From eaa68489327cfacbf1d29efb363faa3ea11c0315 Mon Sep 17 00:00:00 2001
From: Brian Scholer
Date: Tue, 27 Aug 2019 18:44:45 -0400
Subject: [PATCH] Allow password to be null in Scheduled Task for gMSA (#60990)
* Allow password to be null in Scheduled Task for gMSA
* Remove test for removed password validation, linting fixes
---
 .../modules/windows/win_scheduled_task.ps1 | 3 ---
 lib/ansible/modules/windows/win_scheduled_task.py | 15 ++++++++++++---
 .../targets/win_scheduled_task/tasks/failures.yml | 8 --------
 3 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/lib/ansible/modules/windows/win_scheduled_task.ps1 b/lib/ansible/modules/windows/win_scheduled_task.ps1
index 48b65350825..ac5938d2667 100644
--- a/lib/ansible/modules/windows/win_scheduled_task.ps1
+++ b/lib/ansible/modules/windows/win_scheduled_task.ps1
@@ -686,9 +686,6 @@ if ($null -ne $username -and $null -ne $group) {
 Fail-Json -obj $result -message "username and group can not be set at the same time"
 }
 if ($null -ne $logon_type) {
- if ($logon_type -eq [TASK_LOGON_TYPE]::TASK_LOGON_PASSWORD -and $null -eq $password) {
- Fail-Json -obj $result -message "password must be set when logon_type=password"
- }
 if ($logon_type -eq [TASK_LOGON_TYPE]::TASK_LOGON_S4U -and $null -eq $password) {
 Fail-Json -obj $result -message "password must be set when logon_type=s4u"
 }
diff --git a/lib/ansible/modules/windows/win_scheduled_task.py b/lib/ansible/modules/windows/win_scheduled_task.py
index 116343b016a..58ad48ff9f9 100644
--- a/lib/ansible/modules/windows/win_scheduled_task.py
+++ b/lib/ansible/modules/windows/win_scheduled_task.py
@@ -266,9 +266,9 @@ options:
 description:
 - The password for the user account to run the scheduled task as.
 - This is required when running a task without the user being logged in,
- excluding the builtin service accounts.
+ excluding the builtin service accounts and Group Managed Service Accounts (gMSA).
 - If set, will always result in a change unless C(update_password) is set
- to C(no) and no othr changes are required for the service.
+ to C(no) and no other changes are required for the service.
 type: str
 version_added: '2.4'
 update_password:
@@ -376,7 +376,7 @@ options:
 priority:
 description:
 - The priority level (0-10) of the task.
- - When creating a new task the default if C(7).
+ - When creating a new task the default is C(7).
 - See U(https://msdn.microsoft.com/en-us/library/windows/desktop/aa383512.aspx) for details on the priority levels.
 type: int
@@ -430,6 +430,9 @@ notes:
 - The option names and structure for actions and triggers of a service follow the C(RegisteredTask) naming standard and requirements, it would be useful to read up on this guide if coming across any issues U(https://msdn.microsoft.com/en-us/library/windows/desktop/aa382542.aspx).
+- A Group Managed Service Account (gMSA) can be used by setting C(logon_type) to C(password)
+ and omitting the password parameter. For more information on gMSAs,
+ see U(https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Windows-Server-2012-Group-Managed-Service-Accounts/ba-p/255910)
 seealso:
 - module: win_scheduled_task_stat
 author:
@@ -480,6 +483,12 @@ EXAMPLES = r'''
 username: DOMAIN\User
 logon_type: s4u
+- name: Change above task to use a gMSA, where the password is managed automatically
+ win_scheduled_task:
+ name: TaskName2
+ username: DOMAIN\gMsaSvcAcct$
+ logon_type: password
+
 - name: Create task with multiple triggers
 win_scheduled_task:
 name: TriggerTask
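Review bot: The gMSA entry added under `notes:` (and the reworded `password` description in the first hunk) tells users to omit `password` with `logon_type: password`, but the documentation does not say what now happens when the password is left out for an account that is not a gMSA. This patch removes the module-side check for that combination in win_scheduled_task.ps1, so a forgotten password is presumably reported only by Windows when the task is registered, with a less specific message than before. I would add a line to the note such as `- If C(password) is omitted with C(logon_type=password) for an account that is not a gMSA, the module no longer rejects the task up front and the error comes from Windows at registration.`, and state that the target host must be permitted to retrieve the gMSA's managed password. The `notes:` list begins above this hunk, so the wording should be checked against the entries not visible here.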
diff --git a/test/integration/targets/win_scheduled_task/tasks/failures.yml b/test/integration/targets/win_scheduled_task/tasks/failures.yml
index 6ddcc8b906f..0642437436b 100644
--- a/test/integration/targets/win_scheduled_task/tasks/failures.yml
+++ b/test/integration/targets/win_scheduled_task/tasks/failures.yml
@@ -16,14 +16,6 @@
 register: fail_username_and_group
 failed_when: fail_username_and_group.msg != 'username and group can not be set at the same time'
-- name: fail logon type password but no password set
- win_scheduled_task:
- name: '{{test_scheduled_task_name}}'
- state: present
- logon_type: password
- register: fail_lt_password_not_set
- failed_when: fail_lt_password_not_set.msg != 'password must be set when logon_type=password'
-
 - name: fail logon type s4u but no password set
 win_scheduled_task:
 name: '{{test_scheduled_task_name}}'