=magnus,$defaultUserLocation where $defaultUserLocation is the default location that new users are created at. You can get the default path by running

$GUID_USERS_CONTAINER_W = 'A9D1CA15768811D1ADED00C04FD8D5CD'
$defaultNamingContext = (Get-ADRootDSE -Properties defaultNamingContext).defaultNamingContext

Get-ADObject -Identity $defaultNamingContext -Properties wellKnownObjects |
    Select-Object -ExpandProperty wellKnownObjects |
    Where-Object { $_.StartsWith("B:32:$($GUID_USERS_CONTAINER_W):") } |
    ForEach-Object Substring 38

In my domain's case it is CN=Users,DC=domain,DC=test. So if the user magnus is located in another container, for example another OU, then the module will fail to find it.

If you wish to look up a user by the sAMAccountName then you need to use the identity option. The name option is strictly just for the name/cn of the user in the LDAP sense, whereas identity is a way to look up the user using its sAMAccountName, distinguishedName, objectSID, or objectGuid.
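As an added example, not part of the issue thread or of the microsoft.ad collection: a PowerShell check that runs the two lookups the maintainer describes side by side. It resolves the default users container from wellKnownObjects (the same technique as the snippet above), then asks whether CN=<Name> exists directly under that container (what the name option does) and whether a user with that sAMAccountName exists anywhere in the domain (what the identity option does), and reports the object's real distinguishedName. The function and parameter names are assumptions for this example; it requires the ActiveDirectory RSAT module and a domain-joined session.

```powershell
<#
  Added example, not from the issue or the microsoft.ad collection.
  Shows why 'name: magnus' (a CN lookup under the default users container)
  can miss a user that 'identity: magnus' (a sAMAccountName lookup) finds.
  Assumes the ActiveDirectory module and a domain-joined session.
  Function names and the -Name parameter are assumed for this example;
  the wellKnownObjects GUID is the one quoted in the maintainer's reply.
#>
Import-Module ActiveDirectory

function Get-DefaultUsersContainer {
    # Read the well-known "Users" container from the domain naming context.
    $guidUsersContainer = 'A9D1CA15768811D1ADED00C04FD8D5CD'
    $ncName = (Get-ADRootDSE -Properties defaultNamingContext).defaultNamingContext
    Get-ADObject -Identity $ncName -Properties wellKnownObjects |
        Select-Object -ExpandProperty wellKnownObjects |
        Where-Object { $_.StartsWith("B:32:$($guidUsersContainer):") } |
        ForEach-Object Substring 38   # strip the "B:32:<GUID>:" prefix (38 chars)
}

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves so a caller-supplied name
    # cannot change the shape of the filter (LDAP filter injection).
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-AdUserLookup {
    param([Parameter(Mandatory)][string]$Name)

    $defaultUsers = Get-DefaultUsersContainer
    $safeName = ConvertTo-LdapFilterValue $Name

    # What 'name: <Name>' does: only CN=<Name> directly under the default container.
    $byCn = Get-ADObject -LDAPFilter "(&(objectClass=user)(cn=$safeName))" `
        -SearchBase $defaultUsers -SearchScope OneLevel

    # What 'identity: <Name>' does: resolve the sAMAccountName anywhere in the domain.
    $bySam = Get-ADUser -LDAPFilter "(sAMAccountName=$safeName)"

    $actualDn = $null
    if ($bySam) { $actualDn = $bySam.DistinguishedName }

    [pscustomobject]@{
        Name                    = $Name
        DefaultUsersContainer   = $defaultUsers
        FoundByCnInDefault      = [bool]$byCn
        FoundBySamAccountName   = [bool]$bySam
        ActualDistinguishedName = $actualDn
    }
}

# Compare both lookups for the user from the issue.
Test-AdUserLookup -Name 'magnus' | Format-List
# If FoundByCnInDefault is False but FoundBySamAccountName is True, the object
# lives outside the default container; delete it via the identity option, e.g.
#   microsoft.ad.user: { identity: magnus, state: absent }
# or pass ActualDistinguishedName as the identity value.
```

Run it on the domain controller (or any host with RSAT) as the same account the playbook connects with, so that the result reflects what the module itself could see.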