fix for #316

changelogs/fragments/330_win_domain_user.yml

@@ -0,0 +1,4 @@
+---
+bugfixes:
+  - win_domain_user - Module now reports user created and changed properly - https://github.com/ansible-collections/community.windows/issues/316
+  - win_domain_user - Module now properly captures and reports bad password - https://github.com/ansible-collections/community.windows/issues/316

plugins/modules/win_domain_user.ps1

@@ -38,7 +38,8 @@ Function Test-Credential {
         $failed_codes = @(
             0x0000052E, # ERROR_LOGON_FAILURE
             0x00000532, # ERROR_PASSWORD_EXPIRED
-            0x00000773  # ERROR_PASSWORD_MUST_CHANGE
+            0x00000773, # ERROR_PASSWORD_MUST_CHANGE
+            0x00000533  # ERROR_ACCOUNT_DISABLED
         )
 
         if ($_.Exception.NativeErrorCode -in $failed_codes) {
@@ -210,7 +211,12 @@ If ($state -eq 'present') {
         }
         If ($set_new_credentials) {
             $secure_password = ConvertTo-SecureString $password -AsPlainText -Force
-            Set-ADAccountPassword -Identity $user_guid -Reset:$true -Confirm:$false -NewPassword $secure_password -WhatIf:$check_mode @extra_args
+            try {
+                Set-ADAccountPassword -Identity $user_guid -Reset:$true -Confirm:$false -NewPassword $secure_password -WhatIf:$check_mode @extra_args
+            }
+            catch {
+                Fail-Json $result "Failed to set password on account: $($_.Exception.Message)"
+            }
             $user_obj = Get-ADUser -Identity $user_guid -Properties * @extra_args
             $result.password_updated = $true
             $result.changed = $true

tests/integration/targets/win_domain_user/aliases

@@ -0,0 +1,2 @@
+shippable/windows/group2
+skip/windows/2012

tests/integration/targets/win_domain_user/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - setup_domain_tests

tests/integration/targets/win_domain_user/tasks/check_mode_test.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Create Jane(check_mode)
+  community.windows.win_domain_user:
+    name: Jane
+    password: J@n3P4ssw0rd#
+    state: present
+    update_password: on_create
+    account_locked: false
+    password_never_expires: false
+    enabled: true
+  register: new_user_check_mode
+  failed_when:
+    - not new_user_check_mode.changed
+    - not new_user_check_mode.created
+  check_mode: true
+
+- name: Sanity check on Check Mode
+  win_shell: |
+    Get-AdUser -Identity Jane
+  register: sanity_check
+  failed_when: "'NotFound' not in sanity_check.stderr"
+  changed_when: false

tests/integration/targets/win_domain_user/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Run Tests
+  import_tasks: tests.yml
+
+- name: Run Check Mode Tests
+  import_tasks: check_mode_test.yml

tests/integration/targets/win_domain_user/tasks/tests.yml

@@ -0,0 +1,121 @@
+---
+- name: Create Jane
+  community.windows.win_domain_user:
+    name: Jane
+    password: J@n3P4ssw0rd#
+    state: present
+    update_password: on_create
+    account_locked: false
+    password_never_expires: false
+    enabled: true
+  register: new_user_test
+  failed_when: new_user_test is not success
+
+- name: Create Jane (idempotence check)
+  community.windows.win_domain_user:
+    name: Jane
+    password: J@n3P4ssw0rd#
+    state: present
+    update_password: on_create
+    account_locked: false
+    password_never_expires: false
+    enabled: true
+  register: new_user_test_idempotent
+  failed_when: new_user_test_idempotent is changed
+
+- name: Create Jane update password
+  community.windows.win_domain_user:
+    name: Jane
+    password: J@n3P4ssw0rd#
+    state: present
+    update_password: always
+    account_locked: false
+    password_never_expires: false
+    enabled: true
+  register: password_changed
+  failed_when: not password_changed.changed
+
+- name: Create user with invalid password
+  community.windows.win_domain_user:
+    name: bob
+    upn: [email protected]
+    firstname: Bob
+    surname: Smith
+    company: BobCo
+    password: 123
+    state: present
+    groups:
+      - Domain Admins
+    street: 123 4th St.
+    city: Sometown
+    state_province: IN
+    postal_code: 12345
+    country: US
+    attributes:
+      telephoneNumber: 555-123456
+    update_password: when_changed
+    password_never_expires: true
+  register: bad_password_test
+  failed_when: bad_password_test is success
+
+- name: Create user again with valid password
+  community.windows.win_domain_user:
+    name: bob
+    upn: [email protected]
+    firstname: Bob
+    surname: Smith
+    company: BobCo
+    password: B0bP4ssw0rd
+    state: present
+    groups:
+      - Domain Admins
+    street: 123 4th St.
+    city: Sometown
+    state_province: IN
+    postal_code: 12345
+    country: US
+    attributes:
+      telephoneNumber: 555-123456
+    update_password: when_changed
+    password_never_expires: true
+  register: good_password_test
+  failed_when: good_password_test is not success
+
+- name: Remove bob
+  community.windows.win_domain_user:
+    name: bob
+    state: absent
+  register: user_removed
+  failed_when: not user_removed.changed
+
+- name: Remove bob (idempotence check)
+  community.windows.win_domain_user:
+    name: bob
+    state: absent
+  register: user_removed_idempotent
+  failed_when: user_removed_idempotent.changed
+
+- name: Remove Jane
+  community.windows.win_domain_user:
+    name: Jane
+    state: absent
+
+- name: Assertions
+  assert:
+    that:
+      - new_user_test.changed
+      - new_user_test.created
+      - not new_user_test.password_never_expires
+      - not new_user_test_idempotent.changed
+      - new_user_test_idempotent.distinguished_name == "CN=Jane,CN=Users,DC=ansible,DC=test"
+      - password_changed.changed
+      - password_changed.password_updated
+      - bad_password_test.changed
+      - bad_password_test.created
+      - good_password_test.changed
+      - good_password_test.upn == "[email protected]"
+      - good_password_test.password_never_expires
+      - good_password_test.company == "BobCo"
+      - not good_password_test.created
+      - good_password_test.password_updated
+      - user_removed.state == "absent"