From a2d6f9acd90a55aebeae12312959aa4f4e27f613 Mon Sep 17 00:00:00 2001
From: Jordan Borean
Date: Tue, 23 Jul 2019 08:21:02 +1000
Subject: [PATCH] Win setup fix 2.8 (#59211)

* Wrap Get-MachineSid's body in a try/catch

It's not critical information and there's been a number of issues over the years with trying to retrieve it. If an exception is thrown just return null.

Fixes: #47813

(cherry picked from commit b8a41a90b8561033b1ee408184eae41226693d26)

* add changelog

(cherry picked from commit 277690bcc6d63abd0de70f3131ac96d92fbce4e4)
---
 .../fragments/58483-win_setup_resilience.yml | 2 ++
 lib/ansible/modules/windows/setup.ps1 | 34 +++++++++++--------
 2 files changed, 22 insertions(+), 14 deletions(-)
 create mode 100644 changelogs/fragments/58483-win_setup_resilience.yml

diff --git a/changelogs/fragments/58483-win_setup_resilience.yml b/changelogs/fragments/58483-win_setup_resilience.yml
new file mode 100644
index 00000000000..e3d88db32f5
--- /dev/null
+++ b/changelogs/fragments/58483-win_setup_resilience.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- setup (Windows) - prevent setup module failure if Get-MachineSid fails (https://github.com/ansible/ansible/issues/47813)
diff --git a/lib/ansible/modules/windows/setup.ps1 b/lib/ansible/modules/windows/setup.ps1
index 71f1b49b276..0f05f07406d 100644
--- a/lib/ansible/modules/windows/setup.ps1
+++ b/lib/ansible/modules/windows/setup.ps1
@@ -29,22 +29,28 @@ Function Get-MachineSid {
     # only accessible by the Local System account. This method get's the local
     # admin account (ends with -500) and lops it off to get the machine sid.
-    $admins_sid = "S-1-5-32-544"
-    $admin_group = ([Security.Principal.SecurityIdentifier]$admins_sid).Translate([Security.Principal.NTAccount]).Value
-
-    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
-    $principal_context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
-    $group_principal = New-Object -TypeName System.DirectoryServices.AccountManagement.GroupPrincipal($principal_context, $admin_group)
-    $searcher = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalSearcher($group_principal)
-    $groups = $searcher.FindOne()
-    $machine_sid = $null
-    foreach ($user in $groups.Members) {
-        $user_sid = $user.Sid
-        if ($user_sid.Value.EndsWith("-500")) {
-            $machine_sid = $user_sid.AccountDomainSid.Value
-            break
+
+    try {
+        $admins_sid = "S-1-5-32-544"
+        $admin_group = ([Security.Principal.SecurityIdentifier]$admins_sid).Translate([Security.Principal.NTAccount]).Value
+
+        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+        $principal_context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
+        $group_principal = New-Object -TypeName System.DirectoryServices.AccountManagement.GroupPrincipal($principal_context, $admin_group)
+        $searcher = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalSearcher($group_principal)
+        $groups = $searcher.FindOne()
+
+        foreach ($user in $groups.Members) {
+            $user_sid = $user.Sid
+            if ($user_sid.Value.EndsWith("-500")) {
+                $machine_sid = $user_sid.AccountDomainSid.Value
+                break
+            }
         }
+    } catch {
+        #can fail for any number of reasons, if it does just return the original null
+        Add-Warning -obj $result -message "Error during machine sid retrieval: $($_.Exception.Message)"
     }
     return $machine_sid
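Review bot: The hunk removes `-    $machine_sid = $null` and, as far as the collapsed text shows, never re-adds it on the new side, so on the failure path (or when `FindOne()` yields no members and the loop never assigns) `return $machine_sid` reads a variable that was never set — that silently gives $null only while strict mode is off and throws under `Set-StrictMode`, which would undo the resilience this commit is after and contradicts the catch comment about "the original null". Restoring the initialiser, `$machine_sid = $null` on the line before `try {`, pins the documented contract regardless of strict mode; if the reformatting merely dropped that line, disregard this. The bare `catch` also swallows every terminating error, not just SID-lookup failures, which is acceptable for best-effort fact gathering since the message is surfaced through Add-Warning, but the comment should say so explicitly: `# best-effort: any failure is reported as a warning and machine_sid stays $null`. `Add-Warning` and `$result` are presumably provided by the module utils loaded outside this hunk — worth confirming they are in scope at this point. Get-MachineSid's closing brace lies outside the hunk.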