microsoft.ad.object can't assign attribute PrincipalsAllowedToRetrieveManagedPassword #98

Closed
gpa7407 opened this issue Feb 21, 2024 · 2 comments

Comments

@gpa7407

gpa7407 commented Feb 21, 2024

SUMMARY

I have been trying to set the attribute PrincipalsAllowedToRetrieveManagedPassword for an MSA (msDS-GroupManagedServiceAccount) account. Not sure if this is a bug or a feature request.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.object

ANSIBLE VERSION
ansible [core 2.14.1]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible
  ansible collection location = /ansible/collections:/etc/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
/ansible/collections/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.4.1  
CONFIGURATION
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
CALLBACKS_ENABLED(/etc/ansible/ansible.cfg) = ['profile_tasks']
COLLECTIONS_PATHS(/etc/ansible/ansible.cfg) = ['/ansible/collections', '/etc/ansible']
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT

Windows Server 2022

STEPS TO REPRODUCE
    - name: Get all properties for the specified account using its DistinguishedName
      microsoft.ad.object_info:
        identity: "CN=<**>L,CN=Managed Service Accounts,{{ domain_dn }}"
        properties: "*"

    - name: Create Service Accounts - ansible module
      microsoft.ad.object:
        attributes:
          set:
            PrincipalsAllowedToRetrieveManagedPassword: "<**>"
        name: <**>
        path: "CN=Managed Service Accounts,{{ domain_dn }}"
        protect_from_deletion: true
        state: present
        type: "msDS-GroupManagedServiceAccount"
EXPECTED RESULTS

I expect to set PrincipalsAllowedToRetrieveManagedPassword attribute

ACTUAL RESULTS
TASK [Create Service Accounts - ansible module] ********************************
task path: /ansible/collections/ansible_collections/**/**/playbooks/prep_ad_post.yml:76
Tuesday 20 February 2024  18:48:45 +0000 (0:00:03.119)       0:00:49.050 ****** 
Using module file /ansible/collections/ansible_collections/microsoft/ad/plugins/modules/object.ps1
Pipelining is enabled.
<**IP**> ESTABLISH WINRM CONNECTION FOR USER: <**User**> on PORT <**Port**> TO <**IP**>
EXEC (via pipeline wrapper)
The full traceback is:
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
fatal: [<**Host**>]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: The specified directory service attribute or value does not exist\r\nParameter name: PrincipalsAllowedToRetrieveManagedPassword"
}
@jborean93
Collaborator

The PrincipalsAllowedToRetrieveManagedPassword is a special property/parameter on the New-ADServiceAccount cmdlet and not an actual LDAP attribute. The actual attribute is called msDS-GroupMSAMembership.
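An added example (my own, not code from the issue, the microsoft.ad collection or the ActiveDirectory module docs) showing the relationship the comment above describes: the cmdlet parameter PrincipalsAllowedToRetrieveManagedPassword is a convenience that reads and writes the msDS-GroupMSAMembership attribute, which is a security descriptor whose DACL lists the principals allowed to read the gMSA password. The gMSA name `svc-web`, group `WebServers`, the DNS suffix and the access mask in the SDDL are assumptions for illustration.

```powershell
# Added example, not from the issue or the microsoft.ad collection.
# Assumed names: gMSA "svc-web", group "WebServers", DNS suffix corp.example.
Import-Module ActiveDirectory

$gmsaName     = 'svc-web'
$allowedGroup = 'WebServers'

# 1. Create the gMSA through the cmdlet parameter the issue tried to use.
#    (Requires the KDS root key to already exist in the forest.)
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.corp.example" `
        -PrincipalsAllowedToRetrieveManagedPassword $allowedGroup
}

# 2. Read back both the parameter view and the LDAP attribute behind it.
$acct = Get-ADServiceAccount -Identity $gmsaName `
    -Properties 'msDS-GroupMSAMembership', 'PrincipalsAllowedToRetrieveManagedPassword'

# The attribute is returned as System.DirectoryServices.ActiveDirectorySecurity;
# each ACE in its DACL is one principal allowed to retrieve msDS-ManagedPassword.
$sd = $acct.'msDS-GroupMSAMembership'
$sd.GetSecurityDescriptorSddlForm('Access')   # e.g. D:(A;;0xf01ff;;;S-1-5-21-...-1105)
$sd.Access | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 3. Writing the attribute directly is what the parameter does for you: build a
#    descriptor whose DACL contains exactly the principals that may read the password.
#    0xf01ff (full control) is the mask I assume the cmdlet writes; verify with step 2.
$groupSid = (Get-ADGroup -Identity $allowedGroup).SID.Value
$newSd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$newSd.SetSecurityDescriptorSddlForm("O:SYD:(A;;0xf01ff;;;$groupSid)")
Set-ADServiceAccount -Identity $gmsaName -Replace @{ 'msDS-GroupMSAMembership' = $newSd }

# 4. Confirm the parameter view now reflects the rewritten attribute.
(Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
```

Because every principal in that DACL can read the gMSA's current password, keep the list to the computer accounts or group that actually host the service; an over-broad entry here is an account-takeover path, not just a configuration nit. For the Ansible side, the attribute to target in microsoft.ad.object is msDS-GroupMSAMembership rather than the parameter name; my recollection is that the collection's attributes guide accepts a dictionary value of the form `{type: security_descriptor, value: "<SDDL>"}` for security-descriptor attributes, but check the guide for the installed collection version before relying on that.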

@jborean93
Collaborator

Closing per the above.
