ansible-collections / microsoft.ad

Ansible collection for Active Directory management
GNU General Public License v3.0

New-ADObject failed: The security descriptor is invalid #123

Closed david-sieg closed 2 months ago

david-sieg commented 3 months ago
SUMMARY

I want to create a Managed Service Account.

ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
2.16
COLLECTION VERSION
1.6.0
STEPS TO REPRODUCE

- name: Create Managed Service Accounts
  microsoft.ad.object:
    attributes:
      set:
        msDS-GroupMSAMembership: "SQLSERVER01$"
    name: "183_service"
    path: "CN=Managed Service Accounts,DC=local,DC=ad"
    protect_from_deletion: false
    state: "present"
    type: "msDS-GroupManagedServiceAccount"
    description: "Group Managed Service Account for SQL Server"
EXPECTED RESULTS

A created managed service account.

ACTUAL RESULTS
failed: [domain.ad.local] (item={'name': '183_service', 'description': 'Group Managed Service Account for SQL Server ', 'path': 'CN=Managed Service Accounts,DC=local,DC=ad', 'gmsa_members': 'SQLSERVER01$'}) => {
    "ansible_loop_var": "user",
    "changed": false,
    "distinguished_name": null,
    "invocation": {
        "module_args": {
            "attributes": {
                "add": {},
                "remove": {},
                "set": {
                    "msDS-GroupMSAMembership": "SQLSERVER01$"
                }
            },
            "description": "Group Managed Service Account for SQL Server",
            "display_name": null,
            "domain_credentials": [],
            "domain_password": null,
            "domain_server": null,
            "domain_username": null,
            "identity": null,
            "name": "183_service",
            "path": "CN=Managed Service Accounts,DC=local,DC=ad",
            "protect_from_deletion": false,
            "state": "present",
            "type": "msDS-GroupManagedServiceAccount"
        }
    },
    "msg": "New-ADObject failed: The security descriptor is invalid",
    "object_guid": null,
    "user": {
        "description": "Group Managed Service Account for SQL Server)",
        "gmsa_members": "SQLSERVER01$",
        "name": "183_service",
        "path": "CN=Managed Service Accounts,DC=local,DC=ad"
    }
}
jborean93 commented 3 months ago

Potentially there are some extra properties that need to be set for a MSA that New-ADServiceAccount does automatically. The msDS-GroupMSAMembership states that it is an NT-Sec-Desc object which is an SDDL string rather than an identity. While it is possible to build this manually it is very complex and at this point I think we just need to write a module that wraps the *-ADServiceAccount cmdlets that do this all for you automatically.
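The following PowerShell is an added example, not code from the issue or from the microsoft.ad collection. It shows the point raised above in working form: the supported `*-ADServiceAccount` cmdlets build the `msDS-GroupMSAMembership` security descriptor from a principal list, and reading the attribute back returns a security descriptor (SDDL) whose ACEs name SIDs, not a `SQLSERVER01$`-style identity. The gMSA name `183_service`, the computer `SQLSERVER01` and the domain `local.ad` are assumed from the reproduction above; a KDS root key is assumed to already exist in the domain.

```powershell
# Added example (not part of the issue or the microsoft.ad collection).
# Assumed values from the reproduction: gMSA '183_service', computer
# 'SQLSERVER01', domain 'local.ad'. Requires the ActiveDirectory module
# and an existing KDS root key.
Import-Module ActiveDirectory

# 1. Let the cmdlet build msDS-GroupMSAMembership. It converts the principal
#    list into an NT security descriptor; a bare identity string is not a
#    valid value for this attribute, which is why a raw write fails.
New-ADServiceAccount -Name '183_service' `
    -DNSHostName '183_service.local.ad' `
    -Description 'Group Managed Service Account for SQL Server' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQLSERVER01$'

# 2. Read the attribute back. AD PowerShell exposes NT-Sec-Desc attributes as
#    System.DirectoryServices.ActiveDirectorySecurity objects; the SDDL form
#    contains one ACE per permitted principal, keyed by SID.
$gmsa = Get-ADServiceAccount -Identity '183_service' -Properties 'msDS-GroupMSAMembership'
$sd = $gmsa.'msDS-GroupMSAMembership'
$sd.GetSecurityDescriptorSddlForm('All')

# 3. Resolve every ACE's SID to an account name. This is the review check that
#    matters: each principal listed here may retrieve the gMSA password, so an
#    unexpected entry is a finding, not a detail.
$sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            Rights    = $_.ActiveDirectoryRights
            Type      = $_.AccessControlType
        }
    }

# 4. Later membership changes also go through the cmdlet instead of an
#    attribute write. The parameter replaces the whole list, so pass every
#    principal that should keep access, not just the new one.
Set-ADServiceAccount -Identity '183_service' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQLSERVER01$', 'SQLSERVER02$'
```

Until a module wrapping these cmdlets exists, the same script can be driven from a playbook with `ansible.windows.win_powershell`; step 3 is worth keeping as a periodic audit task, since the list of principals able to fetch the managed password is the security boundary of the account.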