Windows Working Group agenda - Mar-Jun 2017

[nitzmahone]

This agenda has been migrated to a new location: #195

---

The Windows Working Group is focused on improving Ansible's management of Windows hosts. The group meets every week on Tuesdays at 20:00 UTC (see ical)

More information related to the Windows Working Group is available at:
https://github.com/ansible/community/wiki/Windows

Feel free to add your questions to this ticket to be discussed during the upcoming meeting.

After being discussed, raised items are being updated, and after a month resolved items are being hidden from view (but remain accessible).

[gundalow]

Re-moved ansible/ansible#19070 win_file: fix error when creating an existing dir (merged)
Migrated from #150

• nitzmahone has this on his list
• 21 Feb: nitzmahone should be able to get to this later this week (likely Thursday)

[jborean93]

I probably won't be there for the next meeting but I was hoping we could get a view around creating symlinks. Should we be putting that functionality into win_file and add another parameter that specifies the link type or should it be it's own module? The first keeps it similar to the file module but does add some complexity.

Edit: https://meetbot.fedoraproject.org/ansible-meeting/2017-03-28/windows_working_group.2017-03-28-00.00.log.html
I will create a PR to include the symlink utils in the win_file module to keep things consistent with the file module

Edit: ansible/ansible#23119

[dagwieers]

---

The below list is no longer maintained.
We have moved stuff over to the Ansible community wiki at:

• https://github.com/ansible/community/wiki/Windows

---

Migrated from #152

• Cleaning up the existing Windows modules (see Wiki)
  • Ensure all modules have integration tests (before v2.4)
  • Ensure all modules are idempotent, implement check-mode and diff support where possible
• Select a reference Windows module Select a reference Windows module for the documentation ansible#20505 (before London)
• Improve the existing Windows documentation Client certificate authentication with WinRM needs documentation ansible#16243 Documentation for configuring Windows management is missing 'ntlm' ansible#17311 Documentation - Windows Support page needs an update to show pykerberos ansible#19623 List of core modules working with Windows is displayed as a line ansible#20696 Docs: template vs win_template (on Windows) ansible#21128
  • compare feature-completeness between win_ modules and their python variant (see Wiki)
  • reference windows-variants in python module, and vice versa (before v2.4) Mutually reference Windows and non-Windows modules ansible#25482
  • improve module development checklist for Windows (before v2.4)
• Improvements to ConfigureRemoteingForAnsible.ps1 ConfigureRemotingForAnsible.ps1 and upgrade_to_ps3.ps1 chicken/egg problem ansible#10509 Ansible : Windows SSL certification installation. ansible#14387 RSA 1024 to RSA 4096 ansible#17378
• Implement native newline sequence for win_template Windows: Use the correct newline sequence for the platform ansible#21846
• Issue/PR triage (lots of bugs are waiting for feedback or PRs for review)
  • Open PRs:
    • Repository ansible/ansible (before v2.4 as to close known issues)
    • Repository ansible/ansible-modules-core
    • Repository ansible/ansible-modules-extras
  • Open issues:
    • Repository ansible/ansible
    • Repository ansible/ansible-modules-core
    • Repository ansible/ansible-modules-extras (before London)
• Running Ansible on Windows (WSL) as control master Windows: Add Windows Subsystem for Linux documentation ansible#23515
• How to support DSC best ? New module: win dsc ansible#24872
• Clean up Windows roles
• Using SSH as a transport for Windows Powershell over SSH ansible#25344
• Using Powershell on Unix/Linux (for DSC resources)
• Decide what to do wrt. group policies (on standalone systems, driving AD ?)
• Decide what to do with functional lists of registry keys (i.e. some have been proposed as modules win_scheduled_task, added hourly and interval options, update bug fix ansible#20992 (comment))
• Powershell coding style and CI testing Checkstyle Standards for Powershell Modules proposals#63
  • Implement in Shippable
  • Discuss configuration/rules
• Windows coverage support

[dagwieers]

During next meeting I would like to discuss a structured way of doing idempotency and check-mode testing (all-in-one) for all the Windows modules. I also put it on the TWG agenda so hopefully there is an agreement by next meeting about this. #114 (comment)

Implemented in: ansible/ansible#22833 (merged)

[daBONDi]

I would like to make a feature suggession for the powershell.ps1

Include Powershell Transcript function for Executing Powershell Scripts

It would be easier to debug PS Module errors when executing on remote machines
https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.host/start-transcript

I used it for some debugging purpose on Modules that are not working correctly

Maybe with Options -vvv

Transcript starting for all Powershell Scripts and output file is moved over to control host and get displayed

Update (nitzmahone): We've got something better in mind- we're already getting all 5 streams of output on the controller, and live. "Intermediate module output" is a thing we've been kicking around for awhile- hardest part is organizing it if you've got more than one host executing in parallel.
Update 2017-7-12: Moved item to action plan.

