win_domain_user: Make Identification of the user to work with more robust (#61594)
* Ensure we work on only one user. After the initial get/create use the GUID of the found/created user to ensure we will not start to work with a different user. If we create a user or modify it's attributes an he is not identified with the name parameter afterwards this module fails in rather unpredictable ways. This addressed #45298 * Use splatting create_args for creating user. This prepars this for adding more optional create arguments without nesting of condictions. * Set the UserPrincipalName and SamAccountName on create. Set the UserPrincipalName and SamAccountName on the create operation if upn is given to ensure the User is created with a contollable SamAccountName. * Rename $username to $name. $username is missleading as its not the SamAccountName. * Add a identity parameter to win_domain_user This gives the user full controll over how the user is identified in the AD. * Add version_added information for new parameter and fix yaml syntax. * Added changelog fragment
This commit is contained in:
parent
fadf7a426f
commit
d2e1aeeb67
3 changed files with 58 additions and 40 deletions
2
changelogs/fragments/win_domain_user-identity.yaml
Normal file
2
changelogs/fragments/win_domain_user-identity.yaml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
minor_changes:
|
||||||
|
- win_domain_user - Added the ``identity`` module option to explicitly set the identity of the user when searching for it - https://github.com/ansible/ansible/issues/45298
|
|
@ -78,7 +78,8 @@ $domain_password = Get-AnsibleParam -obj $params -name "domain_password" -type "
|
||||||
$domain_server = Get-AnsibleParam -obj $params -name "domain_server" -type "str"
|
$domain_server = Get-AnsibleParam -obj $params -name "domain_server" -type "str"
|
||||||
|
|
||||||
# User account parameters
|
# User account parameters
|
||||||
$username = Get-AnsibleParam -obj $params -name "name" -type "str" -failifempty $true
|
$name = Get-AnsibleParam -obj $params -name "name" -type "str" -failifempty $true
|
||||||
|
$identity = Get-AnsibleParam -obj $params -name "identity" -type "str" -default $name
|
||||||
$description = Get-AnsibleParam -obj $params -name "description" -type "str"
|
$description = Get-AnsibleParam -obj $params -name "description" -type "str"
|
||||||
$password = Get-AnsibleParam -obj $params -name "password" -type "str"
|
$password = Get-AnsibleParam -obj $params -name "password" -type "str"
|
||||||
$password_expired = Get-AnsibleParam -obj $params -name "password_expired" -type "bool"
|
$password_expired = Get-AnsibleParam -obj $params -name "password_expired" -type "bool"
|
||||||
|
@ -125,10 +126,12 @@ if ($null -ne $domain_server) {
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $identity -Properties * @extra_args
|
||||||
|
$user_guid = $user_obj.ObjectGUID
|
||||||
}
|
}
|
||||||
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
|
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
|
||||||
$user_obj = $null
|
$user_obj = $null
|
||||||
|
$user_guid = $null
|
||||||
}
|
}
|
||||||
|
|
||||||
If ($state -eq 'present') {
|
If ($state -eq 'present') {
|
||||||
|
@ -137,19 +140,24 @@ If ($state -eq 'present') {
|
||||||
|
|
||||||
# If the account does not exist, create it
|
# If the account does not exist, create it
|
||||||
If (-not $user_obj) {
|
If (-not $user_obj) {
|
||||||
|
$create_args = @{}
|
||||||
|
$create_args.Name = $name
|
||||||
If ($null -ne $path){
|
If ($null -ne $path){
|
||||||
New-ADUser -Name $username -Path $path -WhatIf:$check_mode @extra_args
|
$create_args.Path = $path
|
||||||
}
|
}
|
||||||
Else {
|
If ($null -ne $upn){
|
||||||
New-ADUser -Name $username -WhatIf:$check_mode @extra_args
|
$create_args.UserPrincipalName = $upn
|
||||||
|
$create_args.SamAccountName = $upn.Split('@')[0]
|
||||||
}
|
}
|
||||||
|
$user_obj = New-ADUser @create_args -WhatIf:$check_mode -PassThru @extra_args
|
||||||
|
$user_guid = $user_obj.ObjectGUID
|
||||||
$new_user = $true
|
$new_user = $true
|
||||||
$result.created = $true
|
$result.created = $true
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
If ($check_mode) {
|
If ($check_mode) {
|
||||||
Exit-Json $result
|
Exit-Json $result
|
||||||
}
|
}
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
}
|
}
|
||||||
|
|
||||||
If ($password) {
|
If ($password) {
|
||||||
|
@ -166,8 +174,8 @@ If ($state -eq 'present') {
|
||||||
}
|
}
|
||||||
If ($set_new_credentials) {
|
If ($set_new_credentials) {
|
||||||
$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
