---
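- name: Download gitignore
  when: domain_passwords_shuffle
  block:
    # Write a `.gitignore` containing `*` into `<playbook_dir>/domain/`, the
    # directory the password CSVs are fetched into by the next task block, so
    # the exported plaintext credentials cannot be committed by accident.
    # The content is staged in a temp file on the Windows target and fetched
    # back; the temp file is removed at the end of the block.
    - name: Create gitignore temp file
      ansible.windows.win_tempfile:
        suffix: "gitignore"
        state: file
      register: gitignore_file
    - name: Add * to gitignore
      community.windows.win_lineinfile:
        path: "{{ gitignore_file.path }}"
        line: "*"
    - name: Fetch gitignore
      ansible.builtin.fetch:
        src: "{{ gitignore_file.path }}"
        dest: "{{ playbook_dir }}/domain/.gitignore"
        flat: true
    - name: Delete gitignore
      # Remove the temp file registered above from the Windows target. A
      # POSIX module (`ansible.builtin.file`) pointed at `/tmp/.gitignore`
      # neither runs on a Windows host nor names this file, and would leave
      # it behind, so the Windows module and the registered path are used.
      ansible.windows.win_file:
        path: "{{ gitignore_file.path }}"
        state: absent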
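- name: Shuffle windows passwords
  when: domain_passwords_shuffle
  block:
    # Rotate the password of every AD user object except the account Ansible
    # connects as, export `<user>,<password>` lines to a CSV on the target,
    # fetch that CSV to `<playbook_dir>/domain/`, remove it from the target,
    # and only then rotate the connecting account itself.
    #
    # Kept disabled on purpose: instead of weakening the domain's password
    # policy, the generated passwords are made to satisfy it (see the `min_*`
    # options on the random_string lookup below).
    # - name: Disable password complexity
    #   community.windows.win_security_policy:
    #     section: "System Access"
    #     key: "PasswordComplexity"
    #     value: 0
    - name: Print ansible_user
      ansible.builtin.debug:
        var: ansible_user
    - name: Create random location for passwords csv
      ansible.builtin.set_fact:
        adpasswordfile_suffix: "{{ lookup('community.general.random_string', length=12, special=false) }}"
    - name: Create passwords file
      ansible.windows.win_tempfile:
        suffix: "{{ adpasswordfile_suffix }}"
        state: file
      register: adpasswordfile
    - name: Get the SID for all user accounts as a filter
      microsoft.ad.object_info:
        filter: ObjectClass -eq 'user' -and objectCategory -eq 'Person'
        properties:
          - objectSid
      register: ad_users
    - name: Shuffle through users and change their password
      ansible.builtin.include_tasks:
        file: tasks/shuffle_passwords.yml
      # `when` is already evaluated as Jinja; wrapping it in `{{ }}` only
      # triggers the "templating delimiters in conditional" warning.
      # NOTE(review): `Name` is the object's CN, not its sAMAccountName. If
      # `ansible_user` is a logon name or `DOMAIN\user`, this exclusion never
      # matches and the connecting account is rotated mid-loop -- confirm
      # against the inventory. The included file is not visible here; it
      # should apply the same `no_log`/`min_*` handling as the tasks below.
      when: item.Name != ansible_user
      loop: "{{ ad_users.objects }}"
    - name: Generate password of {{ ansible_user }}
      # Generate only when no password was supplied. `default('')` keeps the
      # condition valid when the variable is not defined at all.
      when: not (domain_admin_password | default(''))
      # The generated value appears in the task result with -v and in
      # callback/log plugins unless `no_log` is set.
      no_log: true
      ansible.builtin.set_fact:
        # Default Windows complexity requires 3 of 4 character classes. A
        # plain alphanumeric draw can miss one (roughly a 1-in-8 chance of no
        # digit at length 12), which makes the password change fail; `min_*`
        # guarantees upper, lower and digits are all present.
        domain_admin_password: "{{ lookup('community.general.random_string', length=12, special=false, min_upper=1, min_lower=1, min_numeric=1) }}"
    - name: Export password of {{ ansible_user }}
      # `line` carries a plaintext credential: keep it out of -v output and
      # callback logs. Same collection as the other win_lineinfile task above
      # rather than relying on the `ansible.builtin.win_lineinfile` redirect.
      no_log: true
      community.windows.win_lineinfile:
        path: "{{ adpasswordfile.path }}"
        line: "{{ ansible_user }},{{ domain_admin_password }}"
    - name: Fetch AD passwords
      ansible.builtin.fetch:
        src: "{{ adpasswordfile.path }}"
        dest: "{{ playbook_dir }}/domain/{{ inventory_hostname if inventory_hostname in domain_localhost else ansible_facts['nodename'] }}.csv"
        flat: true
    - name: Delete passwords file
      # NOTE(review): this runs only on the success path. If a task above
      # fails, the plaintext CSV stays on the target until the play is re-run
      # or the temp directory is cleared -- but it is also the only record of
      # passwords already rotated, so it is not removed blindly on failure.
      ansible.windows.win_file:
        path: "{{ adpasswordfile.path }}"
        state: absent
    - name: Change password of {{ ansible_user }}
      # Deliberately last: any later task that opens a new connection with
      # the old `ansible_password` will fail to authenticate after this.
      # NOTE(review): `name` matches on the object Name; if `ansible_user` is
      # a sAMAccountName or `DOMAIN\user`, use `identity:` instead -- confirm
      # against the microsoft.ad.user documentation.
      microsoft.ad.user:
        name: "{{ ansible_user }}"
        #identity: "{{ item.ObjectGUID }}" # What if two domain users have the same name?
        password: "{{ domain_admin_password }}"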