win_domain_group using AD LDS?
17 views
Skip to first unread message
Jesse Lyon
Feb 5, 2020, 9:51:14 AM2/5/20
to Ansible Project
Attempting to implement group creation/management playbooks via a jump box running AD LDS nets us the below error
The play itself isn't overly complicated... yet.
##CREATING RW GROUPS
tasks:
- name: Verify we connect for debug
win_shell: hostname
- name: H - Create the RW DL Group
win_domain_group:
state: present
domain_server: "{{ h_domain_server }}"
domain_username: "{{ h_domain_username }}"
domain_password: "{{ h_domain_password }}"
name: "{{ h_dl_prefix }}{{ dl_name }}{{suffix_RW}}"
scope: domainlocal
path: "{{ h_dl_path }}"
# description: "{{ description_rw }}"
But having ripped apart the .ps1 file and the .py file that support the module, I'm yet to identify where the heck I can list a partition.
fatal: [REDACTED]: FAILED! => {
"changed": false,
"created": false,
"msg": "failed to retrieve initial details for group REDACTED: Parameter: 'Partition' is required for this operation."
To be clear, that is definitely the entire output of errors with -vvvv, everything before the erorr is kinit authenticating.
If AD: LDS isn't applicable, that's fine, the org I'm with is trying to give us the least possible footprint to shoot ourselves in the foot with, before just giving me wide open throttle to a DC itself.
If AD: LDS isn't applicable, that's fine, the org I'm with is trying to give us the least possible footprint to shoot ourselves in the foot with, before just giving me wide open throttle to a DC itself.
halp?
Jesse Lyon
Feb 5, 2020, 11:36:27 AM2/5/20
to Ansible Project
Jesse Lyon
Feb 5, 2020, 12:32:53 PM2/5/20
to Ansible Project
From the box I've got with AD:LDS installed
PS C:\Users\jal011adm> get-adgroup -identity GDAnsible -server localhost
get-adgroup : Parameter: 'Partition' is required for this operation.
At line:1 char:1
+ get-adgroup -identity GDAnsible -server localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (GDAnsible:ADGroup) [Get-ADGroup], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
Digging further into it
For AD LDS environments, the Partition parameter must be specified except in the following two conditions:
-The cmdlet is run from an Active Directory provider drive.
-A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
Source: https://docs.microsoft.com/en-us/powershell/module/activedirectory/add-adprincipalgroupmembership?view=winserver2012-ps
Jordan Borean
Feb 5, 2020, 2:17:58 PM2/5/20
to Ansible Project
It doesn't look like the module supports LDS. You will have to edit it and create a PR that modifies it to specify the Partition value with what is required.
Reply all
Reply to author
Forward
0 new messages