I'm encountering an issue when using the microsoft.ad.computer module in Ansible to move computer objects to a desired OU. The same task works without issue when using the community.windows.win_domain_computer module.
```yaml
- name: Move computer objects to desired OU "{{ ou }}"
  microsoft.ad.computer:
    domain_server: "{{ domain_server }}"
    domain_username: "{{ domain_server }}\\{{ domain_admin_username }}"
    domain_password: "{{ domain_admin_password }}"
    name: "{{ item | strip_fqdn }}"
    path: "{{ ou }}"
    enabled: yes
    state: present
  loop: "{{ groups[domain + '_provision_servers'] }}"
  register: move_ou
```
EXPECTED RESULTS
Expecting pre-existing computer object(s) to move OUs to what is defined in path, based on name: short computer name
ACTUAL RESULTS
Computer MYSERVER pre-exists in CN=MYSERVER,OU=Test,OU=Managed Servers,DC=mydomain,DC=lab,DC=local
Tries to issue New-ADComputer when it should be Move-ADObject, so why is the module not aware that the object exists?
I am passing in the Name of the object, so MYSERVER
I briefly looked at the source and it seems like it performs a Get-* operation and determines whether it needs to use New-AdComputer vs Move-ADComputer
Does name need to be the Distinguished Name or does the module abstract that for me?
One of the changes from the win_domain_* modules in community.windows is the way that name, identity, and path all interact together. The win_domain_* modules had a mixture of different behaviours based on how it was implemented in the module where some supported renames while others did not.
The new behaviour for all the modules in this collection is that name exclusively refers to the name of the LDAP object in the path specified. It does not look up the AD object by sAMAccountName (even though they typically are the same). So to move/rename an object you need to specify the identity option so the module knows which computer account to perform the operation on.
```yaml
- microsoft.ad.computer:
    name: ComputerName  # This corresponds to the cn LDAP attribute
    path: "{{ ou }}"
    identity: ...  # This can be the sAMAccountName, upn, sid, guid
```
By providing the identity the module knows to perform the operation on that AD object rather than trying to create a new computer account under that path.
I'll keep this issue open as I don't see this in an example for that module which it should probably contain
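As an added example (not from the issue or the collection's own docs), the original task beside the form the reply describes, with `identity` supplied so the existing account is moved instead of re-created, followed by a check on where each account ended up. It assumes the loop items are FQDNs that the user's `strip_fqdn` filter reduces to the short name, that a computer account's sAMAccountName is that short name with a trailing `$`, and that the module returns a `distinguished_name` value per result.

```yaml
# Before: name + path only. The module looks for an object called
# "{{ name }}" directly under path, finds none there, and creates one.
- name: Move computer objects (creates a duplicate, as in the issue)
  microsoft.ad.computer:
    domain_server: "{{ domain_server }}"
    domain_username: "{{ domain_server }}\\{{ domain_admin_username }}"
    domain_password: "{{ domain_admin_password }}"
    name: "{{ item | strip_fqdn }}"
    path: "{{ ou }}"
    enabled: yes
    state: present
  loop: "{{ groups[domain + '_provision_servers'] }}"

# After: identity names the existing account to act on; name and path
# then describe where that account should end up (move and/or rename).
- name: Move computer objects to the desired OU
  microsoft.ad.computer:
    domain_server: "{{ domain_server }}"
    domain_username: "{{ domain_server }}\\{{ domain_admin_username }}"
    domain_password: "{{ domain_admin_password }}"
    # Assumption: sAMAccountName of a computer account is the short
    # name plus '$'. A DN, SID or objectGUID would also work here.
    identity: "{{ item | strip_fqdn }}$"
    name: "{{ item | strip_fqdn }}"
    path: "{{ ou }}"
    enabled: yes
    state: present
  loop: "{{ groups[domain + '_provision_servers'] }}"
  register: move_ou

# Verify: each returned DN must now sit directly under the target OU
# (assumes the module returns distinguished_name for every result).
- name: Confirm each account landed in the desired OU
  ansible.builtin.assert:
    that:
      - (result.distinguished_name | lower).endswith(',' ~ (ou | lower))
    fail_msg: "{{ result.item }} is at {{ result.distinguished_name }}"
  loop: "{{ move_ou.results }}"
  loop_control:
    loop_var: result
```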
OS / ENVIRONMENT
Windows Server 2019+ environment