New module: Add module or managing Windows Active Directory users (windows/win_domain_user)

[nwchandler]

SUMMARY

This PR adds support for managing Windows Active Directory users with Ansible. The existing win_user module is designed to support management of local users. There are enough differences between local user management and domain user management that a separate module seemed to make sense. See discussion on Issue #20428.

ISSUE TYPE

• New Module Pull Request

COMPONENT NAME

windows/win_domain_user.ps1

ANSIBLE VERSION

ansible 2.3.0.0
  config file =
  configured module search path = Default w/o overrides
  python version = 2.7.12 (default, Jun 29 2016, 14:05:02) [GCC 4.2.1 Compatible Apple LLVM 7.3.0 (clang-703.0.31)]

ADDITIONAL INFORMATION

[ansibot]

The test ansible-test sanity --test validate-modules failed with the following error:

lib/ansible/modules/windows/win_domain_user.py:0:0: E312 No RETURN documentation provided

click here for bot help

[jhawkesworth]

I think this line will fail if run against a non-active directory server. Consider a try catch and fail-json if the ActiveDirectory module is not available.

[nwchandler]

Thanks, for the review! Good idea. I will make the update.

[jborean93]

Looks like a great module to have, just a few questions and queries.

[jborean93]

My brain isn't working right now are you able to explain this logic? To me it seems like it will fail if $account_locked is set to true if it has been set? Why can't we create a locked account?

[nwchandler]

I followed Microsoft's lead on this one. There is an Unlock-ADAccount cmdlet, but no corresponding Lock-ADAccount. The thinking is that an account would be locked because a user tried to login too many times with incorrect credentials, so an admin would unlock an account, but not lock it. If an account needed to be "locked" by an admin, he/she would just disable the account by setting "enabled" to false.

[jborean93]

No worries that makes sense, I can see the same functionality in the win_user module this was just me being ignorant :)

[jborean93]

Should we just run this once after creating the user to save getting these details everytime we want to make a change?

[nwchandler]

That's what I did initially, but I found problems in testing. As accounts were updated, I ran into problems where later logic would fail. I ended up deciding it was better to refresh the state of the user object after every update.
(Sorry, I know that's vague; I don't recall the specific issues I ran into off-hand.)

[jborean93]

Fair enough, sounds like a typical Microsoft thing to me.

[jborean93]

There is now a list type that will automatically convert a the item to a list if it isn't already.

[nwchandler]

Hi, @jborean93 - My apologies for the late reply, but thank you for the comments. Good to know about the list type; I'll update this.

[jborean93]

If using the list type it will automatically convert it to a list and split it by , if it is a string.

[jborean93]

Can you add a notes section around where this module can run and the requirements?

[nwchandler]

Yes, I'll add that.

[nathanwebsterdotme]

Looking forward to this one!

[dagwieers]

@nathanwebsterdotme If you do, I'd suggest you test it out in your environment and provide feedback. And help with code-review. Those things will speed up it being merged.

[dagwieers]

Trailing semi-colon is not needed.

[dagwieers]

Please look into adding check-mode support. Often you can get away with some strategically places -WhatIf:$check_mode statements !

[dagwieers]

If parameters are not required, you don't have to add required: false. Only add required: true if they are required.

[dagwieers]

This is not needed, the default value is null, so it's implicit.

[dagwieers]

Wouldn't the choice be [ 'yes', 'no' ] as you'd expect from a boolean ?
As per previous remark, this would become:

    type: bool

[dagwieers]

Nowadays we do:

    type: bool
    default: 'yes'

[dagwieers]

Trailing dot required. I know, quite pedantic rules and all.

[dagwieers]

We tend to not add quotes where they are no needed in YAML.
Here they are not needed.

[nwchandler]

Hi, all. I believe I've addressed the comments in the new version of code (pending one last Shippable test). @dagwieers - I did some work on enabling check_mode, but it gave me some problems. I think it may take a little more re-work than I originally envisioned. So, I pushed the other requested changes. I can take another swing at it at some point, but it may be a while before I can, and I wanted to get the other updates in. I'll defer to you whether that would be a blocker or would be something we could add in the future.

[dagwieers]

This should be a string:

version_added: '2.4'

[dagwieers]

This should be:

type: bool

[dagwieers]

This should be:

type: bool

[dagwieers]

This should be:

type: bool

[dagwieers]

Add here -WhatIf:$check_mode

[dagwieers]

Add here -WhatIf:$check_mode

[dagwieers]

I guess, skip everything that follows on $check_mode (e.g. by running Exit-Json)

[dagwieers]

Add here -WhatIf:$check_mode

[dagwieers]

Add here -WhatIf:$check_mode

[dagwieers]

Add here -WhatIf:$check_mode

[dagwieers]

@nwchandler check-mode is a must-have for every (new) module. It is best to first make it full-featured, then look at supporting check-mode. In this case, I think you can get away with adding -WhatIf:$check_mode to most statements that modify things (like Add-ADUser, Set-ADUser, ...) and leave out some of the post-change validation/lookups. Maybe terminate the module prematurely if needed (even if that means not everything can be checked properly). Check-mode is often best-effort (and heavily depends on low-level implementation details we have no control over).

Let me know if you need help.

[nwchandler]

Thanks for the feedback and ideas on check_mode support, @dagwieers. I have made some updates accordingly. Short-circuiting and exiting early is a good idea.

[jborean93]

Looks good, just did some local tests and things seem to work correctly here. Keen to get this in and people testing it in real life situations.

[jborean93]

shitpit

[nwchandler]

Thanks for everyone's reviews and feedback!

[dagwieers]

So the module freeze deadline for v2.4 is getting closer (2017-08-29). Now is the time to finish up, get it reviewed and merged with no delay.

[nwchandler]

It looks like @jborean93 approved - anything else I need to do to make this happen, @dagwieers ?

[dagwieers]

@nwchandler If you're asking me specifically, the only thing I noted was the use of type: bool in the documentation. Ah, and now I see you did add it, but it should replace the choices: ['no', 'yes'] part.

[jborean93]

Thanks for the work here @nwchandler, I'm going to merge this in so people can start using it in devel. Are you able to update https://github.com/ansible/ansible/blob/devel/.github/BOTMETA.yml and https://github.com/ansible/ansible/blob/devel/CHANGELOG.md with the relevant info for the new module.

[dagwieers]

BOTMETA should not require updating if the author(s) are listed in the module.

[jborean93]

oh did not know that, the more you know