Issue running get-aduser in powershell from playbook

Gregory_Machin · May 2, 2023, 1:27am

Hi,

I’m currently testing using AWX as an API to run PowerShell commands via ansible playbooks.

I’m currently testing using the Get-AD user command as this is close to what I’ll be doing.

I’m using the following Ansible playbook

name: Test Extra Variables and PowerShell Command
hosts: all
collections:
tasks:
name: Show Extra Variables
debug:
msg:
“NewUserName: {{ NewUserName }}”
“UserManager: {{ UserManager }}”
name: Run PowerShell Command with SYSTEM account
ansible.windows.win_shell: |
whoami
Test-NetConnection server.Domain.local -port 9389
Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
Get-ADUser -Identity {{ NewUserName }}
register: result
name: Show PowerShell Command Result
debug:
var: result.stdout_lines

but get-ADUser errors with :

Get-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it
does not have the Active Directory Web Services running.
At line:4 char:1

Get-ADUser -Identity bbuilder
CategoryInfo : ResourceUnavailable: (bbuilder:ADUser) [Get-ADUser], ADServerDownException
FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

but I don’t have any issues running Get-ADUser under my account or the service account used for the playbook on the same server.

the following in the playbook work as expected:
Test-NetConnection server.Domain.local -port 9389
Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite

It feels like there is something missing PowerShell environment used by Ansible, but I cant see what could cause this.

Please advise.

thank you
G

jborean · May 2, 2023, 7:14pm

This is most likely the double hop problem where the WinRM process on the Windows side is unable to authenticate itself when talking to a downstream server [1]

There are a few ways you can solve this

Use become on the task [2]
Use CredSSP as your authentication protocol with WinRM
Setup Kerberos delegation through either
- Unconstrained delegation
- Constrained delegation
- Resource based delegation
  Thanks

Jordan

[1] https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3
[2] https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#become-and-windows

Gregory_Machin · May 4, 2023, 9:27am

Hi Jordan,

Thanks for that, you resolved it.

for the next person this is what I ended up doing:

name: Run PowerShell Command with SYSTEM account
ansible.windows.win_shell: |
Get-ADUser -Identity {{ NewUserName }} -properties *
register: result
become: yes
become_method: runas

Topic		Replies	Views
variable passing in win_shell module with powershell command AWX Project windows	2	2	November 11, 2020
Cannot run playbooks on AWX AWX Project awx	2	0	May 29, 2020
Run powershell script on Windows servers which require Powershell to be run with admin privilages Ansible Project windows	3	0	May 23, 2017
Trying to add variable while running ad-hoc command against window server AWX Project windows	2	0	January 18, 2018
The powershell shell family is incompatible with the sudo become plugin Ansible Project awx	5	1	August 6, 2020

Issue running get-aduser in powershell from playbook

Related topics