win_domain_user: Errors when user already exists #344

Closed
jimbo8098 opened this issue Dec 8, 2021 · 1 comment · Fixed by #345

Comments

@jimbo8098
Contributor

SUMMARY

If the user already exists and you try to create them, the ps1 errors during the New-User call on line 180:

$user_obj = New-ADUser @create_args -WhatIf:$check_mode -PassThru @extra_args

I suspect that if check_mode was enabled, no error would occur here.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.windows.win_domain_user

ANSIBLE VERSION
ansible [core 2.11.5]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jimspeir/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/dist-packages/ansible
  ansible collection location = /home/jimspeir/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Sep 28 2021, 16:10:42) [GCC 9.3.0
  jinja version = 3.0.2
  libyaml = True
COLLECTION VERSION
# /home/jimspeir/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.windows 1.8.0
                                                                                                                                                            
# /usr/local/lib/python3.8/dist-packages/ansible_collections
Collection        Version
----------------- -------
community.windows 1.6.0
CONFIGURATION
INTERPRETER_PYTHON(/etc/ansible/ansible.cfg) = auto
OS / ENVIRONMENT

Target is a Windows 2019 Standard box, source is an Ubuntu 20.04.3 box. These are on the same virtual switch.

STEPS TO REPRODUCE
- hosts: localhost
  vars:
    ad_service_accounts:
      - name: Redgate SQL Monitor
        username: sql.monitor
        description: Test
        password: testp@55word!
  tasks:
    - name: Create service users
      community.windows.win_domain_user:
        name: "{{ item.name }}"
        description: "{{ item.description }}"
        user_cannot_change_password: yes
        password_never_expires: yes
        password: "{{ item.password }}"
        path: ou=ServiceAccounts,dc=domain,dc=com
      loop: "{{ ad_service_accounts }}"
EXPECTED RESULTS

The win_domain_user task should return with an ok result suggesting that the user account already exists.

ACTUAL RESULTS
TASK [Create service users] **********************************************************************************************************************************
task path: <redacted>                                                             
Using module file /home/jimspeir/.ansible/collections/ansible_collections/community/windows/plugins/modules/win_domain_user.ps1                               
Pipelining is enabled.                                                                                                                                        
<redacted>> ESTABLISH WINRM CONNECTION FOR USER: <redacted> on PORT 5985 TO <redacted>                  
EXEC (via pipeline wrapper)                                                                                                                                   
The full traceback is:                                                                                                                                        
An attempt was made to add an object to the directory with a name that is already in use                                                                      
At line:170 char:21                                                                                                                                           
+ ... $user_obj = New-ADUser @create_args -WhatIf:$check_mode -PassThru @ex ...                                                                               
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                                   
    + CategoryInfo          : NotSpecified: (CN=Redgate SQL ...enant222,dc=com:String) [New-ADUser], ADException                                              
    + FullyQualifiedErrorId : ActiveDirectoryServer:8305,Microsoft.ActiveDirectory.Management.Commands.NewADUser                                              
                                                                                                                                                              
ScriptStackTrace:                                                                                                                                             
at <ScriptBlock>, <No file>: line 170                                                                                                                         
                                                                                                                                                              
Microsoft.ActiveDirectory.Management.ADException: An attempt was made to add an object to the directory with a name that is already in use ---> System.ServiceModel.FaultException: The supplied entry already exists.                                                                                                      
   --- End of inner exception stack trace ---                                                                                                                 
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForExtendedError(String extendedErrorMessage, Exception innerException)               
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)                                                                                                                                               
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)                
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)                                  
   at Microsoft.ActiveDirectory.Management.AdwsConnection.Create(ADAddRequest request)                                                                        
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Add(ADSessionHandle handle, ADAddRequest request)                                                                                                                                                 
   at Microsoft.ActiveDirectory.Management.ADActiveObject.Create()                                                                                            
   at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase`3.ADNewCmdletBaseProcessCSRoutine()                                                       
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()                                                                                  
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()                                                                            
failed: [<redacted>] (item={'name': 'Redgate SQL Monitor', 'username': 'sql.monitor', 'description': 'Test', 'password': 'testp@55word!'}) => {           
    "ansible_loop_var": "item",                                                                                                                               
    "changed": false,                                                                                                                                         
    "item": {                                                                                                                                                 
        "description": "Test",                                                                                                                                
        "name": "Redgate SQL Monitor",                                                                                                                        
        "password": "testp@55word!",                                                                                                                          
        "username": "sql.monitor"                                                                                                                             
    },                                                                                                                                                        
    "msg": "Unhandled exception while executing module: An attempt was made to add an object to the directory with a name that is already in use"             
} 
@jimbo8098
Contributor Author

Actually, I see the problem now. $user_obj is set to either the result of line 154:

$user_obj = Get-ADUser -Identity $identity -Properties ('*', 'msDS-PrincipalName') @extra_args

Or to $null if this command raises an ADIdentityNotFoundException. The problem, therefore, is that the $identity variable in my case is set to the name parameter, in my case Redgate SQL Monitor, as opposed to the sam_account_name parameter, which should have been sql.monitor but in the playbook I don't pass it in (!).

If I instead set the identity parameter to the sam_account_name property, then the Get-ADUser cmdlet runs as expected and returns the user properly.

Therefore, I think the best method here is to look to amend the default for the identity on line 90:

$identity = Get-AnsibleParam -obj $params -name "identity" -type "str" -default $name

Such that the default is to preferentially default to sam_account_name and, if it is not defined, use name.
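As an added illustration of the fix proposed in the comment above (this is not the module's code and not the author's patch), the identity default written as standalone PowerShell, with the lookup wrapped so a missing user yields $null while other errors still surface. Function names and the plain-hashtable parameter shape are assumptions; the module itself reads parameters through Get-AnsibleParam.

```powershell
# Added example (not from community.windows): resolve the identity used for the
# pre-create lookup, preferring sam_account_name over name as the comment proposes.
function Resolve-AdUserIdentity {
    param([hashtable]$Params)   # assumed shape: keys name, sam_account_name, identity

    # An explicit identity always wins, as in the module.
    if (-not [string]::IsNullOrEmpty($Params['identity'])) { return $Params['identity'] }

    # Get-ADUser -Identity accepts a DN, GUID, SID or sAMAccountName, not the CN /
    # display name, so defaulting to name only works when the two happen to match.
    if (-not [string]::IsNullOrEmpty($Params['sam_account_name'])) {
        return $Params['sam_account_name']
    }
    return $Params['name']
}

# Lookup-before-create: "not found" is the expected case that leads to New-ADUser;
# anything else (permissions, connectivity) is rethrown rather than swallowed.
function Find-ExistingAdUser {
    param([string]$Identity, [hashtable]$ExtraArgs = @{})
    try {
        return Get-ADUser -Identity $Identity -Properties ('*', 'msDS-PrincipalName') @ExtraArgs
    } catch {
        # Matched by type name so the script parses without the ActiveDirectory
        # module loaded; the module can catch the exception type directly.
        if ($_.Exception.GetType().Name -eq 'ADIdentityNotFoundException') { return $null }
        throw
    }
}

# Constructed parameters matching the reproduction playbook: sam_account_name absent,
# so the lookup is keyed on the display name and misses the existing sql.monitor user,
# after which New-ADUser collides with the object that is already there.
$repro = @{ name = 'Redgate SQL Monitor'; description = 'Test' }
$identity = Resolve-AdUserIdentity -Params $repro
Write-Host "Lookup identity without sam_account_name: $identity"

# Same task with sam_account_name supplied: the lookup now targets the real account.
$fixed = $repro.Clone(); $fixed['sam_account_name'] = 'sql.monitor'
$identity = Resolve-AdUserIdentity -Params $fixed
Write-Host "Lookup identity with sam_account_name:    $identity"

# Against a domain (requires the ActiveDirectory module and rights to read the OU):
# $user_obj = Find-ExistingAdUser -Identity $identity
# if ($null -eq $user_obj) { <create> } else { <update existing user> }
```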