|
$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
|
||||||
Set-ADAccountPassword -Identity $username -Reset:$true -Confirm:$false -NewPassword $secure_password -WhatIf:$check_mode @extra_args
|
Set-ADAccountPassword -Identity $user_guid -Reset:$true -Confirm:$false -NewPassword $secure_password -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.password_updated = $true
|
$result.password_updated = $true
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
|
@ -175,40 +183,40 @@ If ($state -eq 'present') {
|
||||||
|
|
||||||
# Configure password policies
|
# Configure password policies
|
||||||
If (($null -ne $password_never_expires) -and ($password_never_expires -ne $user_obj.PasswordNeverExpires)) {
|
If (($null -ne $password_never_expires) -and ($password_never_expires -ne $user_obj.PasswordNeverExpires)) {
|
||||||
Set-ADUser -Identity $username -PasswordNeverExpires $password_never_expires -WhatIf:$check_mode @extra_args
|
Set-ADUser -Identity $user_guid -PasswordNeverExpires $password_never_expires -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
If (($null -ne $password_expired) -and ($password_expired -ne $user_obj.PasswordExpired)) {
|
If (($null -ne $password_expired) -and ($password_expired -ne $user_obj.PasswordExpired)) {
|
||||||
Set-ADUser -Identity $username -ChangePasswordAtLogon $password_expired -WhatIf:$check_mode @extra_args
|
Set-ADUser -Identity $user_guid -ChangePasswordAtLogon $password_expired -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
If (($null -ne $user_cannot_change_password) -and ($user_cannot_change_password -ne $user_obj.CannotChangePassword)) {
|
If (($null -ne $user_cannot_change_password) -and ($user_cannot_change_password -ne $user_obj.CannotChangePassword)) {
|
||||||
Set-ADUser -Identity $username -CannotChangePassword $user_cannot_change_password -WhatIf:$check_mode @extra_args
|
Set-ADUser -Identity $user_guid -CannotChangePassword $user_cannot_change_password -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
|
|
||||||
# Assign other account settings
|
# Assign other account settings
|
||||||
If (($null -ne $upn) -and ($upn -ne $user_obj.UserPrincipalName)) {
|
If (($null -ne $upn) -and ($upn -ne $user_obj.UserPrincipalName)) {
|
||||||
Set-ADUser -Identity $username -UserPrincipalName $upn -WhatIf:$check_mode @extra_args
|
Set-ADUser -Identity $user_guid -UserPrincipalName $upn -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
If (($null -ne $description) -and ($description -ne $user_obj.Description)) {
|
If (($null -ne $description) -and ($description -ne $user_obj.Description)) {
|
||||||
Set-ADUser -Identity $username -description $description -WhatIf:$check_mode @extra_args
|
Set-ADUser -Identity $user_guid -description $description -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
If ($enabled -ne $user_obj.Enabled) {
|
If ($enabled -ne $user_obj.Enabled) {
|
||||||
Set-ADUser -Identity $username -Enabled $enabled -WhatIf:$check_mode @extra_args
|
Set-ADUser -Identity $user_guid -Enabled $enabled -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
If ((-not $account_locked) -and ($user_obj.LockedOut -eq $true)) {
|
If ((-not $account_locked) -and ($user_obj.LockedOut -eq $true)) {
|
||||||
Unlock-ADAccount -Identity $username -WhatIf:$check_mode @extra_args
|
Unlock-ADAccount -Identity $user_guid -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -221,9 +229,9 @@ If ($state -eq 'present') {
|
||||||
If ($value -ne $user_obj.$key) {
|
If ($value -ne $user_obj.$key) {
|
||||||
$set_args = $extra_args.Clone()
|
$set_args = $extra_args.Clone()
|
||||||
$set_args.$key = $value
|
$set_args.$key = $value
|
||||||
Set-ADUser -Identity $username -WhatIf:$check_mode @set_args
|
Set-ADUser -Identity $user_guid -WhatIf:$check_mode @set_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -261,7 +269,7 @@ If ($state -eq 'present') {
|
||||||
try {
|
try {
|
||||||
$user_obj = $user_obj | Set-ADUser -WhatIf:$check_mode -PassThru @set_args
|
$user_obj = $user_obj | Set-ADUser -WhatIf:$check_mode -PassThru @set_args
|
||||||
} catch {
|
} catch {
|
||||||
Fail-Json $result "failed to change user $($username): $($_.Exception.Message)"
|
Fail-Json $result "failed to change user $($name): $($_.Exception.Message)"
|
||||||
}
|
}
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
|
@ -277,7 +285,7 @@ If ($state -eq 'present') {
|
||||||
}
|
}
|
||||||
|
|
||||||
$assigned_groups = @()
|
$assigned_groups = @()
|
||||||
Foreach ($group in (Get-ADPrincipalGroupMembership -Identity $username @extra_args)) {
|
