account_locked (boolean)
    no will unlock the user account if locked.
    Note that there is not a way to lock an account as an administrator.
    Accounts are locked due to user actions; as an admin, you may only unlock a locked account.
    If you wish to administratively disable an account, set enabled to no.

attributes (dictionary)
    The attributes to either add, remove, or set on the AD object.
    The value of each attribute option should be a dictionary where the key is the LDAP attribute, e.g. firstName, comment, and the value is the value, or list of values, to set for that attribute.
    The attribute value(s) can either be the raw string, integer, or bool value to add, remove, or set on the attribute in question.
    The value can also be a dictionary with the type key set to bytes, date_time, security_descriptor, or raw and the value for this entry under the value key.
    The bytes type has a value that is a base64 encoded string of the raw bytes to set.
    The date_time type has a value that is the ISO 8601 DateTime string of the DateTime to set. The DateTime will be set as the Microsoft FILETIME integer value, which is the number of 100-nanosecond intervals since 1601-01-01 in UTC.
    The security_descriptor type has a value that is the Security Descriptor SDDL string used for the nTSecurityDescriptor attribute.
    The raw type is the int, string, or boolean value to set.
    String attribute values are compared using a case sensitive match on the AD object being managed.
    See LDAP attributes help for more information.
    Default: {}

    add (dictionary)
        A dictionary of all the attributes and their value(s) to add to the AD object being managed if they are not already present.
        This is used for attributes that can contain multiple values; if the attribute only allows a single value, use set instead.
        Default: {}

    remove (dictionary)
        A dictionary of all the attributes and their value(s) to remove from the AD object being managed if they are present.
        This is used for attributes that can contain multiple values; if the attribute only allows a single value, use set instead.
        Default: {}

    set (dictionary)
        A dictionary of all attributes and their value(s) to set on the AD object being managed.
        This will replace any existing values if they do not match the ones being requested.
        The order of attribute values is not checked, only that the values requested are the only values on the object attribute.
        Set this to null or an empty list to clear any values for the attribute.
        Default: {}
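The typed attribute values and the add/remove/set subkeys described above, as an added example task that is not part of the module documentation; the account name, OU, attribute names and values are assumed.

```yaml
# Added example (not from the module documentation). Names, OU and values are assumed.
- name: Manage a service account with typed LDAP attribute values
  microsoft.ad.user:
    name: svc-backup
    path: OU=Service Accounts,DC=example,DC=com
    attributes:
      # set: the object ends up with exactly these values for each listed attribute
      set:
        comment: Managed by Ansible
        # FILETIME attribute: the ISO 8601 string is stored as 100ns ticks since 1601-01-01 UTC
        accountExpires:
          type: date_time
          value: "2026-01-01T00:00:00Z"
        # raw: plain int/string/bool; 24 = AES128 + AES256 only (assumed hardening policy)
        msDS-SupportedEncryptionTypes:
          type: raw
          value: 24
        # null clears every value currently held by the attribute
        info: null
      # add: appends to a multi-valued attribute, existing values are left alone
      add:
        otherMailbox:
          - backup-alerts@example.com
      # remove: drops only the listed values if they are present
      remove:
        otherTelephone:
          - "+1 555 0100"
```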

city (string)
    Configures the user’s city.
    This is the value set on the l LDAP attribute.

company (string)
    Configures the user’s company name.
    This is the value set on the company LDAP attribute.

country (string)
    Configures the user’s country code.
    Note that this is a two-character ISO 3166 code.
    This is the value set on the c LDAP attribute.

delegates (dictionary)
    aliases: principals_allowed_to_delegate
    The principal objects that the current AD object can trust for delegation to either add, remove or set.
    Each subkey value is a list of values in the form of a distinguishedName, objectGUID, objectSid, sAMAccountName, or userPrincipalName string or a dictionary with the name and optional server key.
    This is the value set on the msDS-AllowedToActOnBehalfOfOtherIdentity LDAP attribute.
    This is a highly sensitive attribute as it allows the principals specified to impersonate any account when authenticating with the AD computer object being managed.
    To clear all principals, use set with an empty list.
    See DN Lookup Attributes for more information on how DN lookups work.
    See Setting list option values for more information on how to add/remove/set list options.

    add (list / elements=any)
        Adds the principals specified as principals allowed to delegate to.
        Any existing principals not specified by add will be untouched unless specified by remove or not in set.

    lookup_failure_action (string)
        Controls the action to take when the lookup fails to find the DN.
        fail will cause the task to fail.
        ignore will ignore the value and continue.
        warn will ignore the value and display a warning.
        Choices:
            "fail" ← (default)
            "ignore"
            "warn"

    remove (list / elements=any)
        Removes the principals specified as principals allowed to delegate to.
        Any existing principals not specified by remove will be untouched unless set is defined.

    set (list / elements=any)
        Sets the principals specified as principals allowed to delegate to.
        This will remove any existing principals if not specified in this list.
        Specify an empty list to remove all principals allowed to delegate.

description (string)
    The description of the AD object to set.
    This is the value set on the description LDAP attribute.

display_name (string)
    The display name of the AD object to set.
    This is the value of the displayName LDAP attribute.

domain_credentials (list / elements=dictionary)
    Specifies the credentials that should be used when using the server specified by name.
    To specify credentials for the default domain server, use an entry without the name key or use the domain_username and domain_password options.
    This can be set under the play’s module defaults under the group/microsoft.ad.domain group.
    See AD authentication in modules for more information.
    Default: []

    name (string)
        The name of the server these credentials are for.
        This value should correspond to the value used in other options that specify a custom server to use, for example an option that references an AD identity located on a different AD server.
        This key can be omitted in one entry to specify the default credentials to use when a server is not specified, instead of using domain_username and domain_password.

    password (string / required)
        The password to use when connecting to the server specified by name.

    username (string / required)
        The username to use when connecting to the server specified by name.

domain_password (string)
    The password for domain_username.
    The domain_credentials sub entry without a name key can also be used to specify the credentials for the default domain authentication.
    This can be set under the play’s module defaults under the group/microsoft.ad.domain group.

domain_server (string)
    Specifies the Active Directory Domain Services instance to connect to.
    Can be in the form of an FQDN or NetBIOS name.
    If not specified then the value is based on the default domain of the computer running PowerShell.
    Custom credentials can be specified under a domain_credentials entry without a name key or through domain_username and domain_password.
    This can be set under the play’s module defaults under the group/microsoft.ad.domain group.

domain_username (string)
    The username to use when interacting with AD.
    If this is not set then the user that is used for authentication will be the connection user.
    Ansible will be unable to use the connection user unless auth is Kerberos with credential delegation or CredSSP, or become is used on the task.
    The domain_credentials sub entry without a name key can also be used to specify the credentials for the default domain authentication.
    This can be set under the play’s module defaults under the group/microsoft.ad.domain group.

email (string)
    Configures the user’s email address.
    This is a record in AD and does not do anything to configure any email servers or systems.
    This is the value set on the mail LDAP attribute.

enabled (boolean)
    yes will enable the user account.
    no will disable the account.
    The default when creating a new user is yes if password is specified. If no password is specified then the user will not be enabled.

firstname (string)
    Configures the user’s first name (given name).
    This is the value set on the givenName LDAP attribute.

groups (dictionary)
    Specifies the group membership the user is added, removed, or set to.
    To clear all group memberships, use set with an empty list.
    Note that users cannot be removed from their principal group (for example, “Domain Users”). Attempting to do so will display a warning.
    Adding and removing a user from a group is done on the group AD object. If the group is an object in a different domain, then it may require explicit server and domain_credentials for it to work.
    Each subkey value is a list of group objects to add, remove or set as the membership of this AD user respectively. A group can be in the form of a distinguishedName, objectGUID, objectSid, sAMAccountName, or userPrincipalName string or a dictionary with the name and optional server key.
    See DN Lookup Attributes for more information on how DN lookups work.
    See Setting list option values for more information on how to add/remove/set list options.

    add (list / elements=any)
        The groups to add the user to.

    lookup_failure_action (string)
        aliases: missing_behaviour
        Controls what happens when a group specified by groups is an invalid group name.
        fail is the default and will return an error if any groups do not exist.
        ignore will ignore any groups that do not exist.
        warn will display a warning for any groups that do not exist but will continue without failing.
        Choices:
            "fail" ← (default)
            "ignore"
            "warn"

    remove (list / elements=any)
        The groups to remove the user from.

    set (list / elements=any)
        The only groups the user is a member of.
        This will clear out any existing groups if not in the specified list.
        Set to an empty list to clear all group membership of the user.
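An added example (not from the module documentation) of the groups subkeys together with lookup_failure_action and a group looked up on another domain's server; the account, group names, domain and variable names are assumed. The same add/remove/set list semantics apply to the spn and delegates options.

```yaml
# Added example (not from the module documentation). Account, groups, domain and variables are assumed.
- name: Adjust membership without disturbing groups the task does not mention
  microsoft.ad.user:
    identity: jsmith
    groups:
      add:
        - Finance Users                   # looked up on the default domain server
        - name: VPN Users
          server: child.example.com       # group object lives in another domain
      remove:
        - Legacy Print Operators
      # a group that cannot be found is reported as a warning instead of failing the task
      lookup_failure_action: warn
    # credentials used for the lookup and membership change on child.example.com
    domain_credentials:
      - name: child.example.com
        username: "{{ child_domain_user }}"
        password: "{{ child_domain_password }}"

# set is exclusive: any group not listed is removed (the primary group stays, with a warning)
- name: Pin a shared mailbox account to exactly one group
  microsoft.ad.user:
    identity: svc-mailbox
    groups:
      set:
        - Mailbox Service Accounts
```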

identity (string)
    The identity of the AD object used to find the AD object to manage.
    This must be specified if name is not set, when trying to rename the object with a new name, or when trying to move the object into a different path.
    The identity can be in the form of a GUID representing the objectGUID value, the userPrincipalName, sAMAccountName, objectSid, or distinguishedName.
    If omitted, the AD object to manage is selected by the distinguishedName using the format CN={{ name }},{{ path }}. If path is not defined, the defaultNamingContext is used instead.

name (string)
    The name of the AD object to manage; this is not the sAMAccountName of the object but the LDAP cn or name entry of the object in the path specified. Use identity to select an object to manage by its sAMAccountName.
    If identity is specified, and the name of the object found by that identity does not match this value, the object will be renamed.
    This must be specified if identity is not set.

password (string)
    Optionally set the user’s password to this (plain text) value.
    To enable an account (enabled), a password must already be configured on the account, or you must provide a password here.
    Use the update_password option to control how a password is checked for idempotency.

password_expired (boolean)
    yes will require the user to change their password at next login.
    no will clear the expired password flag.
    This is mutually exclusive with password_never_expires.

password_never_expires (boolean)
    yes will set the password to never expire.
    no will allow the password to expire.
    This is mutually exclusive with password_expired.

path (string)
    The path of the OU or the container in which the object should exist.
    If creating a new object, the new object will be created at the path specified. If no path is specified then the defaultNamingContext of the domain will be used as the path for most object types.
    If managing an existing object found by identity, the found object will be moved to the path specified by this option. If no path is specified, the object will not be moved.
    The modules microsoft.ad.computer, microsoft.ad.user, and microsoft.ad.group have their own default path that is configured on the Active Directory domain controller.
    This can be set to the literal value microsoft.ad.default_path which will equal the default value used when creating a new object.
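How identity, name and path interact when an object is created, renamed and moved, as an added example that is not part of the module documentation; the names, OUs and UPN are assumed.

```yaml
# Added example (not from the module documentation). Names, OUs and the UPN are assumed.
# 1. No identity: the object is located by the DN CN={{ name }},{{ path }} and created there if missing.
- name: Create an account in a specific OU
  microsoft.ad.user:
    name: Jane Smith
    sam_account_name: jsmith
    upn: jsmith@example.com
    path: OU=Contractors,DC=example,DC=com

# 2. identity finds the existing object by sAMAccountName; because name and path differ
#    from what was found, the cn is renamed and the object is moved. sAMAccountName stays jsmith.
- name: Rename and move the account after conversion to staff
  microsoft.ad.user:
    identity: jsmith
    name: Jane Smith-Jones
    path: OU=Staff,DC=example,DC=com

# 3. microsoft.ad.default_path resolves to the default user container configured on the DC.
#    No password is given, so the new account is created disabled (see enabled).
- name: Create an account in the domain default users container
  microsoft.ad.user:
    name: Temp Auditor
    path: microsoft.ad.default_path
```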

postal_code (string)
    Configures the user’s postal code / zip code.
    This is the value set on the postalcode LDAP attribute.

protect_from_deletion (boolean)
    Marks the object as protected from accidental deletion.
    This applies a deny access right on deleting the object, and the protection needs to be removed before the object can be deleted through the GUI or any other tool outside Ansible.
    Using state=absent will still delete the AD object even if it is marked as protected from deletion.

sam_account_name (string)
    The sAMAccountName value to set for the user.
    If omitted, the name value is used when creating a new user.

spn (dictionary)
    aliases: spns
    Specifies the service principal name(s) for the account to add, remove or set.
    This is the value set on the servicePrincipalName LDAP attribute.
    To clear all service principal names, use set with an empty list.
    See Setting list option values for more information on how to add/remove/set list options.

    add (list / elements=string)
        The SPNs to add to servicePrincipalName.

    remove (list / elements=string)
        The SPNs to remove from servicePrincipalName.

    set (list / elements=string)
        The SPNs to set as the only values in servicePrincipalName.
        This will clear out any existing SPNs if not in the specified list.
        Set to an empty list to clear all SPNs on the AD object.

state (string)
    Set to present to ensure the AD object exists.
    Set to absent to remove the AD object if it exists.
    The option name must be set when state=present.
    Using absent will recursively remove the AD object and any child objects if it’s a container. It will also remove the AD object even if the object is marked as protected from accidental deletion.
    Choices:
        "absent"
        "present" ← (default)

state_province (string)
    Configures the user’s state.
    This is the value set on the state LDAP attribute.

street (string)
    Configures the user’s street address.
    This is the value set on the streetaddress LDAP attribute.

surname (string)
    aliases: lastname
    Configures the user’s last name (surname).
    This is the value set on the sn LDAP attribute.

update_password (string)
    always will always update passwords.
    on_create will only set the password for newly created users.
    when_changed will only set the password when changed.
    Using when_changed will not work if the account is not enabled or is expired.
    Choices:
        "always" ← (default)
        "on_create"
        "when_changed"
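The three update_password modes together with the password, enabled and expiry options, as an added example that is not part of the module documentation; the account names and variable names are assumed.

```yaml
# Added example (not from the module documentation). Account names and variables are assumed.
- name: Create a user whose initial password is set only on creation
  microsoft.ad.user:
    name: jdoe
    password: "{{ initial_password }}"
    update_password: on_create     # later runs do not overwrite a password the user has changed
    password_expired: true         # force a change at first logon
    # enabled is not set: it defaults to yes here because a password is supplied

- name: Rotate a service account password only when the stored one differs
  microsoft.ad.user:
    identity: svc-backup
    password: "{{ svc_backup_password }}"
    update_password: when_changed  # the comparison needs the account enabled and not expired
    enabled: true
    password_never_expires: true   # cannot be combined with password_expired

- name: Force-set a password regardless of the current value (the default mode)
  microsoft.ad.user:
    identity: breakglass
    password: "{{ breakglass_password }}"
    update_password: always
    user_cannot_change_password: true
```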

upn (string)
    Configures the User Principal Name (UPN) for the account.
    This is not required, but is best practice to configure for modern versions of Active Directory.
    The format is <username>@<domain>.
    This is the value set on the userPrincipalName LDAP attribute.

user_cannot_change_password (boolean)
    yes will prevent the user from changing their password.
    no will allow the user to change their password.