community.windows.win_domain_user module – Manages Windows Active Directory user accounts
Note
This module is part of the community.windows collection (version 1.10.0). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.windows.
To use it in a playbook, specify: community.windows.win_domain_user.
Parameters

Parameter | Comments
---|---
account_locked | `false` will unlock the user account if it is locked. There is no way to lock an account as an administrator: accounts are locked by user actions (for example, repeated failed logons), and as an admin you may only unlock a locked account. To administratively disable an account, set `enabled` to `false` instead. Choices: `false`.
attributes | A dict of custom LDAP attributes to set on the user. Use it for attributes that are not exposed as module parameters, e.g. `telephoneNumber`. See the examples for how to format this parameter.
city | Configures the user's city.
company | Configures the user's company name.
country | Configures the user's country code. This is a two-character ISO 3166 code.
delegates | A list of principals, each given as a distinguished name. This sets the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute on the user account, i.e. resource-based constrained delegation: every listed principal may obtain Kerberos service tickets to this account's services on behalf of other users. Treat the list as a privileged setting and keep it as short as possible.
description | Description of the user.
domain_password | The password for `domain_username`.
domain_server | The Active Directory Domain Services instance to connect to, as an FQDN or NetBIOS name. If not specified, the domain of the computer running PowerShell is used.
domain_username | The username to use when interacting with AD. If not set, the user Ansible logged in with is used instead; on a host that is not a Domain Controller this only works with CredSSP or Kerberos with credential delegation (see Notes).
email | Configures the user's email address. This only writes the attribute in AD; it does not configure any mail server or system.
enabled | `true` enables the user account; `false` disables it. Choices: `false`, `true`. Default: `true`.
firstname | Configures the user's first name (given name).
groups | Adds or removes the user from this list of groups, depending on the value of `groups_action`. To remove all but the principal group, set `groups` to the principal group only and `groups_action` to `replace`. Users cannot be removed from their principal group (for example, "Domain Users").
groups_action | If `add`, the user is added to each group in `groups` where not already a member. If `remove`, the user is removed from each group in `groups`. If `replace`, the user is added as a member of each group in `groups` and removed from any other groups. Choices: `add`, `remove`, `replace`. Default: `replace`. Because the default is `replace`, a task that lists only the groups it cares about silently strips every other membership; use `add` when that is not intended.
groups_missing_behaviour | Controls what happens when a group specified by `groups` is not found. If `fail`, the module fails if any group is not found. If `ignore`, the module ignores any group that is not found. If `warn`, the module warns about any group that is not found. Choices: `fail`, `ignore`, `warn`. Default: `fail`.
identity | Identity used to find the user in Active Directory. Accepted forms are distinguished name, objectGUID, objectSid or sAMAccountName. Defaults to `name` if not set.
name | Name of the user to create, remove or modify.
password | Optionally set the user's password to this (plain text) value. To enable an account (`enabled: true`), a password must already be configured on the account, or you must provide one here. Supply it from an encrypted source such as Ansible Vault and set `no_log: true` on the task so it does not appear in output.
password_expired | `true` requires the user to change their password at next login; `false` clears the expired-password flag. Mutually exclusive with `password_never_expires`. Choices: `false`, `true`.
password_never_expires | `true` sets the password to never expire; `false` allows it to expire. Mutually exclusive with `password_expired`. Choices: `false`, `true`.
path | Container or OU for the new user; if not specified, the user is placed in the domain's default users container. The path is only honoured when a new user is created. Specifying a path for an existing user does not move it: delete the user (`state: absent`) and re-add it with the desired path.
postal_code | Configures the user's postal code / zip code.
sam_account_name | Configures the SAM Account Name (`sAMAccountName`). Limited to 20 characters because of pre-Windows 2000 restrictions. Defaults to `name` if not set.
spn | The service principal name(s) for the account. This sets the `ServicePrincipalNames` property; the LDAP display name (`ldapDisplayName`) is `servicePrincipalName`. An SPN must be unique in the forest, so check that none of these is already registered on another account before setting it.
spn_action | If `add`, the SPNs are added to the user. If `remove`, the SPNs are removed from the user. If `replace`, the listed SPNs overwrite the current set. Choices: `add`, `remove`, `replace`. Default: `replace`.
state | When `present`, creates or updates the user account. When `absent`, removes the user account if it exists. When `query`, retrieves the user account details without making any changes. Choices: `absent`, `present`, `query`. Default: `present`.
state_province | Configures the user's state or province.
street | Configures the user's street address.
surname | Configures the user's last name (surname).
update_password | `always` sets the password whenever `password` is given. `on_create` only sets the password for newly created users. `when_changed` only sets the password when it differs from the current one, which the module establishes by attempting a logon with the supplied value; a wrong value therefore registers as a failed logon for that account. `always` always reports a status of changed, because the module cannot tell whether the new password differs from the old one. Choices: `always`, `on_create`, `when_changed`. Default: `always`.
upn | Configures the User Principal Name (UPN) for the account. Not required, but best practice for modern versions of Active Directory. The format is `<username>@<domain>`.
user_cannot_change_password | `true` prevents the user from changing their password; `false` allows it. Choices: `false`, `true`.
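The play below is an added illustration, not taken from the module documentation, that ties several of the parameters above into one hardened service-account definition and then uses `state: query` together with the return values documented further down to verify the result. The host `dc01`, the OU `OU=Service Accounts,DC=corp,DC=example`, the group `SQL Service Accounts`, the SPNs and the vault variable `vault_svc_sql_password` are assumptions.

```yaml
# Added example (not from the module documentation). The host, OU, group,
# SPNs and the vault variable name are hypothetical.
- name: Manage the SQL Server service account
  hosts: dc01
  gather_facts: false
  vars:
    # Assumed to come from a vaulted vars file; never a literal in the playbook.
    svc_sql_password: "{{ vault_svc_sql_password }}"
  tasks:
    - name: Ensure svc_sql exists with a restricted profile
      community.windows.win_domain_user:
        name: svc_sql
        sam_account_name: svc_sql              # 20 characters at most
        upn: svc_sql@corp.example
        description: SQL Server service account (managed by Ansible)
        path: OU=Service Accounts,DC=corp,DC=example   # only honoured on creation
        password: "{{ svc_sql_password }}"
        update_password: on_create             # do not touch the password on later runs
        password_never_expires: true
        user_cannot_change_password: true
        groups:
          - SQL Service Accounts               # must exist: groups_missing_behaviour defaults to fail
        groups_action: add                     # the default 'replace' would strip other memberships
        spn:
          - MSSQLSvc/sql01.corp.example:1433
          - MSSQLSvc/sql01.corp.example
        state: present
      no_log: true                             # keep the password out of logs and callbacks
      register: svc

    - name: Read the account back without changing it
      community.windows.win_domain_user:
        name: svc_sql
        identity: "{{ svc.sid }}"              # the SID survives renames and moves
        state: query
      register: svc_state

    - name: Fail the play if the account is not in the expected state
      ansible.builtin.assert:
        that:
          - svc_state.enabled
          - svc_state.user_cannot_change_password
          - not svc_state.password_expired
          - "'Domain Admins' not in svc_state.groups"
          - svc_state.spn | length == 2
        fail_msg: "svc_sql drifted from its hardened definition"
```

The second task is read-only, so it can run on every play; the assertions use only return fields documented for this module (`enabled`, `user_cannot_change_password`, `password_expired`, `groups`, `spn`, `sid`).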
Notes
Works with Windows Server 2012 R2 and newer.
If running on a server that is not a Domain Controller, credential delegation through CredSSP or Kerberos with delegation must be used, or domain_username and domain_password must be set.
Some users have reported successful operation on Windows Server 2008 R2 with AD and AD Web Services enabled, but this has not received the same degree of testing as Windows Server 2012 R2.
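The three plays below are an added example, not part of the module documentation, showing the options the note above leaves open when the target is a domain member rather than a Domain Controller. The hosts `mgmt01` and `dc01.corp.example`, the `CORP` domain, the account `svc_ansible_ad`, the user `jdoe` and the vault variable are assumptions.

```yaml
# Added example (not from the module documentation). Host names, the CORP
# domain, account names and the vault variable are hypothetical.

# Variant A: CredSSP. WinRM forwards the connecting user's credential to
# mgmt01, which then authenticates to the DC as that user (the second hop).
# The plaintext credential therefore exists on mgmt01 for the session and can
# be recovered by anyone with administrative rights on that host.
- name: Manage a domain user from a member server over CredSSP
  hosts: mgmt01
  gather_facts: false
  vars:
    ansible_connection: winrm
    ansible_winrm_transport: credssp
  tasks:
    - name: Disable the account of a departed user
      community.windows.win_domain_user:
        name: jdoe
        enabled: false
        state: present

# Variant B: Kerberos with delegation. Needs a forwardable TGT on the control
# node (kinit -f) and a target host trusted for delegation; accounts flagged
# "sensitive and cannot be delegated" cannot be used this way.
- name: Manage a domain user from a member server over Kerberos delegation
  hosts: mgmt01
  gather_facts: false
  vars:
    ansible_connection: winrm
    ansible_winrm_transport: kerberos
    ansible_winrm_kerberos_delegation: true
  tasks:
    - name: Disable the account of a departed user
      community.windows.win_domain_user:
        name: jdoe
        enabled: false
        state: present

# Variant C: no delegation. The module authenticates to the DC itself with an
# explicit account that only holds rights on the OU it manages. The password
# comes from a vaulted variable and no_log keeps it out of output and callbacks.
- name: Manage a domain user from a member server with explicit credentials
  hosts: mgmt01
  gather_facts: false
  tasks:
    - name: Disable the account of a departed user
      community.windows.win_domain_user:
        name: jdoe
        enabled: false
        state: present
        domain_username: CORP\svc_ansible_ad
        domain_password: "{{ vault_svc_ansible_ad_password }}"
        domain_server: dc01.corp.example      # FQDN or NetBIOS name
      no_log: true
```

Variant C is the one to prefer when the connecting user is a broadly privileged administrator: the module then acts under a narrowly scoped account, and nothing that can be replayed elsewhere is handed to the member server.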
See Also
- ansible.windows.win_domain
The official documentation on the ansible.windows.win_domain module.
- ansible.windows.win_domain_controller
The official documentation on the ansible.windows.win_domain_controller module.
- community.windows.win_domain_computer
The official documentation on the community.windows.win_domain_computer module.
- community.windows.win_domain_group
The official documentation on the community.windows.win_domain_group module.
- ansible.windows.win_domain_membership
The official documentation on the ansible.windows.win_domain_membership module.
- ansible.windows.win_user
The official documentation on the ansible.windows.win_user module.
- community.windows.win_user_profile
The official documentation on the community.windows.win_user_profile module.
Examples

```yaml
# Passwords below are literals for illustration only. In a real playbook take
# them from Ansible Vault and set no_log: true on the task.
- name: Ensure user bob is present with address information
  community.windows.win_domain_user:
    name: bob
    firstname: Bob
    surname: Smith
    company: BobCo
    password: B0bP4ssw0rd
    state: present
    groups:
      - Domain Admins
    street: 123 4th St.
    city: Sometown
    state_province: IN
    postal_code: 12345
    country: US
    attributes:
      telephoneNumber: 555-123456

- name: Ensure user bob is created and use custom credentials to create the user
  community.windows.win_domain_user:
    name: bob
    firstname: Bob
    surname: Smith
    password: B0bP4ssw0rd
    state: present
    domain_username: DOMAIN\admin-account
    domain_password: SomePas2w0rd
    domain_server: domain@DOMAIN.COM

- name: Ensure user bob is present in OU ou=test,dc=domain,dc=local
  community.windows.win_domain_user:
    name: bob
    password: B0bP4ssw0rd
    state: present
    path: ou=test,dc=domain,dc=local
    groups:
      - Domain Admins

- name: Ensure user bob is absent
  community.windows.win_domain_user:
    name: bob
    state: absent

- name: Ensure user has SPNs defined
  community.windows.win_domain_user:
    name: liz.kenyon
    spn:
      - MSSQLSvc/us99db-svr95:1433
      - MSSQLSvc/us99db-svr95.vmware.com:1433

- name: Ensure user has an SPN added (spn_action add keeps the existing SPNs)
  community.windows.win_domain_user:
    name: liz.kenyon
    spn_action: add
    spn:
      - MSSQLSvc/us99db-svr95:2433

- name: Ensure user is created with delegates and SPNs defined
  community.windows.win_domain_user:
    name: shmemmmy
    password: The3rubberducki33!
    state: present
    groups:
      - Domain Admins
      - Enterprise Admins
    delegates:
      - CN=shenetworks,CN=Users,DC=ansible,DC=test
      - CN=mk.ai,CN=Users,DC=ansible,DC=test
      - CN=jessiedotjs,CN=Users,DC=ansible,DC=test
    spn:
      - MSSQLSvc/us99db-svr95:2433
```
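The last example grants resource-based constrained delegation to three users without checking the outcome. The play below is an added example, not part of the module documentation, that pins the `delegates` list on an existing account, checks the module's `delegates` return value against the intended list, and then reads `msDS-AllowedToActOnBehalfOfOtherIdentity` back independently so that any principal not on the list fails the run. The host `dc01`, the account `svc_web` (assumed to already exist), the computer account `WEBFE01` and the `CORP` domain are assumptions.

```yaml
# Added example (not from the module documentation). Host, account and domain
# names are hypothetical; svc_web is assumed to exist already.
- name: Pin resource-based constrained delegation on svc_web
  hosts: dc01                # the ActiveDirectory module is available on a DC
  gather_facts: false
  vars:
    rbcd_allowed_dns:
      - CN=WEBFE01,OU=Servers,DC=corp,DC=example
    rbcd_allowed_ntaccounts:
      - 'CORP\WEBFE01$'
  tasks:
    - name: Ensure only the web front end may act on behalf of others to svc_web
      community.windows.win_domain_user:
        name: svc_web
        state: present
        delegates: "{{ rbcd_allowed_dns }}"    # replaces the whole list, nothing is merged
        spn:
          - HTTP/app.corp.example
      register: svc_web

    - name: The module must report exactly the intended principals
      ansible.builtin.assert:
        that:
          - svc_web.delegates | map('lower') | sort == rbcd_allowed_dns | map('lower') | sort
        fail_msg: "delegates drifted: {{ svc_web.delegates }}"

    - name: Read the security descriptor back without relying on the module
      ansible.windows.win_shell: |
        $sd = (Get-ADUser -Identity svc_web -Properties msDS-AllowedToActOnBehalfOfOtherIdentity).'msDS-AllowedToActOnBehalfOfOtherIdentity'
        if ($null -ne $sd) { $sd.Access | ForEach-Object { $_.IdentityReference.Value } }
      changed_when: false
      register: rbcd

    - name: No principal outside the allow-list may appear in the descriptor
      ansible.builtin.assert:
        that:
          - rbcd.stdout_lines | difference(rbcd_allowed_ntaccounts) | length == 0
        fail_msg: "unexpected RBCD principals: {{ rbcd.stdout_lines }}"
```

Reading the attribute back matters because the module returns distinguished names while the attribute itself is a security descriptor: an entry whose DN no longer resolves, or one added outside Ansible, shows up in the descriptor as a SID or NT account and is caught by the second assertion.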
Return Values
Common return values are documented here; the following are the fields unique to this module:

Key | Description
---|---
account_locked | `true` if the account is locked. Returned: always. Sample: `false`
changed | `true` if the account changed during execution. Returned: always. Sample: `false`
city | The user city. Returned: always. Sample: "Indianapolis"
company | The user company. Returned: always. Sample: "RedHat"
country | The user country. Returned: always. Sample: "US"
created | Whether a user was created. Returned: always. Sample: `true`
delegates | Principals allowed to delegate. Returned: always. Sample: ["CN=svc.tech.unicorn,CN=Users,DC=ansible,DC=test", "CN=geoff,CN=Users,DC=ansible,DC=test"]
description | A description of the account. Returned: always. Sample: "Server Administrator"
distinguished_name | DN of the user account. Returned: always. Sample: "CN=nick,OU=test,DC=domain,DC=local"
enabled | `true` if the account is enabled and `false` if disabled. Returned: always. Sample: `true`
firstname | The user first name. Returned: always. Sample: "Nick"
groups | AD groups to which the account belongs. Returned: always. Sample: ["Domain Admins", "Domain Users"]
msg | Summary message of whether the user is present or absent. Returned: always. Sample: "User nick is present"
name | The username on the account. Returned: always. Sample: "nick"
password_expired | `true` if the account password has expired. Returned: always. Sample: `false`
password_updated | `true` if the password changed during this execution. Returned: always. Sample: `true`
postal_code | The user postal code. Returned: always. Sample: 46033
sam_account_name | The SAM Account Name of the account. Returned: always. Sample: "nick"
sid | The SID of the account. Returned: always. Sample: "S-1-5-21-2752426336-228313920-2202711348-1175"
spn | The service principal names. Returned: always. Sample: ["HTTPSvc/ws1intel-svc1", "HTTPSvc/ws1intel-svc1.vmware.com"]
state | The state of the user account. Returned: always. Sample: "present"
state_province | The user state or province. Returned: always. Sample: "IN"
street | The user street address. Returned: always. Sample: "123 4th St."
surname | The user last name. Returned: always. Sample: "Doe"
user_cannot_change_password | `true` if the user is not allowed to change their password. Returned: always. Sample: `false`
Authors
Nick Chandler (@nwchandler)
Joe Zollo (@zollo)