Foreach ($group in (Get-ADPrincipalGroupMembership -Identity $user_guid @extra_args)) {
|
||||||
$assigned_groups += $group.DistinguishedName
|
$assigned_groups += $group.DistinguishedName
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -285,8 +293,8 @@ If ($state -eq 'present') {
|
||||||
"add" {
|
"add" {
|
||||||
Foreach ($group in $groups) {
|
Foreach ($group in $groups) {
|
||||||
If (-not ($assigned_groups -Contains $group)) {
|
If (-not ($assigned_groups -Contains $group)) {
|
||||||
Add-ADGroupMember -Identity $group -Members $username -WhatIf:$check_mode @extra_args
|
Add-ADGroupMember -Identity $group -Members $user_guid -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -294,8 +302,8 @@ If ($state -eq 'present') {
|
||||||
"remove" {
|
"remove" {
|
||||||
Foreach ($group in $groups) {
|
Foreach ($group in $groups) {
|
||||||
If ($assigned_groups -Contains $group) {
|
If ($assigned_groups -Contains $group) {
|
||||||
Remove-ADGroupMember -Identity $group -Members $username -Confirm:$false -WhatIf:$check_mode @extra_args
|
Remove-ADGroupMember -Identity $group -Members $user_guid -Confirm:$false -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -303,15 +311,15 @@ If ($state -eq 'present') {
|
||||||
"replace" {
|
"replace" {
|
||||||
Foreach ($group in $assigned_groups) {
|
Foreach ($group in $assigned_groups) {
|
||||||
If (($group -ne $user_obj.PrimaryGroup) -and -not ($groups -Contains $group)) {
|
If (($group -ne $user_obj.PrimaryGroup) -and -not ($groups -Contains $group)) {
|
||||||
Remove-ADGroupMember -Identity $group -Members $username -Confirm:$false -WhatIf:$check_mode @extra_args
|
Remove-ADGroupMember -Identity $group -Members $user_guid -Confirm:$false -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Foreach ($group in $groups) {
|
Foreach ($group in $groups) {
|
||||||
If (-not ($assigned_groups -Contains $group)) {
|
If (-not ($assigned_groups -Contains $group)) {
|
||||||
Add-ADGroupMember -Identity $group -Members $username -WhatIf:$check_mode @extra_args
|
Add-ADGroupMember -Identity $group -Members $user_guid -WhatIf:$check_mode @extra_args
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.changed = $true
|
$result.changed = $true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -331,7 +339,7 @@ If ($state -eq 'present') {
|
||||||
}
|
}
|
||||||
|
|
||||||
If ($user_obj) {
|
If ($user_obj) {
|
||||||
$user_obj = Get-ADUser -Identity $username -Properties * @extra_args
|
$user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
|
||||||
$result.name = $user_obj.Name
|
$result.name = $user_obj.Name
|
||||||
$result.firstname = $user_obj.GivenName
|
$result.firstname = $user_obj.GivenName
|
||||||
$result.surname = $user_obj.Surname
|
$result.surname = $user_obj.Surname
|
||||||
|
@ -352,16 +360,16 @@ If ($user_obj) {
|
||||||
$result.sid = [string]$user_obj.SID
|
$result.sid = [string]$user_obj.SID
|
||||||
$result.upn = $user_obj.UserPrincipalName
|
$result.upn = $user_obj.UserPrincipalName
|
||||||
$user_groups = @()
|
$user_groups = @()
|
||||||
Foreach ($group in (Get-ADPrincipalGroupMembership $username @extra_args)) {
|
Foreach ($group in (Get-ADPrincipalGroupMembership $user_guid @extra_args)) {
|
||||||
$user_groups += $group.name
|
$user_groups += $group.name
|
||||||
}
|
}
|
||||||
$result.groups = $user_groups
|
$result.groups = $user_groups
|
||||||
$result.msg = "User '$username' is present"
|
$result.msg = "User '$name' is present"
|
||||||
$result.state = "present"
|
$result.state = "present"
|
||||||
}
|
}
|
||||||
Else {
|
Else {
|
||||||
$result.name = $username
|
$result.name = $name
|
||||||
$result.msg = "User '$username' is absent"
|
$result.msg = "User '$name' is absent"
|
||||||
$result.state = "absent"
|
$result.state = "absent"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -23,6 +23,14 @@ options:
|
||||||
- Name of the user to create, remove or modify.
|
- Name of the user to create, remove or modify.
|
||||||
type: str
|
type: str
|
||||||
required: true
|
required: true
|
||||||
|
identity:
|
||||||
|
description:
|
||||||
|
- Identity parameter used to find the User in the Active Directory.
|
||||||
|
- This value can be in the forms C(Distinguished Name), C(objectGUID),
|
||||||
|
C(objectSid) or C(sAMAccountName).
|
||||||
|
- Default to C(name) if not set.
|
||||||
|
type: str
|
||||||
|
version_added: '2.10'
|
||||||
state:
|
state:
|
||||||
description:
|
description:
|
||||||
- When C(present), creates or updates the user account.
|
- When C(present), creates or updates the user account.
|
||||||
|
|
Loading…
Reference in a new issue