# Test code for win_group_membership # (c) 2017, Andrew Saraceni # # This file is part of Ansible # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . - name: Look up built-in Administrator account name (-500 user whose domain == computer name) raw: $machine_sid = (Get-CimInstance Win32_UserAccount -Filter "Domain='$env:COMPUTERNAME'")[0].SID -replace '(S-1-5-21-\d+-\d+-\d+)-\d+', '$1'; (Get-CimInstance Win32_UserAccount -Filter "SID='$machine_sid-500'").Name check_mode: no register: admin_account_result - set_fact: admin_account_name: "{{ admin_account_result.stdout_lines[0] }}" - name: Remove potentially leftover group members win_group_membership: name: "{{ win_local_group }}" members: - "{{ admin_account_name }}" - Guest - NT AUTHORITY\SYSTEM - NT AUTHORITY\NETWORK SERVICE state: absent - name: Add user to fake group win_group_membership: name: FakeGroup members: - "{{ admin_account_name }}" state: present register: add_user_to_fake_group failed_when: add_user_to_fake_group.changed != false or add_user_to_fake_group.msg != "Could not find local group FakeGroup" - name: Add fake local user win_group_membership: name: "{{ win_local_group }}" members: - FakeUser state: present register: add_fake_local_user failed_when: add_fake_local_user.changed != false or add_fake_local_user.msg != "Could not resolve group member FakeUser" - name: Add fake FQDN domain user win_group_membership: name: "{{ win_local_group }}" members: - FakeUser@domain.fake state: present register: add_fake_fqdn_domain_user failed_when: add_fake_fqdn_domain_user.changed != false or add_fake_fqdn_domain_user.msg != "Could not resolve NetBIOS name for domain domain.fake" - name: Add users to group win_group_membership: &wgm_present name: "{{ win_local_group }}" members: - "{{ admin_account_name }}" - Guest - NT AUTHORITY\SYSTEM state: present register: add_users_to_group - name: Test add_users_to_group (normal mode) assert: that: - add_users_to_group.changed == true - add_users_to_group.added == [admin_account_name, "Guest", "NT AUTHORITY\\SYSTEM"] - add_users_to_group.members == [admin_account_name, "Guest", "NT AUTHORITY\\SYSTEM"] when: not in_check_mode - name: Test add_users_to_group (check-mode) assert: that: - add_users_to_group.changed == true - add_users_to_group.added == [] - add_users_to_group.members == [] when: in_check_mode - name: Add users to group (again) win_group_membership: *wgm_present register: add_users_to_group_again - name: Test add_users_to_group_again (normal mode) assert: that: - add_users_to_group_again.changed == false - add_users_to_group_again.added == [] - add_users_to_group_again.members == [admin_account_name, "Guest", "NT AUTHORITY\\SYSTEM"] when: not in_check_mode - name: Add different syntax users to group (again) win_group_membership: <<: *wgm_present members: - '{{ ansible_hostname }}\{{ admin_account_name }}' - .\Guest register: add_different_syntax_users_to_group_again - name: Test add_different_syntax_users_to_group_again (normal mode) assert: that: - add_different_syntax_users_to_group_again.changed == false - add_different_syntax_users_to_group_again.added == [] - add_different_syntax_users_to_group_again.members == [admin_account_name, "Guest", "NT AUTHORITY\\SYSTEM"] when: not in_check_mode - name: Test add_different_syntax_users_to_group_again (check-mode) assert: that: - add_different_syntax_users_to_group_again.changed == true - add_different_syntax_users_to_group_again.added == [] - add_different_syntax_users_to_group_again.members == [] when: in_check_mode - name: Add another user to group win_group_membership: &wgma_present <<: *wgm_present members: - NT AUTHORITY\NETWORK SERVICE register: add_another_user_to_group - name: Test add_another_user_to_group (normal mode) assert: that: - add_another_user_to_group.changed == true - add_another_user_to_group.added == ["NT AUTHORITY\\NETWORK SERVICE"] - add_another_user_to_group.members == [admin_account_name, "Guest", "NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Test add_another_user_to_group (check-mode) assert: that: - add_another_user_to_group.changed == true - add_another_user_to_group.added == [] - add_another_user_to_group.members == [] when: in_check_mode - name: Add another user to group (again) win_group_membership: *wgma_present register: add_another_user_to_group_again - name: Test add_another_user_to_group_1_again (normal mode) assert: that: - add_another_user_to_group_again.changed == false - add_another_user_to_group_again.added == [] - add_another_user_to_group_again.members == [admin_account_name, "Guest", "NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Remove users from group win_group_membership: &wgm_absent <<: *wgm_present state: absent register: remove_users_from_group - name: Test remove_users_from_group (normal mode) assert: that: - remove_users_from_group.changed == true - remove_users_from_group.removed == [admin_account_name, "Guest", "NT AUTHORITY\\SYSTEM"] - remove_users_from_group.members == ["NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Test remove_users_from_group (check-mode) assert: that: - remove_users_from_group.changed == false - remove_users_from_group.removed == [] - remove_users_from_group.members == [] when: in_check_mode - name: Remove users from group (again) win_group_membership: *wgm_absent register: remove_users_from_group_again - name: Test remove_users_from_group_again (normal mode) assert: that: - remove_users_from_group_again.changed == false - remove_users_from_group_again.removed == [] - remove_users_from_group_again.members == ["NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Remove different syntax users from group (again) win_group_membership: <<: *wgm_absent members: - '{{ ansible_hostname }}\{{ admin_account_name }}' - .\Guest register: remove_different_syntax_users_from_group_again - name: Test remove_different_syntax_users_from_group_again (normal mode) assert: that: - remove_different_syntax_users_from_group_again.changed == false - remove_different_syntax_users_from_group_again.removed == [] - remove_different_syntax_users_from_group_again.members == ["NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Test add_different_syntax_users_to_group_again (check-mode) assert: that: - remove_different_syntax_users_from_group_again.changed == false - remove_different_syntax_users_from_group_again.removed == [] - remove_different_syntax_users_from_group_again.members == [] when: in_check_mode - name: Remove another user from group win_group_membership: &wgma_absent <<: *wgm_absent members: - NT AUTHORITY\NETWORK SERVICE register: remove_another_user_from_group - name: Test remove_another_user_from_group (normal mode) assert: that: - remove_another_user_from_group.changed == true - remove_another_user_from_group.removed == ["NT AUTHORITY\\NETWORK SERVICE"] - remove_another_user_from_group.members == [] when: not in_check_mode - name: Test remove_another_user_from_group (check-mode) assert: that: - remove_another_user_from_group.changed == false - remove_another_user_from_group.removed == [] - remove_another_user_from_group.members == [] when: in_check_mode - name: Remove another user from group (again) win_group_membership: *wgma_absent register: remove_another_user_from_group_again - name: Test remove_another_user_from_group_again (normal mode) assert: that: - remove_another_user_from_group_again.changed == false - remove_another_user_from_group_again.removed == [] - remove_another_user_from_group_again.members == [] when: not in_check_mode