[gundalow]

Ansible 2.3 RC1 has been released for testing
Please see https://groups.google.com/forum/#!topic/ansible-devel/V2ESSQqLnS0 for details
We would appreciate your help testing.
Any issues, please raise at https://github.com/ansible/ansible/issues/new
Thanks!

[akcrisp]

Hi Can you confirm if support for Windows Desired State Config (DSC) is being planned ?

Thanks

UPDATE (nitzmahone): trond will be doing a PR to include his win_dsc module in the 2.4 timeframe, which will allow for dynamic execution of arbitrary DSC resources from Ansible. (PR merged for 2.4)

[seljuck]

Are there any plans to control Active Directory?
For example

Add/Edit/Delete Organizational Units
Add/Edit/Delete Security Groups
Add/Edit/Delete Users and Computers
Add/Edit/Delete Group Policy Objects

Thanks

[jhawkesworth]

Bug fixing.
There are around 40 open bugs against windows things at the moment (ignoring feature ideas and things awaiting info from issue owners)

https://github.com/ansible/ansible/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aopen%20label%3Awindows%20-label%3Aneeds_info%20-label%3Afeature_idea%20

Can we, the community (i.e. not @nitzmahone ) divide these up at all and see if we can squash as many bugs as possible before 2.3 completes?
I'm looking a win_regedit one at the moment - ansible/ansible#18880
and after that I play to tackle ansible/ansible#22871 and ansible/ansible#21128

Does anyone else have time for a 'bug push' - if so what things do you want to tackle so we don't wind up tackling the same things?

Update: We are now doing sprints to tackle this problem.

[jhawkesworth]

Reminder to ask how others are debugging while we are in the (temporary) position of not being able to use ANSIBLE_KEEP_REMOTE_FILES=1 for windows modules at the moment.

Update: You can now use ANSIBLE_KEEP_REMOTE_FILES=1 in latest 2.4 devel.

[jhawkesworth]

@seljuck - I wonder if it might be possible to use https://docs.ansible.com/ansible/ldap_entry_module.html and https://docs.ansible.com/ansible/ldap_attr_module.html to do some of the things you want to do? Since they are wrappers for python-ldap and there are examples around of people connecting to Active Directory using it - see https://blog.thomastoye.be/python-ldap-authentication-with-microsoft-active-directory-46661bebc483#.ikll25llj for example - then it might be worth trying out.

[seljuck]

@jhawkesworth Thanks for the info on the ldap module for Ansible. Based on a quick review it doe look like it would work. But I would need to know all the internal attributes that Active Directory creates for each object. While this is all doable it's much more then I was hoping to get into. I was looking for the simplicity that Ansible has brought to other modules I work with.

I am curious if Windows Desired State Config (DSC) can be used for this as well, that would kill two birds with one stone.

[gundalow]

Ansible 2.3 RC3 has been released https://groups.google.com/forum/#!topic/ansible-devel/X8sYLl-ZuTY
We welcome your feedback, after all, we can only fix what we know is broken. If you spot any issues please raise via https://github.com/ansible/ansible/issues/new
Thanks again for your help

[jborean93]

One thing that I am hoping we can discuss at the next UG is around desired formatting of powershell code. Some questions/standards I am hoping we can decide on would be around

1. Indenting and braces, I've seen modules written in C# style and other in more of a Python style, do we want to enforce a particular standard
2. Using pipelines in functions, do we want to allow this or frown upon it if possible to keep things similar to Python
3. Variable definitions, camelCase, CamelCase2, under_scores or any other standards
4. Aliases, should we support things like rm or try and use the full cmdlet name like Remove-Item
5. Command Parameters keys, do we want to try and enforce stating the key and value or allow using just the variables, i.e. New-Item C:\ansible vs New-Item -Path C:\ansible

Personally I want to keep things as similar to Python as possible, not use aliases, pipelines and staging parameter keys but happy for other peoples thoughts. There are probably more which I'm not thinking off but happy to discuss it futher.

