Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Moving computer object fails #124

Closed
jengstrom440 opened this issue Jun 11, 2024 · 6 comments · Fixed by #137
Closed

Moving computer object fails #124

jengstrom440 opened this issue Jun 11, 2024 · 6 comments · Fixed by #137

Comments

@jengstrom440
Copy link

SUMMARY

Moving a computer object does not work per documentation, ansible attempts use New-ADComputer instead of Move-ADObject.

ISSUE TYPE

Bug

COMPONENT NAME

microsoft.ad.computer

ANSIBLE VERSION

ansible [core 2.16.3]
config file = None
configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.12.3 (main, Apr 10 2024, 05:33:47) [GCC 13.2.0] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True

COLLECTION VERSION

ansible-galaxy collection list microsoft.ad

/home/ansible/.ansible/collections/ansible_collections
Collection Version
microsoft.ad 1.6.0

/usr/lib/python3/dist-packages/ansible_collections
Collection Version
microsoft.ad 1.4.1

CONFIGURATION

CONFIG_FILE() = None

OS / ENVIRONMENT

Ubuntu 24.04 Server install on VMware ESXi 8

STEPS TO REPRODUCE

I have a simple playbook to move a computer account in AD to a specified OU in the 'path'. Happens each time it is run.

- name: Move server to Domain Servers OU
  microsoft.ad.computer:
    identity: "{{ ansible_hostname }}"
    path: OU=Domain Servers,OU=Site-Location,DC=ad,DC=cityofgotham,DC=com
EXPECTED RESULTS

I expect the existing computer account to be moved and not recreated. Documentation states that:

identity: This must be specified if; name is not set, when trying to rename the object with a new name, or when trying to move the object into a different path.

  • Documentation states then when moving an object to a new path, identity must be specified. I have specified identity and is reporting computer object name correctly in error output.

path: If managing an existing object found by identity, the path of the found object will be moved to the one specified by this option. If no path is specified, the object will not be moved.

  • Documentation states that with identity, identified object will move to specified path. Proper path is visible in output.
ACTUAL RESULTS

Since it is using "New-ADComputer" in the verbose error output instead of "Move-ADObject", this will not achieve desired results. This needs to be adjusted for "Move-ADObject" instead:

1:53:18 PM
The full traceback is:
1:53:18 PM
The specified account already exists
1:53:18 PM
At line:984 char:29
1:53:18 PM
$adObject = & $newCommand @newParams @adParams
1:53:18 PM

1:53:18 PM
CategoryInfo : ResourceExists: (CN=batman,O...ofgotham,DC=com:String) [New-ADComputer]

@david-sieg
Copy link

david-sieg commented Jun 12, 2024

Hi,

we solved it with two tasks:

- name: "Search computer object in ad to fetch guid [ad_manage_computer_add]"
  microsoft.ad.object_info:
    ldap_filter: "(&(objectClass=computer)(cn={{ inventory_hostname_short }}*))"
    properties: '*'
    domain_server: ADCONTROLLER
    domain_username: ADMIN
    domain_password: PASSWORD
  delegate_to: ADCONTROLLER
  register: reg_computer_obj

- name: "Move computer object to the right Active Directory OU [ad_manage_computer_add]"
  microsoft.ad.object:
    identity: "{{ reg_computer_obj.objects.0.ObjectGUID }}"
    name: "{{ inventory_hostname_short }}"
    path: "CN=Computers,DC=domain,DC=com"
    type: computer
    domain_server: ADCONTROLLER
    domain_username: ADMIN
    domain_password: PASSWORD
    state: present
  delegate_to: ADCONTROLLER

Hope that helps...

@jengstrom440
Copy link
Author

Hi,

we solved it with two tasks:

- name: "Search computer object in ad to fetch guid [ad_manage_computer_add]"
  microsoft.ad.object_info:
    ldap_filter: "(&(objectClass=computer)(cn={{ inventory_hostname_short }}*))"
    properties: '*'
    domain_server: ADCONTROLLER
    domain_username: ADMIN
    domain_password: PASSWORD
  delegate_to: ADCONTROLLER
  register: reg_computer_obj

- name: "Move computer object to the right Active Directory OU [ad_manage_computer_add]"
  microsoft.ad.object:
    identity: "{{ reg_computer_obj.objects.0.ObjectGUID }}"
    name: "{{ inventory_hostname_short }}"
    path: "CN=Computers,DC=domain,DC=com"
    type: computer
    domain_server: ADCONTROLLER
    domain_username: ADMIN
    domain_password: PASSWORD
    state: present
  delegate_to: ADCONTROLLER

Hope that helps...

Thank you for posting this. That has got me thinking of a few ideas to test and I believe I have figured it out. Since identity is looking for a matching SamAccountName for the computer object, it must end with a $. I assumed that the code in ansible would append the $ to the end of the entry as every computer object in Active Directory must end in $ for it's SamAccountName. That appears not to be the case. After some trial and error along with the above inspiration, I have tested this solution to work. I also recommend the documentation be appended as well.

  - name: Move server to Servers OU
    microsoft.ad.object:
      identity: "{{ ansible_hostname }}$"
      name: "{{ ansible_hostname }}"
      path: OU=Domain Servers,OU=Site-Location,DC=ad,DC=cityofgotham,DC=com
      type: computer

All of these entries are needed at a minimum to get it to work. Oddly enough sometimes during my testing, it would create completely identical named computer objects that were disabled. That is less than desirable. Hopefully this will help someone.

@jborean93
Copy link
Collaborator

You are correct in that using identity will just use the filter (sAMAccountName=$identity) and not add the $ to the end. I think the logic should be amended so that for resources that are known to end with $ it should automatically added to the filter string so you don't have to.

Thanks for looking into this and providing all that great detail!

@jengstrom440
Copy link
Author

So is the thought to change that so it appends a $ to the identity to see if it finds a match? Also could add the example to the documentation afterwards? Please let me know if I can do anything else to help, thanks!

@jborean93
Copy link
Collaborator

Yea I think it makes sense that when we are dealing with an object type that is known to always end with $ it will automatically append $ if it's not already there when searching by sAMAccountName.

Documentation is also a great idea!

@jborean93
Copy link
Collaborator

I've opened #137 which adds a fallback identity check with $ for microsoft.ad.computer. It also adds the ability to create a computer account without the $ suffix alongside some more tests for these scenarios.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants