Windows: Add multi-domain forest Support (#65138)
* Add multi-domain forest support: clone extra_args so no separate credential check is needed. Fixed formatting; added the missing extra_args to the pure state. * Minor fixes: do not clone $extra_member_args again, do not override $name, better description. * Added changelog; fixed a typo in the documentation.
parent
a60feeb3c1
commit
cbc38d2e5a
3 changed files with 26 additions and 7 deletions
|
@ -0,0 +1,2 @@
|
||||||
|
minor_changes:
|
||||||
|
- win_group_membership - Add multi-domain forest support - https://github.com/ansible/ansible/issues/59829
|
|
@ -39,6 +39,8 @@ if ($null -ne $domain_server) {
|
||||||
$extra_args.Server = $domain_server
|
$extra_args.Server = $domain_server
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$ADGroup = Get-ADGroup -Identity $name @extra_args
|
||||||
|
|
||||||
$result = @{
|
$result = @{
|
||||||
changed = $false
|
changed = $false
|
||||||
added = [System.Collections.Generic.List`1[String]]@()
|
added = [System.Collections.Generic.List`1[String]]@()
|
||||||
|
@ -48,11 +50,16 @@ if ($diff_mode) {
|
||||||
$result.diff = @{}
|
$result.diff = @{}
|
||||||
}
|
}
|
||||||
|
|
||||||
$members_before = Get-AdGroupMember -Identity $name @extra_args
|
$members_before = Get-AdGroupMember -Identity $ADGroup @extra_args
|
||||||
$pure_members = [System.Collections.Generic.List`1[String]]@()
|
$pure_members = [System.Collections.Generic.List`1[String]]@()
|
||||||
|
|
||||||
foreach ($member in $members) {
|
foreach ($member in $members) {
|
||||||
$group_member = Get-ADObject -Filter "SamAccountName -eq '$member' -and $ad_object_class_filter" -Properties objectSid, sAMAccountName @extra_args
|
$extra_member_args = $extra_args.Clone()
|
||||||
|
if ($member -match "\\"){
|
||||||
|
$extra_member_args.Server = $member.Split("\")[0]
|
||||||
|
$member = $member.Split("\")[1]
|
||||||
|
}
|
||||||
|
$group_member = Get-ADObject -Filter "SamAccountName -eq '$member' -and $ad_object_class_filter" -Properties objectSid, sAMAccountName @extra_member_args
|
||||||
if (!$group_member) {
|
if (!$group_member) {
|
||||||
Fail-Json -obj $result "Could not find domain user, group, service account or computer named $member"
|
Fail-Json -obj $result "Could not find domain user, group, service account or computer named $member"
|
||||||
}
|
}
|
||||||
|
@ -70,11 +77,11 @@ foreach ($member in $members) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($state -in @("present", "pure") -and !$user_in_group) {
|
if ($state -in @("present", "pure") -and !$user_in_group) {
|
||||||
Add-ADGroupMember -Identity $name -Members $group_member -WhatIf:$check_mode @extra_args
|
Add-ADPrincipalGroupMembership -Identity $group_member -MemberOf $ADGroup -WhatIf:$check_mode @extra_member_args
|
||||||
$result.added.Add($group_member.SamAccountName)
|
$result.added.Add($group_member.SamAccountName)
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
} elseif ($state -eq "absent" -and $user_in_group) {
|
} elseif ($state -eq "absent" -and $user_in_group) {
|
||||||
Remove-ADGroupMember -Identity $name -Members $group_member -WhatIf:$check_mode @extra_args -Confirm:$False
|
Remove-ADPrincipalGroupMembership -Identity $group_member -MemberOf $ADGroup -WhatIf:$check_mode -Confirm:$False @extra_member_args
|
||||||
$result.removed.Add($group_member.SamAccountName)
|
$result.removed.Add($group_member.SamAccountName)
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
|
@ -82,7 +89,7 @@ foreach ($member in $members) {
|
||||||
|
|
||||||
if ($state -eq "pure") {
|
if ($state -eq "pure") {
|
||||||
# Perform removals for existing group members not defined in $members
|
# Perform removals for existing group members not defined in $members
|
||||||
$current_members = Get-AdGroupMember -Identity $name @extra_args
|
$current_members = Get-AdGroupMember -Identity $ADGroup @extra_args
|
||||||
|
|
||||||
foreach ($current_member in $current_members) {
|
foreach ($current_member in $current_members) {
|
||||||
$user_to_remove = $true
|
$user_to_remove = $true
|
||||||
|
@ -94,14 +101,14 @@ if ($state -eq "pure") {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($user_to_remove) {
|
if ($user_to_remove) {
|
||||||
Remove-ADGroupMember -Identity $name -Members $current_member -WhatIf:$check_mode @extra_args -Confirm:$False
|
Remove-ADPrincipalGroupMembership -Identity $current_member -MemberOf $ADGroup -WhatIf:$check_mode -Confirm:$False
|
||||||
$result.removed.Add($current_member.SamAccountName)
|
$result.removed.Add($current_member.SamAccountName)
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$final_members = Get-AdGroupMember -Identity $name @extra_args
|
$final_members = Get-AdGroupMember -Identity $ADGroup @extra_args
|
||||||
|
|
||||||
if ($final_members) {
|
if ($final_members) {
|
||||||
$result.members = [Array]$final_members.SamAccountName
|
$result.members = [Array]$final_members.SamAccountName
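Review bot: The new `Remove-ADPrincipalGroupMembership -Identity $current_member -MemberOf $ADGroup ...` line in the pure-state removal hunk (`@ -94,14 +101,14 @@`) is the only AD call in this file that no longer carries `@extra_args`; the replaced `Remove-ADGroupMember` line had it, and every other new call (`Get-ADGroup`, the `Get-AdGroupMember` calls, and the add/remove calls in the member loop) still splats `@extra_args` or `@extra_member_args`. As a result `domain_server` (and whatever credential the module places in `$extra_args`, which is set up outside this hunk) is silently dropped for that one operation, so the removal runs as the WinRM connection identity against whatever DC the cmdlet picks by default, which can fail or, worse, succeed against a different server than the one the caller targeted. The commit message says extra_args was added to the pure state, but the rendered line does not show it, so this looks like a lost edit; I would make it `Remove-ADPrincipalGroupMembership -Identity $current_member -MemberOf $ADGroup -WhatIf:$check_mode -Confirm:$False @extra_args`. The enclosing `foreach ($current_member in $current_members)` loop starts in the previous hunk and its membership comparison is outside the visible lines. Separately, the new `$ADGroup = Get-ADGroup -Identity $name @extra_args` throws an unhandled exception when the group does not exist rather than reporting through `Fail-Json` like the member lookup does; a try/catch around it with a message such as `"Could not find domain group named $name"` would keep failure reporting consistent.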
|
||||||
|
|
|
@ -27,6 +27,7 @@ options:
|
||||||
- A list of members to ensure are present/absent from the group.
|
- A list of members to ensure are present/absent from the group.
|
||||||
- The given names must be a SamAccountName of a user, group, service account, or computer.
|
- The given names must be a SamAccountName of a user, group, service account, or computer.
|
||||||
- For computers, you must add "$" after the name; for example, to add "Mycomputer" to a group, use "Mycomputer$" as the member.
|
- For computers, you must add "$" after the name; for example, to add "Mycomputer" to a group, use "Mycomputer$" as the member.
|
||||||
|
- If the member object is part of another domain in a multi-domain forest, you must add the domain and "\" in front of the name.
|
||||||
type: list
|
type: list
|
||||||
required: yes
|
required: yes
|
||||||
state:
|
state:
|
||||||
|
@ -91,6 +92,15 @@ EXAMPLES = r'''
|
||||||
members:
|
members:
|
||||||
- DESKTOP$
|
- DESKTOP$
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: Add a domain user/group from another Domain in the multi-domain forest to a domain group
|
||||||
|
win_domain_group_membership:
|
||||||
|
domain_server: DomainAAA.cloud
|
||||||
|
name: GroupinDomainAAA
|
||||||
|
members:
|
||||||
|
- DomainBBB.cloud\UserInDomainBBB
|
||||||
|
state: Present
|
||||||
|
|
||||||
'''
|
'''
|
||||||
|
|
||||||
RETURN = r'''
|
RETURN = r'''
|
||||||
|
|