Update (nitzmahone): jborean93 to propose strawman community-enforceable coding standards, to be discussed at a future WWG meeting
Update 2017-07-12: Moved item to action plan.

[dagwieers]

The documentation still states that Ansible is not supported on a Windows control machine. However, it works fine on Windows 10's Subsystem for Linux (WSL). The installation is identical to Linux (because it basically is Linux) although the version Ansible/WinRM in Ubuntu 16.04 is rather old, we need to rely on python pip or git for newer versions. (not different from the current documentation at that)

Since Ansible on WSL lowers the bar for Windows admins, I would open up the documentation to the possibility of running Ansible on WSL, and basically stating that WSL is just Linux on top of Windows.

I have the documentation prepared for something like this already.

<>
sudo apt-get install python-pip
pip install pywinrm
git clone https://github.com/ansible/ansible.git
source ansible/hacking/env-setup

UPDATE (nitzmahone): dagwieers to propose verbiage (with lots of caution tape) that it works under WSL for dev/test purposes, but not "supported" and recommended for production use (as Microsoft itself says re:WSL).

Implemented in: ansible/ansible#23515 (merged)

[dagwieers]

For the new win_route module (ansible/ansible#23405) there is some uncertainty on how to handle ip-address and netmask information. Mostly because the route command and the Powershell interface do it differently, but also because other modules do it differently too.
So maybe we do want to have a standard way for doing this in Windows modules ?

cc: @dlazz

UPDATE (nitzmahone): discussed "CIDR by default" and possibility of future module_utils support to convert between CIDR/netmask formats as necessary.

Update: The win_route module as been adapted: ansible/ansible#23405
Update: Merged!

[gundalow]

Ansible 2.3.0 FINAL has been released. Thank you for all your help with this release
https://groups.google.com/forum/#!topic/ansible-project/aKnggI-Y8dk

For Windows:

• Pipelining support for faster module execution (20-50% performance boost for many modules).
• Support for the "runas" become method to execute as a different user and allow for transparent second-hop authentication in many cases.
• Many other improvements for existing WIndows modules such as check mode, and other fixes for the winrm connection type.
• Fourteen new modules, including:
  • win_domain
  • win_domain_controller
  • win_domain_membership
  • win_path
  • win_region
  • win_shortcut

[dagwieers]

Can we evaluate:

• Windows: Small fix to Add-Warning and Add-DeprecationWarning ansible#23520
• win_psexec: Enable -nobanner option by default ansible#23422
• win_firewall_rule: Implement idempotency, check-mode and diff support ansible#23162
• windows: Various small documentation fixes ansible#23138
• powershell: Add support for list parameters ansible#23131

And maybe this:

• Windows: Make winrm connection output less verbose ansible#21898

Although you probably have better ideas for this one. Although I had hoped this was ok for v2.3.

[gundalow]

Ansible 2.2.3 FINAL released, 2.1.6rc1 and 2.3.1rc1 available for testing

All of these releases address at least one CVE (listed below). Users of 2.2.x should upgrade to 2.2.3 as soon as possible. The CVE impacting 2.1.x and 2.3.0 is MODERATE in nature, however users should look to upgrade as soon as the final releases are done.

https://groups.google.com/forum/#!topic/ansible-devel/etlpnJDerY0

[jhawkesworth]

Anything else needed to push this to the line:

ansible/ansible#23559 and ansible/ansible#23581
win_copy folder fix - anything else needed or can this be cherry picked to 2.3.1 (I know I missed first RC).
Or can we do a 2.3.2 and try to get the others here https://github.com/ansible/ansible/issues?utf8=%E2%9C%93&q=is%3Aopen%20milestone%3A2.3.0%20label%3Awindows in?
(merged and cherry-picked to stable-2.3 for 2.3.1rc2)

[jhawkesworth]

Also - https://groups.google.com/forum/#!topic/ansible-devel/PEus1yp08h0 - is there anything we can do without analogous arg specification for windows modules? I haven't dug into the code but I get the impression its the controller side that is handling the no_log of individual params. Happy to take a stab at this if there's a good direction to go in. (OP misunderstood diff between control-side no_log and module arg-level no_log)

