win_domain_group_membership


Jesse Lyon

Feb 10, 2020, 12:57:36 PM
to Ansible Project
Hey Folks,

I've got a couple of specific questions about win_domain_group_membership.

I can find where support was backported to 2.8, and where it's listed as supported in 2.9 (same post: https://github.com/ansible/ansible/issues/59829).
But I can't for the life of me figure out how to convince Ansible to do the thing.

The thing being, take Group A from domain 1 and nest it within Group B from domain 2.

## CROSS DOMAIN BS.

- name: H - Nest R Global in H universal RW
  win_domain_group_membership:
    domain_server: "{{ h_domain_server }}"
    domain_username: "{{ h_domain_username }}"
    domain_password: "{{ h_domain_password }}"
    name: "{{ h_u_prefix }}{{ u_name }}{{ suffix_RW }}"
    members:
      - "{{ r_g_prefix }}{{ g_name }}{{ suffix_RW }}@domain.dev"

- name: H - Nest R Global in H universal RO
  win_domain_group_membership:
    domain_server: "{{ h_domain_server }}"
    domain_username: "{{ h_domain_username }}"
    domain_password: "{{ h_domain_password }}"
    name: "{{ h_g_prefix }}{{ g_name }}{{ suffix_RO }}"
    members:
      - "{{ r_g_prefix }}{{ g_name }}{{ suffix_RO }}@domain.dev"



Note: for members, I've tried numerous ways of indicating that the group it's to add is in another domain (domain\\group, group@domain, or just group), and all bomb out stating that it cannot be found.


fatal: [ansible01.DOMAIN.DEV]: FAILED! => {
    "added": [],
    "changed": false,
    "msg": "Could not find domain user, group, service account or computer named devdomain\\GGRFStesting123RW",
    "removed": []
}



Is there an obvious mistake I'm making?
I'm using ansible 2.9.2 currently.

Jordan Borean

Feb 10, 2020, 2:03:12 PM
to Ansible Project
Looks like I jumped the gun with closing that issue; the backported issue referenced is for a separate problem. Actual cross-domain support for groups is still not in the module. There is a PR which you can try out, https://github.com/ansible/ansible/pull/65138, and comment on if it solves your issue.
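
What the module would have to do for the cross-domain nesting described in the first post, written out as an added PowerShell example (this is not the module's code, not the linked PR, and not from anyone in the thread): resolve each group against a domain controller in its own domain, check the AD group-scope rules before writing, and hand the target DC the resolved object rather than a `domain\name` or `name@domain` string it cannot look up. Server names, group names, and the `Add-CrossDomainGroupMember` function itself are placeholders chosen for this example; the credential objects are assumed to be supplied from a secret store (Vault-managed variables when driven from a playbook) and are never written into the script.

```powershell
# Added example (not from the thread, the module, or the PR): nest a group from one
# domain into a group in another domain with the ActiveDirectory module. Names are
# placeholders; credentials are expected to come from a secret store.
#Requires -Modules ActiveDirectory

function Add-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $TargetServer,      # DC in the domain that owns the parent group
        [Parameter(Mandatory)] [string]       $TargetGroup,       # sAMAccountName of the parent group
        [Parameter(Mandatory)] [PSCredential] $TargetCredential,  # account with write-member rights on the parent
        [Parameter(Mandatory)] [string]       $MemberServer,      # DC in the domain that owns the member group
        [Parameter(Mandatory)] [string]       $MemberGroup,       # sAMAccountName of the member group
        [Parameter(Mandatory)] [PSCredential] $MemberCredential   # account that can read the member group
    )

    # Resolve each group in its *own* domain. Asking the target DC for a bare
    # 'domain\name' or 'name@domain' string it does not hold is what produces
    # "Could not find domain user, group, service account or computer named ...".
    $target = Get-ADGroup -Identity $TargetGroup -Server $TargetServer `
                          -Credential $TargetCredential -Properties member
    $member = Get-ADGroup -Identity $MemberGroup -Server $MemberServer `
                          -Credential $MemberCredential

    # Domain component of a DN, e.g. 'DC=r,DC=domain,DC=dev'
    $domainOf   = { param($dn) [regex]::Match($dn, '(?i)(DC=.+)$').Groups[1].Value }
    $sameDomain = (& $domainOf $target.DistinguishedName) -eq (& $domainOf $member.DistinguishedName)

    # AD scope rules: Global groups only take members from their own domain;
    # Universal groups may not contain Domain Local groups; Domain Local groups
    # may contain Domain Local groups only from their own domain. Fail before the
    # write so a scope mistake does not surface as an opaque ADException.
    switch ($target.GroupScope) {
        'Global' {
            if (-not $sameDomain) {
                throw "Global group '$TargetGroup' can only contain members from its own domain."
            }
        }
        'Universal' {
            if ($member.GroupScope -eq 'DomainLocal') {
                throw "Universal group '$TargetGroup' cannot contain domain local group '$MemberGroup'."
            }
        }
        'DomainLocal' {
            if ($member.GroupScope -eq 'DomainLocal' -and -not $sameDomain) {
                throw "Domain local group '$TargetGroup' can only contain domain local groups from its own domain."
            }
        }
    }

    # Idempotency: membership is stored as DNs in the 'member' attribute.
    if ($target.member -contains $member.DistinguishedName) {
        Write-Verbose "'$MemberGroup' is already a member of '$TargetGroup'; nothing to do."
        return $false
    }

    if ($PSCmdlet.ShouldProcess("$TargetGroup on $TargetServer", "Add member $($member.DistinguishedName)")) {
        # Pass the resolved ADGroup object, not a string, so the target DC is given
        # a DN it can chase across the trust instead of a name it cannot resolve.
        Add-ADGroupMember -Identity $target -Members $member `
                          -Server $TargetServer -Credential $TargetCredential
    }
    return $true
}

# Example invocation (placeholder DCs and group names). Prompting is used here so
# no secret lands in the script; a playbook would pass Vault-managed variables instead.
$hCred = Get-Credential -Message 'Account with rights on the H (target) group'
$rCred = Get-Credential -Message 'Account that can read the R (member) group'
Add-CrossDomainGroupMember -TargetServer 'hdc01.h.domain.dev' -TargetGroup 'HU-testing123-RW' -TargetCredential $hCred `
                           -MemberServer 'rdc01.r.domain.dev' -MemberGroup 'GGRFStesting123RW' -MemberCredential $rCred `
                           -Verbose
```

Run it with `-WhatIf` first to see the scope check and the intended write without touching the directory. The function returns `$true` when it added the member and `$false` when the nesting was already in place, which maps directly onto a `changed` result if you later wrap it in `win_shell` while waiting on the module.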

Jesse Lyon

Feb 10, 2020, 4:22:50 PM
to Ansible Project
My bad on linking to the wrong issue :)

I've pulled it down and am giving it a shot now; I'll have results and comment on the PR if successful... so far I'm fighting the woes of a stripped-down dev domain.

Thanks again Jordan.

Jesse Lyon

Feb 10, 2020, 4:28:05 PM
to Ansible Project
The full traceback is:
Could not add member(s) to one or more ADGroup.
At line:82 char:9
+         Add-ADPrincipalGroupMembership -Identity $group_member -Membe ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Microsoft.Activ...ement.ADGroup[]:ADGroup[]) [Add-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : 1,Microsoft.ActiveDirectory.Management.Commands.AddADPrincipalGroupMembership

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 82

Microsoft.ActiveDirectory.Management.ADException: Could not add member(s) to one or more ADGroup.
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
fatal: [ansible01.domain.DEV]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: Could not add member(s) to one or more ADGroup."
}

Jesse Lyon

Feb 11, 2020, 12:50:51 PM
to Ansible Project
I fixed it from the above error, PEBKAC.
Updated the PR :)