ansible-collections / microsoft.ad

Ansible collection for Active Directory management
GNU General Public License v3.0

Using microsoft.ad.group to set members of a group does not work when both groups are in different OUs #94

Closed eschek87 closed 4 months ago

eschek87 commented 4 months ago
SUMMARY

Using microsoft.ad.group to set members of a group does not work when both groups are in different OUs

ISSUE TYPE
COMPONENT NAME

microsoft.ad.group

ANSIBLE VERSION
```text
ansible [core 2.16.3]
python version = 3.12.1
```
COLLECTION VERSION
```text
Collection                    Version
----------------------------- -------
microsoft.ad                  1.4.1
```
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
```yaml
- name: Add TEST-MS-SQL-Server-abc-Administratoren to TEST-MS-SQL-DBE-abc-sysadmin
  microsoft.ad.group:
    identity: TEST-MS-SQL-DBE-abc-sysadmin
    members:
      set:
        - TEST-MS-SQL-Server-abc-Administratoren
  delegate_to: "powershell_host"
```
EXPECTED RESULTS

Add group "TEST-MS-SQL-Server-abc-Administratoren" as a member of "TEST-MS-SQL-DBE-abc-sysadmin".

OU from "TEST-MS-SQL-Server-abc-Administratoren": "CN=TEST-MS-SQL-DBE-abc-sysadmin,OU=Test-MS-SQL,OU=Test-Anwendungen,OU=Test-AD-Rollengruppe,OU=Test-Group,DC=test,DC=test,DC=de"

OU from "TEST-MS-SQL-DBE-abc-sysadmin": "CN=TEST-MS-SQL-DBE-abc-sysadmin,OU=Test-MS-SQL,OU=Test-Anwendungen,OU=Test-AD-Berechtigungsgruppen,OU=Test-Group,DC=test,DC=test,DC=de"

ACTUAL RESULTS
```text
fatal: [ANSIBLE-TESTVM-WINDOWS-W2K22 -> powershell_host]: FAILED! => {"changed": false, "distinguished_name": "CN=TEST-MS-SQL-DBE-abc-sysadmin,OU=Test-MS-SQL,OU=Test-Anwendungen,OU=Test-AD-Berechtigungsgruppen,OU=Test-Group,DC=test,DC=test,DC=de", "msg": "Failed to find the following ad objects for group members: 'TEST-MS-SQL-Server-abc-Administratoren'", "object_guid": "f9981696-73a7-4d48-9b71-a99602f6a48e"}
```
jborean93 commented 4 months ago

Looks like the problem isn't the OU but the length of the group name. The lookup code has a check to see if the input value is between 1 and 20 characters and, if so, searches by sAMAccountName:

https://github.com/ansible-collections/microsoft.ad/blob/55831e644a364a252f9a71a0e314cc2bb795af77/plugins/module_utils/_ADObject.psm1#L562-L564

As TEST-MS-SQL-Server-abc-Administratoren exceeds 20 characters, it's just going to try and find it by DistinguishedName, which won't work. The following is a quick reproducer:

```yaml
- hosts: ...
  gather_facts: false

  tasks:
  - block:
    - name: create OU1
      microsoft.ad.ou:
        name: OU1
        state: present
      register: ou1

    - name: create OU2
      microsoft.ad.ou:
        name: OU2
        state: present
      register: ou2

    - name: create Group1
      microsoft.ad.group:
        name: Group1
        path: '{{ ou1.distinguished_name }}'
        scope: domainlocal
      register: group1

    - name: create Group2
      microsoft.ad.group:
        name: Group2-ReallyLongGroupNameHere
        path: '{{ ou2.distinguished_name }}'
        scope: domainlocal

    - name: add Group2 to Group1
      microsoft.ad.group:
        identity: Group1
        members:
          set:
          - Group2-ReallyLongGroupNameHere

    - name: get group membership
      microsoft.ad.object_info:
        identity: '{{ group1.object_guid }}'
        properties: member

    always:
    - name: remove example OUs
      microsoft.ad.ou:
        name: '{{ item }}'
        state: absent
      loop:
      - OU1
      - OU2
```

When I change the regex from {1,20} to just + then the example above works. This is interesting because the docs for the sAMAccountName attribute state the maximum length is 20 characters, but either that's out of date or just wrong. I'll have a play around and see what the next steps forward should be.

As a workaround you can use the distinguishedName, securityIdentifier, objectGuid, or userPrincipalName of the group in the yaml definition.
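A Python model of the identity lookup described in this comment, added here as an example and not code from the microsoft.ad collection: the lookup order, the regular expressions and the sample directory (placeholder domain, made-up GUIDs and SIDs) are assumptions, with the sAMAccountName regex kept in both its `{1,20}` and `+` forms so the 38-character group name from this issue can be traced through each.

```python
import re

# Hypothetical model of the lookup order jborean93 describes above; it is not
# the collection's _ADObject.psm1 code. Explicit identifier formats are
# recognised first, a bare name is searched by sAMAccountName only when it
# passes the length regex, and anything else falls through to a
# distinguishedName search that can never match a bare name.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
DN_RE = re.compile(r"^(CN|OU|DC)=", re.I)
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")
SAM_CAPPED = re.compile(r"^[^\\/:*?\"<>|@]{1,20}$")  # the {1,20} check from the issue
SAM_FIXED = re.compile(r"^[^\\/:*?\"<>|@]+$")        # the + form that makes it work


def lookup_attribute(identity, capped=False):
    """Return the attribute the modelled lookup would search by for identity."""
    if GUID_RE.match(identity):
        return "objectGUID"
    if SID_RE.match(identity):
        return "objectSid"
    if DN_RE.match(identity):
        return "distinguishedName"
    if UPN_RE.match(identity):
        return "userPrincipalName"
    if (SAM_CAPPED if capped else SAM_FIXED).match(identity):
        return "sAMAccountName"
    return "distinguishedName"  # fall-through: a bare name never matches a DN


# Constructed sample directory: placeholder domain, made-up GUIDs and SIDs.
DIRECTORY = [
    {"sAMAccountName": "TEST-MS-SQL-Server-abc-Administratoren",
     "distinguishedName": "CN=TEST-MS-SQL-Server-abc-Administratoren,OU=OU2,DC=example,DC=test",
     "objectGUID": "0f0f0f0f-1111-2222-3333-444444444444",
     "objectSid": "S-1-5-21-1000-2000-3000-1105"},
    {"sAMAccountName": "Group1",
     "distinguishedName": "CN=Group1,OU=OU1,DC=example,DC=test",
     "objectGUID": "0f0f0f0f-5555-6666-7777-888888888888",
     "objectSid": "S-1-5-21-1000-2000-3000-1106"},
]


def find_member_dn(identity, capped=False):
    """Resolve one members entry to a DN; None is the module's 'Failed to find' case."""
    attr = lookup_attribute(identity, capped)
    for obj in DIRECTORY:
        if obj.get(attr, "").lower() == identity.lower():
            return obj["distinguishedName"]
    return None
```

With `capped=True` the long name falls through to a distinguishedName search and resolves to nothing, while the DN, SID or GUID forms listed as workarounds resolve under either regex.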

jborean93 commented 4 months ago

This has been fixed with https://github.com/ansible-collections/microsoft.ad/pull/95