# this won't run in Ansible's integration tests until we get a domain set up # these are here if someone wants to run the module tests locally on their own # domain. # Requirements: # LDAP Base path set in defaults/main.yml like DC=ansible,DC=local # Custom OU path set in defaults/main.yml like OU=ou1,DC=ansible,DC=local --- - name: ensure the test group is deleted before the test win_domain_group: name: '{{test_win_domain_group_name}}' state: absent ignore_protection: True - name: fail pass in an invalid path win_domain_group: name: '{{test_win_domain_group_name}}' state: present organizational_unit: OU=fakeou,{{test_win_domain_group_ldap_base}} register: fail_invalid_path failed_when: fail_invalid_path.msg != 'the group path OU=fakeou,' + test_win_domain_group_ldap_base + ' does not exist, please specify a valid LDAP path' - name: create group with defaults check win_domain_group: name: '{{test_win_domain_group_name}}' scope: global state: present register: create_default_check check_mode: yes - name: get actual group with defaults check win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'" register: create_default_actual_check ignore_errors: True - name: assert create group with defaults checl assert: that: - create_default_check is changed - create_default_actual_check.rc == 1 - name: create group with defaults win_domain_group: name: '{{test_win_domain_group_name}}' scope: global state: present register: create_default - name: get actual group with defaults win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'" register: create_default_actual - name: assert create group with defaults assert: that: - create_default is changed - create_default.category == 'Security' - create_default.description == None - create_default.display_name == None - create_default.distinguished_name == 'CN=' + test_win_domain_group_name + ',CN=Users,' + test_win_domain_group_ldap_base - create_default.group_scope == 'Global' - create_default.guid is defined - create_default.managed_by == None - create_default.name == test_win_domain_group_name - create_default.protected_from_accidental_deletion == False - create_default.sid is defined - create_default_actual.rc == 0 - name: create group with defaults again win_domain_group: name: '{{test_win_domain_group_name}}' scope: global state: present register: create_default_again - name: assert create group with defaults again assert: that: - create_default_again is not changed - name: remove group check win_domain_group: name: '{{test_win_domain_group_name}}' state: absent register: remove_group_check check_mode: yes - name: get actual remove group check win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'" register: remove_group_actual_check - name: assert remove group check assert: that: - remove_group_check is changed - remove_group_actual_check.rc == 0 - name: remove group win_domain_group: name: '{{test_win_domain_group_name}}' state: absent register: remove_group - name: get actual remove group win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'" register: remove_group_actual ignore_errors: True - name: assert remove group assert: that: - remove_group is changed - remove_group_actual.rc == 1 - name: remove group again win_domain_group: name: '{{test_win_domain_group_name}}' state: absent register: remove_group_again - name: assert remove group again assert: that: - remove_group_again is not changed - name: create non default group check win_domain_group: name: '{{test_win_domain_group_name}}' state: present description: Group Description display_name: Group Display Name managed_by: Domain Admins organizational_unit: '{{test_win_domain_group_ou_path}}' category: distribution scope: domainlocal attributes: mail: test@email.com wWWHomePage: www.google.com protect: True register: create_non_default_check check_mode: yes - name: get actual create non default group check win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'" register: create_non_default_actual_check ignore_errors: True - name: assert create non default group check assert: that: - create_non_default_check is changed - create_non_default_actual_check.rc == 1 - name: create non default group win_domain_group: name: '{{test_win_domain_group_name}}' state: present description: Group Description display_name: Group Display Name managed_by: Domain Admins organizational_unit: '{{test_win_domain_group_ou_path}}' category: distribution scope: domainlocal attributes: mail: test@email.com wWWHomePage: www.google.com protect: True register: create_non_default - name: get actual create non default group win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'" register: create_non_default_actual ignore_errors: True - name: assert create non default group assert: that: - create_non_default is changed - create_non_default.category == 'Distribution' - create_non_default.description == 'Group Description' - create_non_default.display_name == 'Group Display Name' - create_non_default.distinguished_name == 'CN=' + test_win_domain_group_name + ',' + test_win_domain_group_ou_path - create_non_default.group_scope == 'DomainLocal' - create_non_default.guid is defined - create_non_default.managed_by == 'CN=Domain Admins,CN=Users,' + test_win_domain_group_ldap_base - create_non_default.name == test_win_domain_group_name - create_non_default.protected_from_accidental_deletion == True - create_non_default.sid is defined - create_non_default.attributes.mail == 'test@email.com' - create_non_default.attributes.wWWHomePage == 'www.google.com' - create_non_default_actual.rc == 0 - name: create non default group again win_domain_group: name: '{{test_win_domain_group_name}}' state: present description: Group Description display_name: Group Display Name managed_by: Domain Admins organizational_unit: '{{test_win_domain_group_ou_path}}' category: distribution scope: domainlocal attributes: mail: test@email.com wWWHomePage: www.google.com register: create_non_default_again - name: assert create non default group again assert: that: - create_non_default_again is not changed - name: try and move group with protection mode on win_domain_group: name: '{{test_win_domain_group_name}}' state: present organizational_unit: CN=Users,{{test_win_domain_group_ldap_base}} register: fail_move_with_protection failed_when: fail_move_with_protection.msg != 'cannot move group ' + test_win_domain_group_name + ' when ProtectedFromAccidentalDeletion is turned on, run this module with ignore_protection=true to override this' - name: modify existing group check win_domain_group: name: '{{test_win_domain_group_name}}' state: present description: New Description display_name: New Display Name managed_by: Administrator organizational_unit: 'CN=Users,{{test_win_domain_group_ldap_base}}' category: security scope: global attributes: mail: anothertest@email.com ignore_protection: True register: modify_existing_check check_mode: yes - name: get actual of modify existing group check win_command: powershell.exe "Import-Module ActiveDirectory; (Get-ADGroup -Identity '{{test_win_domain_group_name}}').DistinguishedName" register: modify_existing_actual_check - name: assert modify existing group check assert: that: - modify_existing_check is changed - modify_existing_actual_check.stdout == 'CN=' + test_win_domain_group_name + ',' + test_win_domain_group_ou_path + '\r\n' - name: modify existing group win_domain_group: name: '{{test_win_domain_group_name}}' state: present description: New Description display_name: New Display Name managed_by: Administrator organizational_unit: CN=Users,{{test_win_domain_group_ldap_base}} category: security scope: global attributes: mail: anothertest@email.com protect: True ignore_protection: True register: modify_existing - name: get actual of modify existing group win_command: powershell.exe "Import-Module ActiveDirectory; (Get-ADGroup -Identity '{{test_win_domain_group_name}}').DistinguishedName" register: modify_existing_actual - name: assert modify existing group assert: that: - modify_existing is changed - modify_existing.category == 'Security' - modify_existing.description == 'New Description' - modify_existing.display_name == 'New Display Name' - modify_existing.distinguished_name == 'CN=' + test_win_domain_group_name + ',CN=Users,' + test_win_domain_group_ldap_base - modify_existing.group_scope == 'Global' - modify_existing.guid is defined - modify_existing.managed_by == 'CN=Administrator,CN=Users,' + test_win_domain_group_ldap_base - modify_existing.name == test_win_domain_group_name - modify_existing.protected_from_accidental_deletion == True - modify_existing.sid is defined - modify_existing.attributes.mail == 'anothertest@email.com' - modify_existing_actual.stdout == 'CN=' + test_win_domain_group_name + ',CN=Users,' + test_win_domain_group_ldap_base + '\r\n' - name: modify existing group again win_domain_group: name: '{{test_win_domain_group_name}}' state: present description: New Description display_name: New Display Name managed_by: Administrator organizational_unit: CN=Users,{{test_win_domain_group_ldap_base}} category: Security scope: global attributes: mail: anothertest@email.com protect: True ignore_protection: True register: modify_existing_again - name: assert modify existing group again assert: that: - modify_existing_again is not changed - name: fail change managed_by to invalid user win_domain_group: name: '{{test_win_domain_group_name}}' state: present scope: global managed_by: fake user register: fail_invalid_managed_by_user failed_when: fail_invalid_managed_by_user.msg != 'failed to find managed_by user or group fake user to be used for comparison' - name: fail delete group with protection mode on win_domain_group: name: '{{test_win_domain_group_name}}' state: absent register: fail_delete_with_protection failed_when: fail_delete_with_protection.msg != 'cannot delete group ' + test_win_domain_group_name + ' when ProtectedFromAccidentalDeletion is turned on, run this module with ignore_protection=true to override this' - name: delete group with protection mode on win_domain_group: name: '{{test_win_domain_group_name}}' state: absent ignore_protection: True register: delete_with_force - name: get actual delete group with protection mode on win_command: powershell.exe "Import-Module ActiveDirectory; Get-ADGroup -Identity '{{test_win_domain_group_name}}'" register: delete_with_force_actual ignore_errors: True - name: assert delete group with protection mode on assert: that: - delete_with_force is changed - delete_with_force_actual.rc == 1 - name: ensure the test group is deleted after the test win_domain_group: name: '{{test_win_domain_group_name}}' state: absent ignore_protection: True