microsoft.ad.object_info cant get user_cannot_change_password and password_never_expires attributes #169
Comments
The
As an example

You can see the list of flag values at https://learn.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_user_flag_enum with

To add that in as a check you could do something like:

```yaml
- name: get account information
  microsoft.ad.object_info:
    ...
    properties:
    - userAccountControl
  register: account_info

- name: verify account cannot change password and is set to not expire
  assert:
    that:
    - account_info.objects | length == 1
    - '"ADS_UF_PASSWD_CANT_CHANGE" in account_info.objects[0].userAccountControl_AnsibleFlags'
    - '"ADS_UF_DONT_EXPIRE_PASSWD" in account_info.objects[0].userAccountControl_AnsibleFlags'
```

In the future we may add a
Thanks for this useful information! On our AD server, I am able to get
Sorry I misspoke, the

```yaml
- ansible.windows.win_powershell:
    script: |
      [CmdletBinding()]
      param($Identity)

      $Ansible.Changed = $false
      Get-ADUser -Identity $Identity -Properties CannotChangePassword, PasswordNeverExpires
    parameters:
      Identity: '{{ user.distinguished_name }}'
  register: user_info

- debug:
    msg: |
      CannotChangePassword: {{ user_info.output[0].CannotChangePassword }}
      PasswordNeverExpires: {{ user_info.output[0].PasswordNeverExpires }}
```
The SDDL ACE entry for controlling

So to turn that into a check you can use regex to search for that SDDL entry which looks something like:

```yaml
- microsoft.ad.object_info:
    identity: '{{ user.distinguished_name }}'
    properties:
    - userAccountControl
    - ntSecurityDescriptor
  register: user_info

- debug:
    msg: |
      CannotChangePassword: {{ user_info.objects[0].ntSecurityDescriptor is search("\(OD;;(?:CR)?;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS\)") }}
      PasswordNeverExpires: {{ "ADS_UF_DONT_EXPIRE_PASSWD" in user_info.objects[0].userAccountControl_AnsibleFlags }}
```
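The two checks the comments above arrive at, decoding the userAccountControl bit field into ADS_UF_* flag names (the `userAccountControl_AnsibleFlags` view) and matching the object-access-denied ACE for the User-Change-Password control access right in the ntSecurityDescriptor SDDL, as an added Python example that is not part of this issue or of the microsoft.ad collection. The flag values are those of ADS_USER_FLAG_ENUM from the Microsoft documentation linked earlier in the thread; the `SAMPLE_OBJECTS` dictionaries, their SDDL strings and the `audit_account`/`audit_accounts` helpers are constructed for illustration and only mimic the shape of the `objects` list that `microsoft.ad.object_info` returns.

```python
import re

# ADS_USER_FLAG_ENUM bit values (subset relevant to account auditing).
ADS_USER_FLAGS = {
    0x00000002: "ADS_UF_ACCOUNTDISABLE",
    0x00000010: "ADS_UF_LOCKOUT",
    0x00000020: "ADS_UF_PASSWD_NOTREQD",
    0x00000040: "ADS_UF_PASSWD_CANT_CHANGE",
    0x00000200: "ADS_UF_NORMAL_ACCOUNT",
    0x00010000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x00040000: "ADS_UF_SMARTCARD_REQUIRED",
    0x00080000: "ADS_UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "ADS_UF_NOT_DELEGATED",
    0x00400000: "ADS_UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "ADS_UF_PASSWORD_EXPIRED",
}

# Deny ACE (OD = object access denied) for the User-Change-Password control
# access right granted to Principal Self (PS). This is the same pattern the
# thread's Jinja `search()` test uses; the GUID is case-insensitive in SDDL.
USER_CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
CANNOT_CHANGE_PASSWORD_ACE = re.compile(
    r"\(OD;;(?:CR)?;" + USER_CHANGE_PASSWORD_GUID + r";;PS\)", re.IGNORECASE
)


def decode_user_account_control(uac: int) -> list[str]:
    """Return the ADS_UF_* names of every bit set in a userAccountControl value."""
    return [name for bit, name in sorted(ADS_USER_FLAGS.items()) if uac & bit]


def cannot_change_password(sddl: str) -> bool:
    """True when the security descriptor denies Self the User-Change-Password right."""
    return CANNOT_CHANGE_PASSWORD_ACE.search(sddl) is not None


def audit_account(obj: dict) -> dict:
    """Derive the reporter's audit fields from one object_info-style result."""
    flags = decode_user_account_control(obj["userAccountControl"])
    return {
        "name": obj["name"],
        "enabled": "ADS_UF_ACCOUNTDISABLE" not in flags,
        "locked_out": "ADS_UF_LOCKOUT" in flags,
        "password_never_expires": "ADS_UF_DONT_EXPIRE_PASSWD" in flags,
        # Read from the ACL, not from the 0x40 bit, as the thread's follow-up does.
        "cannot_change_password": cannot_change_password(obj["ntSecurityDescriptor"]),
        "flags": flags,
    }


def audit_accounts(objects: list[dict]) -> list[dict]:
    return [audit_account(o) for o in objects]


# Constructed sample data shaped like object_info output; not real directory data.
SAMPLE_OBJECTS = [
    {
        "name": "svc-backup",
        "userAccountControl": 0x0200 | 0x10000,  # normal account, password never expires
        "ntSecurityDescriptor": (
            "O:DAG:DAD:"
            "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
            "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
            "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
        ),
    },
    {
        "name": "jdoe",
        "userAccountControl": 0x0002 | 0x0010 | 0x0200,  # disabled and locked out
        "ntSecurityDescriptor": "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    },
]


if __name__ == "__main__":
    for report in audit_accounts(SAMPLE_OBJECTS):
        print(report)
```

Feeding the JSON that `microsoft.ad.object_info` registers into `audit_accounts` gives the enabled/disabled and locked-out listing the issue asks for, while `cannot_change_password` reproduces the ACL-based check from the last comment rather than relying on the ADS_UF_PASSWD_CANT_CHANGE bit.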
SUMMARY
The module microsoft.ad.user permits setting these "security" attributes:

But there is no way to get/see this information from microsoft.ad.object_info, even with `properties: *`.

With the previous (deprecated) module it was possible, for example with:

It's important for us, as it permits making a listing of active/locked accounts.
ISSUE TYPE
COMPONENT NAME
object_info
ADDITIONAL INFORMATION
It permits improving the security of our AD, as we can have a listing of enabled/disabled accounts.