Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

win_user groups list should accept SIDs #153

Closed
jantari opened this issue Dec 9, 2020 · 1 comment · Fixed by #191
Closed

win_user groups list should accept SIDs #153

jantari opened this issue Dec 9, 2020 · 1 comment · Fixed by #191

Comments

@jantari
Copy link

jantari commented Dec 9, 2020
edited
Loading

SUMMARY

When running a win_user task and specifying groups, it is currently very cumbersome to deal with Windows' internationalized group names because groups does not accept SIDs (or well, treats them as group names and fails to match them)

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

ansible.windows.win_user

ADDITIONAL INFORMATION
  • How the feature will be solved: I will submit a PR with a proposed solution for discussion
  • Why it is needed: So the win_user module can reliably create users with group assignments on Windows systems
  • What would it solve: It would solve the problem that currently any and all playbooks or roles utilizing win_user with groups are either only compatible with one OS language or use lengthy win_shell tasks with register each time to determine the proper localized group name from an SID first

What you have to do now:

- name: Get name of S-1-5-32-545 group
  win_shell: |
    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-545'
    $GroupSIDBinary = New-Object byte[] -ArgumentList $sid.BinaryLength
    $sid.GetBinaryForm($GroupSIDBinary, 0)

    $ADSI = [ADSI]"WinNT://$env:COMPUTERNAME"
    $ADSI.Children |
      Where SchemaClassName -eq 'Group' |
      Where { ($_.objectSid | Foreach-Object { [System.Linq.Enumerable]::SequenceEqual([byte[]]$GroupSIDBinary, [byte[]]$_) }) -contains $true } |
      Select -ExpandProperty Name
  register: usersgroup
  changed_when: false

- debug:
    var: usersgroup

- name: Create test user
  win_user:
    name: testy
    fullname: testy
    description: testy
    password_expired: no
    password_never_expires: yes
    user_cannot_change_password: yes
    state: present
    groups:
      - "{{ usersgroup.stdout }}"

What I would like to be able to do instead:

- name: Create test user
  win_user:
    name: testy
    fullname: testy
    description: testy
    password_expired: no
    password_never_expires: yes
    user_cannot_change_password: yes
    state: present
    groups:
      - S-1-5-32-545

PR with proposed fix: #154
jantari added a commit to jantari/ansible.windows that referenced this issue Dec 9, 2020
@jantari
Get-AnsibleLocalGroup can take SIDs (Fix ansible-collections#153)
642e31c 
First implementation: intent was to be fully backwards compatible with the previous behavior - but some may consider it a bit ugly
@jantari jantari mentioned this issue Dec 9, 2020
Closed
@darthwalsh darthwalsh mentioned this issue Jan 5, 2021
Closed
@panki27
Copy link

panki27 commented Feb 4, 2021

Great workaround resolving the SID to a groupname - can't wait for this to be implemented. Thanks!

@jborean93 jborean93 mentioned this issue Mar 8, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@panki27 @jantari