Ansible Windows: Add account to group administrators FR/US

fanchf...@gmail.com

Jul 10, 2017, 11:46:52 AM
to Ansible Project, francois....@soprasteria.com
Hello,

I'm starting with Ansible. I would like to know how to test, in a playbook, whether the Windows computer is in the FR or US version. Following the test, I would add user accounts to the local "Administrators" or "Administrateurs" group.

By default:

- name: Add a user
  hosts: windows_tst
  gather_facts: false
  tasks:
    - name: Add User
      win_user:
        name: admintest
        password: "mypassword"
        state: present
        groups: Administrators

But if I am on a computer in French, the group Administrators does not exist.

How can I solve this problem?

Thank you in advance for your assistance.
Regards

Jordan Borean

Jul 10, 2017, 4:41:57 PM
to Ansible Project, francois....@soprasteria.com
Hey

One thing you can do is use the win_region module https://docs.ansible.com/ansible/win_region_module.html to change the region of your hosts to a common value. If this isn't what you can do, you can also run an adhoc command to determine the group name based on the SID. Give the below tasks a shot and see if it returns what you are looking for.

- name: get group name from sid
  win_command: powershell.exe "((New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')).Translate([System.Security.Principal.NTAccount]).Value -split '\\')[1]"
  register: admin_group 
- debug:
    var: admin_group.stdout_lines[0]

It looks up the group name based on the SID 'S-1-5-32-544' which is the default SID for the local administrators group and should be consistent across all Windows OS'.

Thanks

Jordan
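
The SID lookup from the reply above, wired into the original `win_user` task, as an added example that is not part of either poster's messages. The `admintest_password` variable is an assumption (for instance a value kept in Ansible Vault instead of the plain-text password in the playbook).

```yaml
# Added example, not from the original posts.
- name: Add a local administrator on FR or US Windows hosts
  hosts: windows_tst
  gather_facts: false
  tasks:
    # Same command as in the reply above: translate the well-known SID
    # S-1-5-32-544 into the localized group name.
    - name: Get local administrators group name from SID
      win_command: powershell.exe "((New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')).Translate([System.Security.Principal.NTAccount]).Value -split '\\')[1]"
      register: admin_group
      changed_when: false   # read-only lookup, never report a change

    # Stop before touching accounts if the lookup returned nothing.
    - name: Check that a group name was returned
      assert:
        that:
          - admin_group.stdout_lines | length > 0
          - admin_group.stdout_lines[0] | trim | length > 0

    - name: Add user to the resolved group
      win_user:
        name: admintest
        # Assumption: admintest_password is defined elsewhere (e.g. a vaulted vars file).
        password: "{{ admintest_password }}"
        state: present
        groups:
          - "{{ admin_group.stdout_lines[0] | trim }}"
        groups_action: add   # keep any existing memberships
      no_log: true           # keep the password out of task output and logs
```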

fanchf...@gmail.com

Jul 11, 2017, 10:09:22 AM
to Ansible Project, francois....@soprasteria.com
Hello Jordan,

Thank you very much. I had the same reasoning with a custom script.
Yesterday, I created a specific script to check the groups.

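function Get-AdministratorsGroupName {

    # Candidate group names to try, in order
    $LocalGroup = @('Administrators', 'Administrateurs', 'Domain Admins')

    foreach ($Group in $LocalGroup){
        Try{
            # Return the first name that resolves to a group with members
            if(([adsi]"WinNT://./$Group,group").psbase.Invoke('Members')){
                return $Group
            }
        } catch {}   # Group does not exist under this name; try the next one
    }
}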

Get-AdministratorsGroupName


Regards