win_domain_user fails with unexpected error

I am currently working on automating the provisioning of the Active Directory servers in our environment. I have completed the majority of steps (Windows Features & Roles, Domain Creation, OUs, Groups, Group Memberships), but I have run into an issue with creating user accounts.

The following YAML code is what I am using to create a new user, and it is failing part way through. The user is created in AD, but does not have the group mappings (I have also tried different user / group combinations with no luck).

create_ansible_user.yml

- name: Create Ansible Domain User
  hosts: ADC_Primary
  gather_facts: yes
  tasks:

  - name: "Create {{ domain_admin_user }} account"
    win_domain_user:
      name: '{{ domain_admin_name }}'
      firstname: '{{ domain_admin_name }}'
      surname: '{{ domain_admin_name }}'
      password: '{{ domain_admin_password }}'
      groups:
        - Domain Users
        - Domain Admins
      state: present

all.yml

ansible_user: administrator@MYDOMAIN.NET
ansible_password: myPassword123!
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore

domain_lower:
  prefix: mydomain
  suffix: net

domain_admin_name: s_ansible
domain_admin_user: '{{ domain_admin_name }}@{{ domain_lower.prefix }}.{{ domain_lower.suffix }}'
domain_admin_password: myPassw0rd123!

hosts

[ADC_Primary]
PRIASADC01.MYDOMAIN.NET

Output

TASK [Create s_ansible@mydomain.net account] ***************************************************************************************************************************************************************************************************************************************************************************************************************************
fatal: [PRIASADC01.MYDOMAIN.NET]: FAILED! => {"changed": true, "msg": "An unspecified error has occurred", "password_updated": true}

As you can see, the module throws an unspecified error. The user itself is actually created, but does not have any group mappings apart from Domain Users.

Is there any way to get a stacktrace or more details? Verbose did not seem to add anything.

Unfortunately no, I had a look at the code and it still used the old way of working, which was to wrap exceptions at the top level, and this unfortunately hid things from view. I've raised a PR to remove this behaviour so that on a failure it will show the proper error message and stacktrace when you run with -vvv: https://github.com/ansible/ansible/pull/58357.

The actual error is being returned by a cmdlet, so it's unfortunate it doesn't return something useful, but once we find out what cmdlet is failing that should help. Looking at your code I can't really see what it may be. The code that manages the groups can be found at https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_domain_user.ps1#L211-L259, so it might be a good idea to run it manually and see if it fails.

Thanks

Jordan
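The manual check suggested above, written out as an added example (not the win_domain_user module's own code): it mirrors the group reconciliation the module performs for `groups:` but makes every cmdlet error terminating, so the failing cmdlet, its real message and a script stack trace are printed instead of "An unspecified error has occurred". It assumes the RSAT ActiveDirectory module on the DC, the `s_ansible` account and group names from the question, and `$RemoveExtras` is an assumed switch that is off by default so a diagnostic run only adds memberships.

```powershell
# Added example, not the module's code: reproduce the groups: reconciliation
# of win_domain_user with full error reporting. Assumes RSAT ActiveDirectory.
$ErrorActionPreference = 'Stop'   # turn non-terminating cmdlet errors into exceptions
Import-Module ActiveDirectory

$UserName     = 's_ansible'                         # from the question's all.yml
$WantedGroups = @('Domain Users', 'Domain Admins')  # from the question's playbook
$RemoveExtras = $false   # assumed switch: only report extra groups unless set

try {
    $user = Get-ADUser -Identity $UserName
    # Groups the account holds now (includes its primary group, e.g. Domain Users)
    $current = @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object Name)

    # Resolve every requested group first so a bad name fails on its own,
    # naming the group, before any membership is changed
    $wanted = foreach ($g in $WantedGroups) {
        try { Get-ADGroup -Identity $g }
        catch { throw "Cannot resolve group '$g': $($_.Exception.Message)" }
    }

    foreach ($g in $wanted) {
        if ($current -notcontains $g.Name) {
            Write-Host "Adding $UserName to $($g.Name)"
            Add-ADGroupMember -Identity $g -Members $user
        }
    }
    foreach ($name in $current) {
        if ($WantedGroups -notcontains $name) {
            if ($RemoveExtras) {
                Write-Host "Removing $UserName from $name"
                Remove-ADGroupMember -Identity $name -Members $user -Confirm:$false
            } else {
                Write-Host "Extra membership not in groups: list: $name (not removed)"
            }
        }
    }
    Write-Host "Group reconciliation completed without error"
}
catch {
    # Print what the module's top-level wrapper hides: cmdlet, message, location
    Write-Host "Failed in : $($_.InvocationInfo.MyCommand)"
    Write-Host "Error     : $($_.Exception.GetType().FullName): $($_.Exception.Message)"
    Write-Host "Stack     : $($_.ScriptStackTrace)"
    exit 1
}
```

Run it in an elevated PowerShell session on the DC under the same account the playbook uses, so the failure reflects that account's rights.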