[dagwieers]

New windows modules waiting for review/feedback:

• win_wait_for: win_wait_for: added module ansible#26556
• win_xml: win_xml module for manipulating XML files on Windows ansible#26404
• win_security_policy: win_secedit: Added module with tests/diff mode ansible#26332 new in v2.4
• win_group_member: New Module: Manage Windows local group membership (win_group_member) ansible#26307
• win_user_right: win_user_right: add module with tests ansible#26276
• win_wakeonlan: win_wakeonlan: New module to send Wake-On-Lan packets ansible#26232 new in v2.4
• win_certificate: New module 'win_certificate' ansible#25837
• win_pagefile: Adds win_pagefile module ansible#25605
• win_dsc: New module: win dsc ansible#24872 new in v2.4
• win_domain_user: New module: Add module or managing Windows Active Directory users (windows/win_domain_user) ansible#24075
• win_psmodule: New module: Add module to install/remove/register/unregiser windows powershell modules (windows/win_psmodule) ansible#23604 new in v2.4
• win_route: New module: Add module to add/remove a network static route on windows (windows/win_route) ansible#23405 new in v2.4
• win_firewall: New module: Add module to manage Windows Firewall (windows/win_firewall) ansible#23224 new in v2.4
• win_defrag: New module: Add module to defragment Windows local volumes (windows/win_defrag) ansible#23140 new in v2.4
• win_domain: [WIP] initial commit of win_domain module ansible#22179 new in v2.3
• win_disk_image: [WIP] initial commit of win_disk_image ansible#22175 new in v2.3
• win_domain_controller: initial commit of win_domain_controller ansible#22115 new in v2.3
• win_domain_membership: initial commit of win_domain_membership module ansible#22027 new in v2.3
• win_dns_client: initial commit of win_dns_client module ansible#22016 new in v2.3
• win_msg: Add win_msg module  ansible#22008 new in v2.3
• win_tempfile: win_tempfile: New module implementing tempfile on Windows ansible#21623 new in v2.3
• win_shortcut: win_shortcut: Create, manage, remove Windows shortcuts ansible#20164 new in v2.3
• win_psexec: win_psexec: execute cmds on remote systems as any user ansible#20141 new in v2.3
• win_path: New Module: win_path ansible#20073 new in v2.3
• win_region: Win region module ansible#19147 new in v2.3
• win_reg_stat: Win reg stat module ansible#19145 new in v2.3
• win_find: Added win_find module ansible#19144 new in v2.3
• win_say: Win say ansible-modules-extras#2866 new in v2.3

Once merged, please add to CHANGELOG.md !

[dagwieers]

I have been reviewing a lot of the old issues on:

• ansible-modules-core
• ansible-modules-extras

And it seems both win_robocopy and the win_iis* modules need some more love to close a few more issues. Maybe we could get in contact with the authors to get them involved again ?

Most of the older issues require retesting because of various improvements we made the past few months.

[dagwieers]

We discussed using a Github Project or the Github Wiki for tracking Windows-related progress and distributing some of the bug triage/review/documentation work. Eventually we can get rid of those action-list comments, and Etherpad.

@nitzmahone We wanted a location to collaborate on WWG meeting agenda's, TODO lists, project progress and possibly an example library (DSC, registry, etc.). I am not sure how read-only collaborators will help for any of this.
@nitzmahone will set up a Wiki space for the WWG to collaborate and access to everyone involved in the WWG or Windows modules.
Update 2017-06-22: It was decided we are going to leverage the ansible/community wiki for doing progress tracking and collaboration. @gregdek !

[jborean93]

YFW you realise the meetings were last week and not this week

[jborean93]

Hoping to get some guidance from the others around this PR ansible/ansible#22775

I was first going to just make the changes myself and try and get it merged in as is but as I am going through it I think it should be split up into separate modules. Instead of one module to set the parameters in exported by secedit I am thinking of creating a module for the following;

* Keep the module as is to do raw editing of this file for the extra stuff
* One to configure the user/privilege rights - add/remove/set users/groups to a right
* One to configure the Event Audit policies - set non/success/failure for an audit event

Unfortunately there might be some shared code between the 3 and I am wary of splitting up a module if the process is similar but I personally think 1 and 2 are nice not 100% sure of 3. Does anyone else have any thoughts?
(Jordan to implement as separate module)

[gundalow]

Ansible Contributor Summit 4 (Part of AnsibleFest 2017 London)

We are happy to announce our fourth Ansible Contributors Summit!
AnsibleFest London (http://www.ansible.com/ansiblefest) will be on Thursday 22nd June, and the Contributor Summit will be held on Wednesday 21st June, from 9:30am to 4pm (time subject to change).

