ansible-collections / microsoft.ad

Ansible collection for Active Directory management
GNU General Public License v3.0

microsoft.ad.object can't assign attribute PrincipalsAllowedToRetrieveManagedPassword #98

Closed gpa7407 closed 4 months ago

gpa7407 commented 7 months ago
SUMMARY

I have been trying to set the attribute PrincipalsAllowedToRetrieveManagedPassword for a MSA (msDS-GroupManagedServiceAccount) account. Not sure if this is a bug or a feature request.

ISSUE TYPE
COMPONENT NAME

microsoft.ad.object

ANSIBLE VERSION
ansible [core 2.14.1]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible
  ansible collection location = /ansible/collections:/etc/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
/ansible/collections/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.4.1  
CONFIGURATION
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
CALLBACKS_ENABLED(/etc/ansible/ansible.cfg) = ['profile_tasks']
COLLECTIONS_PATHS(/etc/ansible/ansible.cfg) = ['/ansible/collections', '/etc/ansible']
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT

Windows Server 2022

STEPS TO REPRODUCE
    - name: Get all properties for the specified account using its DistinguishedName
      microsoft.ad.object_info:
        identity: "CN=<**>L,CN=Managed Service Accounts,{{ domain_dn }}"
        properties: "*"

    - name: Create Service Accounts - ansible module
      microsoft.ad.object:
        attributes:
          set:
            PrincipalsAllowedToRetrieveManagedPassword: "<**>"
        name: <**>
        path: "CN=Managed Service Accounts,{{ domain_dn }}"
        protect_from_deletion: true
        state: present
        type: "msDS-GroupManagedServiceAccount"
EXPECTED RESULTS

I expect to set the PrincipalsAllowedToRetrieveManagedPassword attribute

ACTUAL RESULTS
TASK [Create Service Accounts - ansible module] ********************************
task path: /ansible/collections/ansible_collections/**/**/playbooks/prep_ad_post.yml:76
Tuesday 20 February 2024  18:48:45 +0000 (0:00:03.119)       0:00:49.050 ****** 
Using module file /ansible/collections/ansible_collections/microsoft/ad/plugins/modules/object.ps1
Pipelining is enabled.
<**IP**> ESTABLISH WINRM CONNECTION FOR USER: <**User**> on PORT <**Port**> TO <**IP**>
EXEC (via pipeline wrapper)
The full traceback is:
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
fatal: [<**Host**>]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: The specified directory service attribute or value does not exist\r\nParameter name: PrincipalsAllowedToRetrieveManagedPassword"
}
jborean93 commented 7 months ago

The PrincipalsAllowedToRetrieveManagedPassword is a special property/parameter on the New-ADServiceAccount cmdlet and not an actual LDAP attribute. The actual attribute is called msDS-GroupMSAMembership.
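For readers who land here with the same task: the following is an added example (not code from the issue author or the collection's own docs) that writes the real attribute, msDS-GroupMSAMembership, through microsoft.ad.object. It assumes a group named gMSA-Web-Hosts and the domain_dn variable from the report, that microsoft.ad.object_info returns objectSid as a SID string, that microsoft.ad.object accepts the security_descriptor attribute value type with an SDDL string, and that the 0xf01ff access mask matches what Set-ADServiceAccount writes for this attribute.

```yaml
# Added example; the names and the assumptions listed in the lead-in are
# hypothetical and should be verified against the collection docs.
- name: Look up the SID of the principal allowed to retrieve the gMSA password
  microsoft.ad.object_info:
    identity: "CN=gMSA-Web-Hosts,CN=Users,{{ domain_dn }}"
    properties:
      - objectSid
  register: allowed_group

- name: Create the gMSA and set msDS-GroupMSAMembership instead of the cmdlet parameter
  microsoft.ad.object:
    name: svc-web
    path: "CN=Managed Service Accounts,{{ domain_dn }}"
    type: msDS-GroupManagedServiceAccount
    protect_from_deletion: true
    state: present
    attributes:
      set:
        # msDS-GroupMSAMembership is a security descriptor: the DACL lists the
        # principals that may read the managed password. Keep it to a single
        # ACE for the specific group or computer account that needs it rather
        # than a broad group such as Domain Computers.
        msDS-GroupMSAMembership:
          type: security_descriptor
          value: "O:SYD:(A;;0xf01ff;;;{{ allowed_group.objects[0].objectSid }})"
```

After the run, comparing the account's msDS-GroupMSAMembership against one configured with Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword confirms the mask and owner assumptions above.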

jborean93 commented 4 months ago

Closing per the above.