# Test code for win_group_membership # Copyright: (c) 2017, Andrew Saraceni # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - name: Look up built-in Administrator account name (-500 user whose domain == computer name) raw: $machine_sid = (Get-CimInstance Win32_UserAccount -Filter "Domain='$env:COMPUTERNAME'")[0].SID -replace '(S-1-5-21-\d+-\d+-\d+)-\d+', '$1'; (Get-CimInstance Win32_UserAccount -Filter "SID='$machine_sid-500'").Name check_mode: no register: admin_account_result - set_fact: admin_account_name: "{{ admin_account_result.stdout_lines[0] }}" - name: Remove potentially leftover group members win_group_membership: name: "{{ win_local_group }}" members: - "{{ admin_account_name }}" - "{{ win_local_user }}" - NT AUTHORITY\SYSTEM - NT AUTHORITY\NETWORK SERVICE state: absent - name: Add user to fake group win_group_membership: name: FakeGroup members: - "{{ admin_account_name }}" state: present register: add_user_to_fake_group failed_when: add_user_to_fake_group.changed != false or add_user_to_fake_group.msg != "Could not find local group FakeGroup" - name: Add fake local user win_group_membership: name: "{{ win_local_group }}" members: - FakeUser state: present register: add_fake_local_user failed_when: add_fake_local_user.changed != false or add_fake_local_user.msg is not search("account_name FakeUser is not a valid account, cannot get SID.*") - name: Add users to group win_group_membership: &wgm_present name: "{{ win_local_group }}" members: - "{{ admin_account_name }}" - "{{ win_local_user }}" - NT AUTHORITY\SYSTEM state: present register: add_users_to_group - name: Test add_users_to_group (normal mode) assert: that: - add_users_to_group.changed == true - add_users_to_group.added == ["{{ ansible_hostname }}\\{{ admin_account_name }}", "{{ ansible_hostname }}\\{{ win_local_user }}", "NT AUTHORITY\\SYSTEM"] - add_users_to_group.members == ["{{ ansible_hostname }}\\{{ admin_account_name }}", "{{ ansible_hostname }}\\{{ win_local_user }}", "NT AUTHORITY\\SYSTEM"] when: not in_check_mode - name: Test add_users_to_group (check-mode) assert: that: - add_users_to_group.changed == true - add_users_to_group.added == [] - add_users_to_group.members == [] when: in_check_mode - name: Add users to group (again) win_group_membership: *wgm_present register: add_users_to_group_again - name: Test add_users_to_group_again (normal mode) assert: that: - add_users_to_group_again.changed == false - add_users_to_group_again.added == [] - add_users_to_group_again.members == ["{{ ansible_hostname }}\\{{ admin_account_name }}", "{{ ansible_hostname }}\\{{ win_local_user }}", "NT AUTHORITY\\SYSTEM"] when: not in_check_mode - name: Add different syntax users to group (again) win_group_membership: <<: *wgm_present members: - '{{ ansible_hostname }}\{{ admin_account_name }}' - '.\{{ win_local_user }}' register: add_different_syntax_users_to_group_again - name: Test add_different_syntax_users_to_group_again (normal mode) assert: that: - add_different_syntax_users_to_group_again.changed == false - add_different_syntax_users_to_group_again.added == [] - add_different_syntax_users_to_group_again.members == ["{{ ansible_hostname }}\\{{ admin_account_name }}", "{{ ansible_hostname }}\\{{ win_local_user }}", "NT AUTHORITY\\SYSTEM"] when: not in_check_mode - name: Test add_different_syntax_users_to_group_again (check-mode) assert: that: - add_different_syntax_users_to_group_again.changed == true - add_different_syntax_users_to_group_again.added == [] - add_different_syntax_users_to_group_again.members == [] when: in_check_mode - name: Add another user to group win_group_membership: &wgma_present <<: *wgm_present members: - NT AUTHORITY\NETWORK SERVICE register: add_another_user_to_group - name: Test add_another_user_to_group (normal mode) assert: that: - add_another_user_to_group.changed == true - add_another_user_to_group.added == ["NT AUTHORITY\\NETWORK SERVICE"] - add_another_user_to_group.members == ["{{ ansible_hostname }}\\{{ admin_account_name }}", "{{ ansible_hostname }}\\{{ win_local_user }}", "NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Test add_another_user_to_group (check-mode) assert: that: - add_another_user_to_group.changed == true - add_another_user_to_group.added == [] - add_another_user_to_group.members == [] when: in_check_mode - name: Add another user to group (again) win_group_membership: *wgma_present register: add_another_user_to_group_again - name: Test add_another_user_to_group_1_again (normal mode) assert: that: - add_another_user_to_group_again.changed == false - add_another_user_to_group_again.added == [] - add_another_user_to_group_again.members == ["{{ ansible_hostname }}\\{{ admin_account_name }}", "{{ ansible_hostname }}\\{{ win_local_user }}", "NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Remove users from group win_group_membership: &wgm_absent <<: *wgm_present state: absent register: remove_users_from_group - name: Test remove_users_from_group (normal mode) assert: that: - remove_users_from_group.changed == true - remove_users_from_group.removed == ["{{ ansible_hostname }}\\{{ admin_account_name }}", "{{ ansible_hostname }}\\{{ win_local_user }}", "NT AUTHORITY\\SYSTEM"] - remove_users_from_group.members == ["NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Test remove_users_from_group (check-mode) assert: that: - remove_users_from_group.changed == false - remove_users_from_group.removed == [] - remove_users_from_group.members == [] when: in_check_mode - name: Remove users from group (again) win_group_membership: *wgm_absent register: remove_users_from_group_again - name: Test remove_users_from_group_again (normal mode) assert: that: - remove_users_from_group_again.changed == false - remove_users_from_group_again.removed == [] - remove_users_from_group_again.members == ["NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Remove different syntax users from group (again) win_group_membership: <<: *wgm_absent members: - '{{ ansible_hostname }}\{{ admin_account_name }}' - '.\{{ win_local_user }}' register: remove_different_syntax_users_from_group_again - name: Test remove_different_syntax_users_from_group_again (normal mode) assert: that: - remove_different_syntax_users_from_group_again.changed == false - remove_different_syntax_users_from_group_again.removed == [] - remove_different_syntax_users_from_group_again.members == ["NT AUTHORITY\\NETWORK SERVICE"] when: not in_check_mode - name: Test add_different_syntax_users_to_group_again (check-mode) assert: that: - remove_different_syntax_users_from_group_again.changed == false - remove_different_syntax_users_from_group_again.removed == [] - remove_different_syntax_users_from_group_again.members == [] when: in_check_mode - name: Remove another user from group win_group_membership: &wgma_absent <<: *wgm_absent members: - NT AUTHORITY\NETWORK SERVICE register: remove_another_user_from_group - name: Test remove_another_user_from_group (normal mode) assert: that: - remove_another_user_from_group.changed == true - remove_another_user_from_group.removed == ["NT AUTHORITY\\NETWORK SERVICE"] - remove_another_user_from_group.members == [] when: not in_check_mode - name: Test remove_another_user_from_group (check-mode) assert: that: - remove_another_user_from_group.changed == false - remove_another_user_from_group.removed == [] - remove_another_user_from_group.members == [] when: in_check_mode - name: Remove another user from group (again) win_group_membership: *wgma_absent register: remove_another_user_from_group_again - name: Test remove_another_user_from_group_again (normal mode) assert: that: - remove_another_user_from_group_again.changed == false - remove_another_user_from_group_again.removed == [] - remove_another_user_from_group_again.members == [] when: not in_check_mode