microsoft.ad.group module – Manage Active Directory group objects
Note
This module is part of the microsoft.ad collection (version 1.4.1).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install microsoft.ad.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: microsoft.ad.group.
Synopsis
Manages Active Directory group objects and their attributes.
Requirements
The below requirements are needed on the host that executes this module.
ActiveDirectoryPowerShell module
Parameters
Parameter |
Comments |
|---|---|
The attributes to either add, remove, or set on the AD object. The value of each attribute option should be a dictionary where the key is the LDAP attribute, e.g. The attribute value(s) can either be the raw string, integer, or bool value to add, remove, or set on the attribute in question. The value can also be a dictionary with the type key set to The The The The String attribute values are compared using a case sensitive match on the AD object being managed. See LDAP attributes help for more information. Default: |
|
A dictionary of all the attributes and their value(s) to add to the AD object being managed if they are not already present. This is used for attributes that can contain multiple values, if the attribute only allows a single value, use set instead. Default: |
|
A dictionary of all the attributes and their value(s) to remove from the AD object being managed if they are present. This is used for attributes that can contain multiple values, if the attribute only allows a single value, use set instead. Default: |
|
A dictionary of all attributes and their value(s) to set on the AD object being managed. This will replace any existing values if they do not match the ones being requested. The order of attribute values are not checked only, only that the values requested are the only values on the object attribute. Set this to null or an empty list to clear any values for the attribute. Default: |
|
The category of the group. If a new group is created then A This is the value set on the Choices:
|
|
The description of the AD object to set. This is the value set on the |
|
The display name of the AD object to set. This is the value of the |
|
The password for domain_username. |
|
Specified the Active Directory Domain Services instance to connect to. Can be in the form of an FQDN or NetBIOS name. If not specified then the value is based on the default domain of the computer running PowerShell. |
|
The username to use when interacting with AD. If this is not set then the user that is used for authentication will be the connection user. Ansible will be unable to use the connection user unless auth is Kerberos with credential delegation or CredSSP, or become is used on the task. |
|
The homepage of the group. This is the value set on the |
|
The identity of the AD object used to find the AD object to manage. Must be specified if name is not set, when trying to rename the object with a new name, or when trying to move the object into a different path. The identity can be in the form of a GUID representing the If omitted, the AD object to managed is selected by the |
|
The user or group that manages the group. The value can be in the form of a This is the value set on the |
|
The members of the group to set. The value is a dictionary that contains 3 keys, add, remove, and set. Each subkey is set to a list of AD principal objects to add, remove or set as the members of this AD group respectively. A principal can be in the form of a The module will fail if it cannot find any of the members referenced. |
|
Adds the principals specified as members of the group, keeping the existing membership if they are not specified. |
|
Removes the principals specified as members of the group, keeping the existing membership if they are not specified. |
|
Sets only the principals specified as members of the group. Any other existing member will be removed from the group membership if not specified in this list. Set this to an empty list to remove all members from a group. |
|
The If identity is specified, and the name of the object it found does not match this value, the object will be renamed. This if identity must be set to find the object to manage. This is not always going to be the same as the |
|
The path of the OU or the container where the new object should exist in. If creating a new object, the new object will be created at the path specified. If no path is specified then the If managing an existing object found by identity, the path of the found object will be moved to the one specified by this option. If no path is specified, the object will not be moved. The modules microsoft.ad.computer, microsoft.ad.user, and microsoft.ad.group have their own default path that is configured on the Active Directory domain controller. This can be set to |
|
Marks the object as protected from accidental deletion. This applies a deny access right from deleting the object normally and the protection needs to be removed before the object can be deleted through the GUI or any other tool outside Ansible. Using state=absent will still delete the AD object even if it is marked as protected from deletion. Choices:
|
|
The If omitted, the name value is used when creating a new group. |
|
The scope of the group. This is required when state=present and the group does not already exist. See Group scope for more information on the various domain group scopes. This is the value set on the Choices:
|
|
Set to Set to The option name must be set when state=present. Using Choices:
|
Attributes
Attribute |
Support |
Description |
|---|---|---|
Support: full |
Can run in check_mode and return changed status prediction without modifying target |
|
Support: full |
Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode |
|
Platform: windows |
Target OS/families that can be operated against |
Notes
Note
See win_group migration for help on migrating from community.windows.win_domain_group to this module.
Some LDAP attributes can have only a single value set while others can have multiple. Some attributes are also read only and cannot be changed. It is recommended to look at the schema metadata for an attribute where
System-Onlyare read only values andIs-Single-Valueare attributes with only 1 value.Attempting to set multiple values to a
Is-Single-Valueattribute results in undefined behaviour.If running on a server that is not a Domain Controller, credential delegation through CredSSP or Kerberos with delegation must be used or the domain_username, domain_password must be set.
See Also
See also
- microsoft.ad.domain
Ensures the existence of a Windows domain.
- microsoft.ad.domain_controller
Manage domain controller/member server state for a Windows host.
- microsoft.ad.membership
Manage domain/workgroup membership for a Windows host.
- microsoft.ad.object_info
Gather information an Active Directory object.
- microsoft.ad.object
Manage Active Directory objects.
- microsoft.ad.user
Manage Active Directory users.
- Migration guide
This module replaces
community.windows.win_domain_group. See the migration guide for details.- community.windows.win_domain_group
Creates, modifies or removes domain groups.
Examples
- name: Ensure a group exists
microsoft.ad.group:
name: Cow
scope: global
- name: Remove a group
microsoft.ad.group:
name: Cow
state: absent
- name: Create a group in a custom path
microsoft.ad.group:
name: Cow
scope: global
path: OU=groups,DC=ansible,DC=local
state: present
- name: Remove a group in a custom path
microsoft.ad.group:
name: Cow
path: OU=groups,DC=ansible,DC=local
state: absent
- name: Create group with delete protection enabled and custom attributes
microsoft.ad.group:
name: Ansible Users
scope: domainlocal
category: security
homepage: www.ansible.com
attributes:
set:
mail: [email protected]
protect_from_deletion: true
- name: Change the path of a group
microsoft.ad.group:
name: MyGroup
scope: global
identity: S-1-5-21-2171456218-3732823212-122182344-1189
path: OU=groups,DC=ansible,DC=local
- name: Add managed_by user
microsoft.ad.group:
name: Group Name Here
scope: global
managed_by: Domain Admins
- name: Add group and specify the AD domain services to use for the create
microsoft.ad.group:
name: Test Group
domain_username: [email protected]
domain_password: Password01!
domain_server: corp-DC12.corp.ansible.com
scope: domainlocal
- name: Add members to the group, preserving existing membership
microsoft.ad.group:
name: Test Group
scope: domainlocal
members:
add:
- Domain Admins
- Domain Users
- name: Remove members from the group, preserving existing membership
microsoft.ad.group:
name: Test Group
scope: domainlocal
members:
remove:
- Domain Admins
- Domain Users
- name: Replace entire membership of group
microsoft.ad.group:
name: Test Group
scope: domainlocal
members:
set:
- Domain Admins
- Domain Users
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The Returned: always Sample: |
|
The If a new object was created in check mode, a GUID of 0s will be returned. Returned: always Sample: |
|
The Security Identifier (SID) of the group managed. If a new group was created in check mode, the SID will be Returned: always Sample: |