Open tarmael opened 2 months ago
Thanks for the bug report. Are you saying it's failing to add a group member where the group is privileged in some way, or is it some other problem? Just trying to figure out the exact scenario that is causing the problem here. Keep in mind setting the membership of a user does require modification of the group object, so maybe we need to expand the documentation, but I don't think we can do so without the required permissions.
In new user creation attempts this means the account is partially created and then needs to be deleted or edited later to be completed.
While we could potentially try and clean things up, this is a tricky thing to ensure as we would need to track the before state and try and revert. Unfortunately I think in this case it's probably not something we will try and implement, as there are a few places that do an action. Without a generic rollback mechanism on the AD side, the overhead of trying to do so in the module will be very complex. As these modules are meant to be idempotent, I don't see this being as much of a problem once the underlying issue is solved.
Sorry for the delay.
it's failing to add a group member where the group is privileged in some way
Yes correct. I'm saying when the account trying to modify the AD Group doesn't have permissions to modify that group, the User Creation in microsoft.ad.user stops and doesn't proceed any further.
I completely understand from both a technical and logical reason why you do not attempt to revert the user in this scenario. AD Objects are complex, and reverting a change may have worse repercussions.
My issue is that when this scenario happens, it fails loudly when a warning message may be better suited.
SUMMARY
If the account creating the AD User does not have permissions to modify a specific group during the creation attempt, the microsoft.ad.user module bombs out and throws a PowerShell error message.
This action also fails loudly, as it leaves the user account and does not clean up afterwards. In new user creation attempts this means the account is partially created and then needs to be deleted or edited later to be completed.
ISSUE TYPE
COMPONENT NAME
microsoft.ad.user
ADDITIONAL INFORMATION
This feature could behave similarly to lookup_failure_action, or could be included as part of this parameter. Similar to lookup_failure_action, it would be best if the parameter outlined what groups it couldn't include in the task.
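As an added example (not from this issue or from the microsoft.ad collection itself), the following Ansible tasks work around the scenario described in the summary with the options that already exist: the user object is created first without any group changes, the group memberships are applied in a separate task whose failures are kept instead of aborting the play, and the groups the automation account could not modify are reported afterwards. The user name, OU path, group names and the `svc_password` variable are constructed sample values.

```yaml
# Added example, not part of the original issue. Sample values are constructed.
- name: Create the user object first, with no group changes in this task
  microsoft.ad.user:
    name: svc-example                        # constructed sample account
    password: "{{ svc_password }}"           # assumed to be supplied via vault
    state: present
    path: OU=Service Accounts,DC=example,DC=test

- name: Apply group memberships one group at a time and keep going on failure
  microsoft.ad.group:
    name: "{{ item }}"
    members:
      add:
        - svc-example
  loop:
    - App Readers
    - Privileged Operators                   # the account may lack write rights here
  register: group_result
  ignore_errors: true                        # keeps failed: true per item, play continues

- name: Report the groups that could not be modified instead of failing the user creation
  ansible.builtin.debug:
    msg: >-
      Could not add svc-example to:
      {{ group_result.results | selectattr('failed', 'defined')
         | selectattr('failed') | map(attribute='item') | list }}
  when: group_result.results | selectattr('failed', 'defined')
        | selectattr('failed') | list | length > 0
```

Because the group step runs against each group separately, a permission failure on one privileged group no longer leaves the user object half-configured, and the list printed at the end tells the operator which group rights the automation account is missing.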