win_domain_group using AD LDS?

Attempting to implement group creation/management playbooks via a jump box running AD LDS nets us the below error

The play itself isn’t overly complicated… yet.

```yaml
# CREATING RW GROUPS
tasks:
  - name: Verify we connect for debug
    win_shell: hostname

  - name: H - Create the RW DL Group
    win_domain_group:
      state: present
      domain_server: "{{ h_domain_server }}"
      domain_username: "{{ h_domain_username }}"
      domain_password: "{{ h_domain_password }}"
      name: "{{ h_dl_prefix }}{{ dl_name }}{{ suffix_RW }}"
      scope: domainlocal
      path: "{{ h_dl_path }}"
      description: "{{ description_rw }}"
```

But having ripped apart the .ps1 file and the .py file that support the module, I’m yet to identify where the heck I can list a partition.

```
fatal: [REDACTED]: FAILED! => {
    "changed": false,
    "created": false,
    "msg": "failed to retrieve initial details for group REDACTED: Parameter: 'Partition' is required for this operation."
```

To be clear, that is definitely the entire output of errors with -vvvv; everything before the error is kinit authenticating.
If AD LDS isn’t applicable, that’s fine. The org I’m with is trying to give us the least possible footprint to shoot ourselves in the foot with, before just giving me wide open throttle to a DC itself.

halp?

https://pastebin.com/Zst497QW

From the box I’ve got with AD LDS installed:

```
PS C:\Users\jal011adm> get-adgroup -identity GDAnsible -server localhost
get-adgroup : Parameter: 'Partition' is required for this operation.
At line:1 char:1
+ get-adgroup -identity GDAnsible -server localhost
    + CategoryInfo          : InvalidArgument: (GDAnsible:ADGroup) [Get-ADGroup], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
```

Digging further into it

For AD LDS environments, the Partition parameter must be specified except in the following two conditions:

- The cmdlet is run from an Active Directory provider drive.

- A default naming context or partition is defined for the AD LDS environment. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.

Source: https://docs.microsoft.com/en-us/powershell/module/activedirectory/add-adprincipalgroupmembership?view=winserver2012-ps
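An added example, not from the original post and not code from the win_domain_group module, that walks through both halves of the above from the jump box: it reads the instance's RootDSE to find which partitions the AD LDS instance actually hosts, repeats the Get-ADGroup lookup that failed earlier with -Partition supplied, and then sets msDS-defaultNamingContext on the instance's nTDSDSA object so that the second exemption in the quoted docs applies. Assumptions: the instance listens on localhost:389, the group is GDAnsible as in the failing command, and the running account may write to the configuration partition; the partition name the script picks is read at run time rather than hard-coded.

```powershell
# Added example (not from the original post or the Ansible module).
# Assumptions: AD LDS instance on localhost:389, group named GDAnsible,
# and an account allowed to write the nTDSDSA object for the instance.
Import-Module ActiveDirectory

$server = 'localhost:389'

# RootDSE lists every partition the instance hosts; no guessing needed.
$rootDse = Get-ADRootDSE -Server $server
Write-Host 'Partitions hosted by this instance:'
$rootDse.namingContexts | ForEach-Object { Write-Host "  $_" }

# Keep only the application partition(s); configuration and schema
# partitions are also listed but are not where user groups live.
$appPartitions = $rootDse.namingContexts | Where-Object {
    $_ -ne $rootDse.configurationNamingContext -and
    $_ -ne $rootDse.schemaNamingContext
}
if (-not $appPartitions) {
    throw 'No application partition found on this instance.'
}
# Assumption: the first application partition is the one holding the groups.
$partition = $appPartitions | Select-Object -First 1
Write-Host "Using partition: $partition"

# Same lookup that failed with "Parameter: 'Partition' is required",
# now with the partition passed explicitly.
Get-ADGroup -Identity 'GDAnsible' -Server $server -Partition $partition |
    Select-Object Name, GroupScope, DistinguishedName

# Second exemption from the docs: give the instance a default naming context.
# RootDSE's dsServiceName is the DN of the nTDSDSA object for this instance,
# which is exactly the object the docs say to set msDS-defaultNamingContext on.
$dsaDn = $rootDse.dsServiceName
Write-Host "Setting msDS-defaultNamingContext on: $dsaDn"
Set-ADObject -Identity $dsaDn -Server $server -Replace @{
    'msDS-defaultNamingContext' = $partition
}

# Verify: once set, RootDSE exposes defaultNamingContext and the earlier
# command should no longer require -Partition.
$after = Get-ADRootDSE -Server $server
Write-Host "defaultNamingContext is now: $($after.defaultNamingContext)"
Get-ADGroup -Identity 'GDAnsible' -Server $server |
    Select-Object Name, GroupScope, DistinguishedName
```

The first Get-ADGroup call is the one-line workaround you can type by hand; the Set-ADObject step is the instance-wide change, so treat it as a configuration change to the LDS instance rather than something the playbook does on every run, and confirm with the second RootDSE read before re-running the play.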

It doesn’t look like the module supports LDS. You will have to edit it and create a PR that modifies it to specify the Partition value with what is required.