Contributors Summit is a day-long working session with the core team and key contributors to discuss important issues affecting the Ansible community. You can participate in person or online

Proposed topics: https://public.etherpad-mozilla.org/p/ansible-summit-june-2017

See https://groups.google.com/forum/#!topic/ansible-devel/stUITiM6hMs for more info

[jborean93]

I apologise for delaying this for so long but I've finally found some time to work on the standards stuff we talked about a month ago or so. I've raised a proposal for this ansible/proposals#63 and I hope you guys can have a good look and give your thoughts. I'm happy to provide more info if required but I believe the rules I have set out are fair and keep us more consistent with Python but will see what you think.

Update 2017-07-12: This needs to be implemented in Shippable CI, moved item to action plan.

[dagwieers]

I would like to discuss the documentation updates to reference non-Windows and Windows modules.
ansible/ansible#25482

Update 2017-06-09: @nitzmahone to check with core/docs folks if they have any objection
Update 2017-06-22 Everyone signed off on it, so it now needs to be merged
Update 2017-09-20 Implemented in ansible/ansible#30588

[dagwieers]

For the win_uri module we would need a basic webserver to test against (this is how Python is doing it). ansible/ansible#25420

Is anyone interested in writing this in Powershell, or do we look for something else ?
cc: @gundalow @mattclay

Update 2017-06-09: @nitzmahone prefers to use something lightweight/builtin, so a bespoke HttpListener-based test server is still probably our best bet.
Update 2017-06-22: An idea coined was to use httptester (docker), requires to open up the docker network for VMs first (@mattclay) Moved item to action plan.

[dagwieers]

WinRM and Connection refused issues, what can we do to make this recoverable ?
ansible/ansible#25532

cc: @jborean93

Update 2017-06-09: @dagwieers to try and get a solid repro of this using Ansible, then we'll look at possible code changes to pywinrm to silently retry in "connection refused" case
Update 2017-06-12: Repro using SCVMM installer add to ansible/ansible#25532
Update 2017-06-17 @dagwieers has a working implementation doing retries

[dagwieers]

Item raised during the meeting to move the meetings around so in Europe (CEST) we don't have a meeting either at 2AM or 18:30PM (on Friday).

Update: Meeting was moved to weekly at 20:00PM UTC. Calendar, MEETINGS.md and WWG updated.

[dagwieers]

We now have an IRC channel #ansible-windows for closer collaboration or support.

Update: This is now documented in the Windows Working Group info.

[gundalow]

Ansible Contributor Summit 4 (Part of AnsibleFest 2017 London)

Agenda for Contributor Summit has finalised can be found at https://public.etherpad-mozilla.org/p/ansible-summit-june-2017-agenda.

As a reminder, it will be in #ansible-meeting and BlueJeans

Note that there are sub pages for each topic. It's on the sub pages where you can add any topics there, rather than on the main agenda page.

[nitzmahone]

NO WWG MEETINGS WEEK OF JUNE 18-24 (AnsibleFest London + Contributor Summit)

Next meeting June 27/28

[nitzmahone]

~So long as we can corner somebody with owner privs to turn it on on our repo (it's currently disabled, not sure if that's on purpose).~

[nitzmahone]

With the new weekly schedule, might as well start it this week... The new meeting time falls on a US holiday next week (July 4), but if @jborean93 or someone else with #ansible-windows channel ops is willing to run it, no reason to cancel. (I will be eating BBQ, apple pie, and blowing things up)

https://s-media-cache-ak0.pinimg.com/736x/8d/34/e2/8d34e2b76e4d26ab9708699f7d101b1a--simpsons-funny-los-simpsons.jpg

[jborean93]

I've got a fun 2 days at orientation Tuesday and Wednesday next week so won't be able to do it as well. Looks like we have a week off.

