
Comments (6)

jengstrom440 commented on September 3, 2024

Hi,

we solved it with two tasks:

- name: "Search computer object in ad to fetch guid [ad_manage_computer_add]"
  microsoft.ad.object_info:
    ldap_filter: "(&(objectClass=computer)(cn={{ inventory_hostname_short }}*))"
    properties: '*'
    domain_server: ADCONTROLLER
    domain_username: ADMIN
    domain_password: PASSWORD
  delegate_to: ADCONTROLLER
  register: reg_computer_obj

- name: "Move computer object to the right Active Directory OU [ad_manage_computer_add]"
  microsoft.ad.object:
    identity: "{{ reg_computer_obj.objects.0.ObjectGUID }}"
    name: "{{ inventory_hostname_short }}"
    path: "CN=Computers,DC=domain,DC=com"
    type: computer
    domain_server: ADCONTROLLER
    domain_username: ADMIN
    domain_password: PASSWORD
    state: present
  delegate_to: ADCONTROLLER

Hope that helps...

Thank you for posting this. That has got me thinking of a few ideas to test and I believe I have figured it out. Since identity is looking for a matching SamAccountName for the computer object, it must end with a $. I assumed that the code in Ansible would append the $ to the end of the entry as every computer object in Active Directory must end in $ for its SamAccountName. That appears not to be the case. After some trial and error along with the above inspiration, I have tested this solution to work. I also recommend the documentation be appended as well.

  - name: Move server to Servers OU
    microsoft.ad.object:
      identity: "{{ ansible_hostname }}$"
      name: "{{ ansible_hostname }}"
      path: OU=Domain Servers,OU=Site-Location,DC=ad,DC=cityofgotham,DC=com
      type: computer

All of these entries are needed at a minimum to get it to work. Oddly enough sometimes during my testing, it would create completely identical named computer objects that were disabled. That is less than desirable. Hopefully this will help someone.

from microsoft.ad.

david-sieg commented on September 3, 2024

Hi,

we solved it with two tasks:

- name: "Search computer object in ad to fetch guid [ad_manage_computer_add]"
  microsoft.ad.object_info:
    ldap_filter: "(&(objectClass=computer)(cn={{ inventory_hostname_short }}*))"
    properties: '*'
    domain_server: ADCONTROLLER
    domain_username: ADMIN
    domain_password: PASSWORD
  delegate_to: ADCONTROLLER
  register: reg_computer_obj

- name: "Move computer object to the right Active Directory OU [ad_manage_computer_add]"
  microsoft.ad.object:
    identity: "{{ reg_computer_obj.objects.0.ObjectGUID }}"
    name: "{{ inventory_hostname_short }}"
    path: "CN=Computers,DC=domain,DC=com"
    type: computer
    domain_server: ADCONTROLLER
    domain_username: ADMIN
    domain_password: PASSWORD
    state: present
  delegate_to: ADCONTROLLER

Hope that helps...


jborean93 commented on September 3, 2024

You are correct in that using identity will just use the filter (sAMAccountName=$identity) and not add the $ to the end. I think the logic should be amended so that for resources that are known to end with $ it should automatically be added to the filter string so you don't have to.

Thanks for looking into this and providing all that great detail!


jengstrom440 commented on September 3, 2024

So is the thought to change that so it appends a $ to the identity to see if it finds a match? Also could add the example to the documentation afterwards? Please let me know if I can do anything else to help, thanks!


jborean93 commented on September 3, 2024

Yea I think it makes sense that when we are dealing with an object type that is known to always end with $ it will automatically append $ if it's not already there when searching by sAMAccountName.

Documentation is also a great idea!


jborean93 commented on September 3, 2024

I've opened #137 which adds a fallback identity check with $ for microsoft.ad.computer. It also adds the ability to create a computer account without the $ suffix alongside some more tests for these scenarios.

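An added example, not from the thread or the microsoft.ad project: the two-task lookup-then-move approach with an exact sAMAccountName match (including the trailing $) in place of the cn wildcard, which would also match web10 when looking up web1, and a check that exactly one object came back before anything is moved by GUID. The variables target_ou, ad_admin_user and ad_admin_password are assumptions (the credentials are expected to come from Ansible Vault rather than the playbook), and the hostname is assumed to contain no LDAP filter metacharacters.

```yaml
# Added example; target_ou, ad_admin_user and ad_admin_password are
# hypothetical variables, not names from the thread.
- name: "Look up the computer object by exact sAMAccountName"
  microsoft.ad.object_info:
    # Exact match with the $ suffix: no wildcard, so at most one account matches.
    ldap_filter: "(&(objectClass=computer)(sAMAccountName={{ inventory_hostname_short }}$))"
    properties:
      - sAMAccountName
    domain_server: ADCONTROLLER
    domain_username: "{{ ad_admin_user }}"
    domain_password: "{{ ad_admin_password }}"
  delegate_to: ADCONTROLLER
  register: reg_computer_obj

- name: "Stop unless exactly one computer object matched"
  ansible.builtin.assert:
    that:
      - reg_computer_obj.objects | length == 1
    fail_msg: >-
      Expected one computer object for {{ inventory_hostname_short }}$,
      found {{ reg_computer_obj.objects | length }}.

- name: "Move the matched object to the target OU by GUID"
  microsoft.ad.object:
    # The GUID identifies the existing object, so nothing is looked up by name here.
    identity: "{{ reg_computer_obj.objects[0].ObjectGUID }}"
    name: "{{ inventory_hostname_short }}"
    path: "{{ target_ou }}"
    type: computer
    state: present
    domain_server: ADCONTROLLER
    domain_username: "{{ ad_admin_user }}"
    domain_password: "{{ ad_admin_password }}"
  delegate_to: ADCONTROLLER
```

With zero matches the play fails at the assert instead of continuing to the move task with an identity that does not resolve.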
