community.windows.win_domain_object_info module – Gather information about an Active Directory object
Note

This module is part of the community.windows collection (version 1.10.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.

To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.windows.

To use it in a playbook, specify: community.windows.win_domain_object_info.
Parameters

| Parameter | Comments |
|---|---|
| domain_password | The password for domain_username. |
| domain_server | Specifies the Active Directory Domain Services instance to connect to. Can be in the form of an FQDN or NetBIOS name. If not specified then the value is based on the default domain of the computer running PowerShell. |
| domain_username | The username to use when interacting with AD. If this is not set then the user that is used for authentication will be the connection user. Ansible will be unable to use the connection user unless auth is Kerberos with credential delegation or CredSSP, or become is used on the task. |
| filter | Specifies a query string using the PowerShell Expression Language syntax. This follows the same rules and formatting as the -Filter parameter of the Active Directory PowerShell cmdlets. This is mutually exclusive with identity and ldap_filter. |
| identity | Specifies a single Active Directory object by its distinguished name or its object GUID. This is mutually exclusive with filter and ldap_filter. This cannot be used with either the search_base or search_scope options. |
| include_deleted | Also search for deleted Active Directory objects. Choices: false (default), true. |
| ldap_filter | Like filter but this is a traditional LDAP query string to filter the objects to return. This is mutually exclusive with filter and identity. |
| properties | A list of properties to return. If a property is *, all properties that have a set value on the object are returned. If a property is valid on the object but not set, it is only returned if defined explicitly in this option list. The properties DistinguishedName, Name, ObjectClass, and ObjectGUID are always returned. Specifying multiple properties can have a performance impact; it is best to only return what is needed. If an invalid property is specified then the module will display a warning for each object it is invalid on. |
| search_base | Specify the Active Directory path to search for objects in. This cannot be set with identity. By default the search base is the default naming context of the target AD instance, which is the DN returned by (Get-ADRootDSE).defaultNamingContext. |
| search_scope | Specify the scope to use when searching for an object in the search_base. This cannot be set with identity. Choices: base, one_level, subtree. |
Notes

Note

The sAMAccountType_AnsibleFlags and userAccountControl_AnsibleFlags return properties are set by the module itself as an easy way to view what those flags represent. These properties cannot be used as part of the filter or ldap_filter and are automatically added if those properties were requested.
Examples

```yaml
- name: Get all properties for the specified account using its DistinguishedName
  community.windows.win_domain_object_info:
    identity: CN=Username,CN=Users,DC=domain,DC=com
    properties: '*'

- name: Get the SID for all user accounts as a filter
  community.windows.win_domain_object_info:
    filter: ObjectClass -eq 'user' -and objectCategory -eq 'Person'
    properties:
    - objectSid

- name: Get the SID for all user accounts as a LDAP filter
  community.windows.win_domain_object_info:
    ldap_filter: (&(objectClass=user)(objectCategory=Person))
    properties:
    - objectSid

- name: Search all computer accounts in a specific path that were added after February 1st
  community.windows.win_domain_object_info:
    filter: objectClass -eq 'computer' -and whenCreated -gt '20200201000000.0Z'
    properties: '*'
    search_scope: one_level
    search_base: CN=Computers,DC=domain,DC=com
```
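The following playbook is an added example (not part of the module's own documentation) that turns the module into a small compliance check: it uses an ldap_filter to find enabled user accounts whose password never expires, requests the userAccountControl_AnsibleFlags property described in the Notes to make the raw flag value readable, and fails the run when any such account exists. The host group `windows`, the OU used as search_base and the domain name are assumptions to adjust for your environment.

```yaml
- name: Audit enabled users whose password never expires
  hosts: windows                      # assumption: a group of domain-joined Windows hosts
  gather_facts: false
  tasks:
    - name: Query AD with an LDAP bitwise filter on userAccountControl
      community.windows.win_domain_object_info:
        # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: it matches when the
        # given bit is set. 65536 = DONT_EXPIRE_PASSWD, 2 = ACCOUNTDISABLE (excluded
        # with the "!" clause so disabled accounts do not show up as findings).
        ldap_filter: (&(objectClass=user)(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
        properties:
          - sAMAccountName
          - userAccountControl
          - userAccountControl_AnsibleFlags   # added by the module; cannot be used in the filter
          - pwdLastSet                        # returned as ISO 8601 UTC per the return docs
        search_base: OU=Staff,DC=domain,DC=com   # assumption: the OU you want to audit
      register: no_expiry_users

    - name: Show each finding with the human-readable flags the module adds
      ansible.builtin.debug:
        msg: "{{ item.sAMAccountName }}: {{ item.userAccountControl_AnsibleFlags }} (pwdLastSet {{ item.pwdLastSet }})"
      loop: "{{ no_expiry_users.objects }}"
      loop_control:
        label: "{{ item.DistinguishedName }}"

    - name: Fail the play when such accounts exist so the finding is visible in CI
      ansible.builtin.assert:
        that: no_expiry_users.objects | length == 0
        fail_msg: "Non-expiring passwords: {{ no_expiry_users.objects | map(attribute='sAMAccountName') | list }}"
        success_msg: No enabled user in the search base has a non-expiring password
```

Because the bit test runs in the LDAP filter itself, only matching objects are transferred, which is cheaper than requesting userAccountControl for every user and filtering in Jinja.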
Return Values

Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| objects | A list of dictionaries that are the Active Directory objects found and the properties requested. The dict's keys are the property name and the value is the value for the property. All date properties are returned in the ISO 8601 format in the UTC timezone. All SID properties are returned as a dict with the keys Sid and Name. All byte properties are returned as a base64 string. All security descriptor properties are returned as the SDDL string of that descriptor. The properties DistinguishedName, Name, ObjectClass, and ObjectGUID are always returned. Returned: always. Sample: see below. |

Sample value of objects:

```json
[
  {
    "accountExpires": 0,
    "adminCount": 1,
    "CanonicalName": "domain.com/Users/Administrator",
    "CN": "Administrator",
    "Created": "2020-01-13T09:03:22.0000000Z",
    "Description": "Built-in account for administering computer/domain",
    "DisplayName": null,
    "DistinguishedName": "CN=Administrator,CN=Users,DC=domain,DC=com",
    "memberOf": [
      "CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=com",
      "CN=Domain Admins,CN=Users,DC=domain,DC=com"
    ],
    "Name": "Administrator",
    "nTSecurityDescriptor": "O:DAG:DAD:PAI(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)",
    "ObjectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com",
    "ObjectClass": "user",
    "ObjectGUID": "c8c6569e-4688-4f3c-8462-afc4ff60817b",
    "objectSid": {
      "Sid": "S-1-5-21-2959096244-3298113601-420842770-500",
      "Name": "DOMAIN\\Administrator"
    },
    "sAMAccountName": "Administrator"
  }
]
```
Authors
Jordan Borean (@jborean93)