[dagwieers]

We are planning a Windows sprint on 2017-07-04 instead of the meeting. Now, we may decide to do this earlier than the scheduled meeting time since all participants are close to UTC (@jhawkesworth, @trondhindenes, @gundalow, @dagwieers)

Preliminary sprint agenda is at: https://github.com/ansible/community/wiki/Windows:-sprints

[jborean93]

There are some PR's and Issues around adding/fixing facts for the Windows side, was hoping we can come to a consensus around how we want to handle them (the below are just some brief ones I've found)

Issues:

• Can windows setup have disk info like linux? ansible#25993
• windows setup use async has problem ansible#25952
• Can windows setup has mac address like linux? ansible#25748

PRs:

• Adds hotfix id and caption to windows facts ansible#25917
• Add mac address to windows facts ansible#25803
• Add Windows AD Domain facts for membership and server type ansible#23500

Update 2017-07-12: We decide to list the various missing/new facts in the Wiki and then take it from there. Moved item to action plan.

[dagwieers]

So none of the Windows file-manipulating modules have backup: support (e.g. win_copy, win_template, win_lineinfile), now the new win_xml module comes with this option, and we should implement this in the same way for the other modules. @richardcs is willing to look at this and report back

See: ansible/ansible#26404 (comment) and the python implementation at: https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/basic.py#L2208

Update 2017-07-12: We decided @richardcs can propose an implementation based on the python code, which will then be merged into the revamped module_utils for Powershell when it is ready. Moved item to action plan.

[dagwieers]

We probably should discuss the Windows Sprint 1 to learn from it. I already listed a few things from the top of my hat: https://github.com/ansible/community/blob/master/SPRINTS.md#best-practices

But new ideas and feedback is very welcome.

[dagwieers]

We have prepared documentation related to Windows paths and how Ansible works with quoting and backslashes. This documentation currently lives in the Wiki and we have a set of integration tests at ansible/ansible#26490, but we may want to move the docs to a PR so we can use the normal review process. Feedback welcome.

Update 2017-07-12: Move this to a PR to the documentation. Moved item to action plan.

[dagwieers]

We need a discussion about the use of Test-Path -LiteralPath for modules. Most modules are now allowing for globs in their tests where they probably should not. But how would we handle globs from Get-AnsibleParam when using type="path" ? Is there a need for this ?

[EDIT: nitzmahone]: -LiteralPath didn't seem to make any difference in any of the scenarios that use -IsValid, so we need to decide how/if to handle paths with globs, as well as paths with invalid (at validation time) drive letters: ansible/ansible#26623
[EDIT: dagwieers]: This comment was not related to the -IsValid changes, but more general for all modules.

Update 2017-07-12: Create integration tests to prove the issue and scope, then fix modules individually. Moved item to action plan.

[jborean93]

Floating around the idea of creating a diagnostic script which users can run manually on their Windows servers. This script will check the current WinRM configuration for common issues like

    General
        Encryption level and if a HTTPS listener exists
    HTTPS/Certificate Checks
        NETWORK SERVICE can read the certificate
        CN matching hostname
        Subject Alternative names
        Expiry Date
        Signature Algorithm (for channel binding diagnostics)
    NTLM
        LmCompatibilityLevel
    CredSSP
        Value for winrm/config/service/CertificateThumbprint and that NETWORK SERVICE can access it
        TLS version supported by Windows
    Kerberos
        DNS stuff
        setspn -q ....

This can help us by being able to easily point users to a script that will either show warning or error messages that we know are problematic as well as giving us more info to help debug issues for users.

Update 2017-07-12: This idea was approved by everyone. Moved item to action plan.

[jborean93]

Another thing to add to the agenda, we have a few modules that deal with converting usernames/groups to SIDs and a question has come up around the forms we want to handle. Currently there are 2 PRs out there which handle it in one form or another

ansible/ansible#26276 and ansible/ansible#26307 accepts similar forms except 26276 allows you to specify service accounts like SYSTEM, NETWORK SERVICE without specifying NT AUTHORITY while 26307 requires you to set NT AUTHORITY. There is also a minor different in how it handles local users on a DC but I don't think local users really apply on DCs.

I am hoping we can come to a consensus around this so when the modular utils are online we can have a consistent way Ansible can parse usernames and groups to a SID. @andrewsaraceni

Update 2017-07-12: Consensus was that service accounts don't need NT AUTHORITY\ prepended for convenience. Moved item to action plan.

[dagwieers]

---

This agenda has been migrated to a new location: #195

---