ansible-collections / microsoft.ad

Ansible collection for Active Directory management
GNU General Public License v3.0

AD User creation bombs out when attempting to add an AD Group of higher security permissions than the service account #140

Open tarmael opened 2 months ago

tarmael commented 2 months ago
SUMMARY

If the account creating the AD User does not have permissions to modify a specific group during the creation attempt, the microsoft.ad.user module bombs out and throws a PowerShell error message.

This action also fails loudly, as it leaves the user account and does not clean up afterwards. In new user creation attempts this means the account is partially created and then needs to be deleted or edited later to be completed.

ISSUE TYPE
COMPONENT NAME

microsoft.ad.user

ADDITIONAL INFORMATION

This feature could behave similar to lookup_failure_action or could be included as part of this parameter.

Similar to lookup_failure_action it would be best if the parameter outlined what groups it couldn't include in the task.

jborean93 commented 2 months ago

Thanks for the bug report, are you saying it's failing to add a group member where the group is privileged in some way, or some other problem? Just trying to figure out the exact scenario that is causing the problem here. Keep in mind setting the membership of a user does require modification of the group object so maybe we need to expand the documentation but I don't think we can do so without the required permissions.

In new user creation attempts this means the account is partially created and then needs to be deleted or edited later to be completed.

While we could potentially try and clean things up this is a tricky thing to ensure as we would need to track the before state and try and revert. Unfortunately I think in this case it's probably not something we will try and implement as there are a few places that do an action. Without a generic rollback mechanism on the AD side the overhead of trying to do so in the module will be very complex. As these modules are meant to be idempotent I don't see this being as much of a problem once the underlying issue is solved.

tarmael commented 3 weeks ago

Sorry for the delay.

it's failing to add a group member where the group is privileged in some way

Yes correct. I'm saying when the account trying to modify the AD Group doesn't have permissions to modify that group, the User Creation in microsoft.ad.user stops and doesn't proceed any further.

I completely understand from both a technical and logical reason why you do not attempt to revert the user in this scenario. AD Objects are complex, and reverting a change may have worse repercussions.

My issue is that when this scenario happens, it fails loudly when a warning message may be better suited.
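The scenario discussed in this thread (user creation aborting part-way because the automation account may not modify a protected group) can be contained at the playbook level today, without waiting for a module change. The playbook below is an added example and is not part of the microsoft.ad collection or of either commenter's reply. It separates user creation from group membership, applies each group in its own loop iteration so a single access-denied result does not block the others, and turns a denied change into a warning. Host pattern, user name, group names and the `svc_example_password` variable are placeholders; `lookup_failure_action` under `members` is assumed to be available in the installed collection version and, as the thread notes, only covers groups that cannot be looked up, not permission errors, which is why `ignore_errors` and the follow-up task are still needed.

```yaml
# Added example, not code from the microsoft.ad project.
# Create the user first, then apply group membership in its own task so that
# a permission failure on a protected group is reported rather than leaving
# the play aborted with a half-configured account. Names are placeholders.
- name: Create user and add group membership without aborting on a protected group
  hosts: domain_controllers
  gather_facts: false
  tasks:
    - name: Ensure the user exists (no group membership is set in this task)
      microsoft.ad.user:
        name: svc-example
        password: "{{ svc_example_password }}"   # placeholder variable
        state: present
        enabled: true

    - name: Add group membership one group per iteration so a single denial is isolated
      microsoft.ad.group:
        name: "{{ item }}"
        members:
          add:
            - svc-example
          # assumed suboption; only handles groups that cannot be found,
          # an access-denied error still fails the task
          lookup_failure_action: warn
      loop:
        - App-Readers
        - Tier0-Admins   # placeholder for a group the automation account may not control
      register: group_result
      ignore_errors: true

    - name: Surface denied group changes as a warning instead of a failed play
      ansible.builtin.debug:
        msg: >-
          WARNING: could not add svc-example to {{ item.item }}:
          {{ item.msg | default('unknown error') }}
      loop: "{{ group_result.results }}"
      when: item is failed
```

Because the user task runs on its own, a rerun stays idempotent: the account is already present, and only the group tasks that were denied last time produce warnings again. Keeping the automation account out of the ACLs of Tier 0 groups and routing those memberships through a separate, more privileged workflow is the least-privilege outcome; the warning simply makes the gap visible in the play output instead of in a PowerShell stack trace.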