File: //lib/python3.9/site-packages/ansible_collections/microsoft/ad/plugins/modules/computer.py
# -*- coding: utf-8 -*-
# Copyright: (c) 2023, Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
DOCUMENTATION = r"""
---
module: computer
short_description: Manage Active Directory computer objects
description:
- Manages Active Directory computer objects and their attributes.
options:
delegates:
description:
- The principal objects that the current AD object can trust for
delegation to either add, remove or set.
- The values for each sub option must be specified as a distinguished name
C(CN=shenetworks,CN=Users,DC=ansible,DC=test)
- This is the value set on the C(msDS-AllowedToActOnBehalfOfOtherIdentity)
LDAP attribute.
- This is a highly sensitive attribute as it allows the principals
specified to impersonate any account when authenticating with the AD
computer object being managed.
- To clear all principals, use I(set) with an empty list.
- See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values)
for more information on how to add/remove/set list options.
aliases:
- principals_allowed_to_delegate
type: dict
suboptions:
add:
description:
- The AD objects by their C(DistinguishedName) to add as a principal
allowed to delegate.
- Any existing principals not specified by I(add) will be untouched
unless specified by I(remove) or not in I(set).
type: list
elements: str
remove:
description:
- The AD objects by their C(DistinguishedName) to remove as a principal
allowed to delegate.
- Any existing pricipals not specified by I(remove) will be untouched
unless I(set) is defined.
type: list
elements: str
set:
description:
- The AD objects by their C(DistinguishedName) to set as the only
principals allowed to delegate.
- This will remove any existing principals if not specified in this
list.
- Specify an empty list to remove all principals allowed to delegate.
type: list
elements: str
dns_hostname:
description:
- Specifies the fully qualified domain name (FQDN) of the computer.
- This is the value set on the C(dNSHostName) LDAP attribute.
type: str
enabled:
description:
- C(yes) will enable the group.
- C(no) will disable the group.
type: bool
kerberos_encryption_types:
description:
- Specifies the Kerberos encryption types supported the AD computer
account.
- This is the value set on the C(msDS-SupportedEncryptionTypes) LDAP
attribute.
- Avoid using C(rc4) or C(des) as they are older an insecure encryption
protocols.
- To clear all encryption types, use I(set) with an empty list.
- See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values)
for more information on how to add/remove/set list options.
type: dict
suboptions:
add:
description:
- The encryption types to add to the existing set.
- Any existing encryption types not specified by I(add) will be
untouched unless specified by I(remove) or not in I(set).
choices:
- aes128
- aes256
- des
- rc4
type: list
elements: str
remove:
description:
- The encryption types to remove from the existing set.
- Any existing encryption types not specified by I(remove) will be
untouched unless I(set) is defined.
choices:
- aes128
- aes256
- des
- rc4
type: list
elements: str
set:
description:
- The encryption types to set as the only encryption types allowed
by the AD computer.
- This will remove any existing encryption types if not specified in
this list.
- Specify an empty list to remove all encryption types.
choices:
- aes128
- aes256
- des
- rc4
type: list
elements: str
location:
description:
- Sets the location of the computer account.
- This is the value set on the C(location) LDAP attribute.
type: str
managed_by:
description:
- The user or group that manages the object.
- The value can be in the form of a C(distinguishedName), C(objectGUID),
C(objectSid), or sAMAccountName).
- This is the value set on the C(managedBy) LDAP attribute.
type: str
sam_account_name:
description:
- The C(sAMAccountName) value to set for the group.
- If omitted, the I(name) value is used when creating a new group.
- It has a maximum of 256 characters, 15 is advised for older
operating systems compatibility.
- If ommitted the value is the same as C(name$) when the computer is
created.
- Note that all computer C(sAMAccountName) values need to end with a C($).
- If C($) is omitted, it will be added to the end.
type: str
spn:
description:
- Specifies the service principal name(s) for the account to add, remove or
set.
- This is the value set on the C(servicePrincipalName) LDAP attribute.
- To clear all service principal names, use I(set) with an empty list.
- See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values)
for more information on how to add/remove/set list options.
aliases:
- spns
type: dict
suboptions:
add:
description:
- The SPNs to add to C(servicePrincipalName).
type: list
elements: str
remove:
description:
- The SPNs to remove from C(servicePrincipalName).
type: list
elements: str
set:
description:
- The SPNs to set as the only values in C(servicePrincipalName).
- This will clear out any existing SPNs if not in the specified list.
- Set to an empty list to clear all SPNs on the AD object.
type: list
elements: str
trusted_for_delegation:
description:
- Specifies whether an account is trusted for Kerberos delegation.
- This is also known as unconstrained Kerberos delegation.
- This sets the C(ADS_UF_TRUSTED_FOR_DELEGATION) flag in the
C(userAccountControl) LDAP attribute.
type: bool
upn:
description:
- Configures the User Principal Name (UPN) for the account.
- The format is C(<username>@<domain>).
- This is the value set on the C(userPrincipalName) LDAP attribute.
type: str
notes:
- See R(win_domain_computer migration,ansible_collections.microsoft.ad.docsite.guide_migration.migrated_modules.win_domain_computer)
for help on migrating from M(community.windows.win_domain_computer) to this
module.
extends_documentation_fragment:
- microsoft.ad.ad_object
- ansible.builtin.action_common_attributes
attributes:
check_mode:
support: full
diff_mode:
support: full
platform:
platforms:
- windows
seealso:
- module: microsoft.ad.domain
- module: microsoft.ad.domain_controller
- module: microsoft.ad.membership
- module: microsoft.ad.object_info
- module: microsoft.ad.object
- module: microsoft.ad.offline_join
- module: microsoft.ad.group
- ref: Migration guide <ansible_collections.microsoft.ad.docsite.guide_migration.migrated_modules.win_domain_computer>
description: This module replaces C(community.windows.win_domain_computer). See the migration guide for details.
- module: community.windows.win_domain_computer
author:
- Jordan Borean (@jborean93)
"""
EXAMPLES = r"""
- name: Add linux computer to Active Directory OU using a windows machine
microsoft.ad.computer:
name: one_linux_server
sam_account_name: linux_server$
dns_hostname: one_linux_server.my_org.local
path: OU=servers,DC=my_org,DC=local
description: Example of linux server
enabled: yes
state: present
- name: Remove linux computer from Active Directory using a windows machine
microsoft.ad.computer:
name: one_linux_server
state: absent
- name: Add SPNs to computer
microsoft.ad.computer:
name: TheComputer
spn:
add:
- HOST/TheComputer
- HOST/TheComputer.domain.test
- HOST/TheComputer.domain.test:1234
- name: Remove SPNs on the computer
microsoft.ad.computer:
name: TheComputer
spn:
remove:
- HOST/TheComputer
- HOST/TheComputer.domain.test
- HOST/TheComputer.domain.test:1234
- name: Set the principals the computer trusts for delegation from
microsoft.ad.computer:
name: TheComputer
delegates:
set:
- CN=FileShare,OU=Computers,DC=domain,DC=test
- CN=DC,OU=Domain Controllers,DC=domain,DC=test
"""
RETURN = r"""
object_guid:
description:
- The C(objectGUID) of the AD object that was created, removed, or edited.
- If a new object was created in check mode, a GUID of 0s will be returned.
returned: always
type: str
sample: d84a141f-2b99-4f08-9da0-ed2d26864ba1
distinguished_name:
description:
- The C(distinguishedName) of the AD object that was created, removed, or edited.
returned: always
type: str
sample: CN=MyComputer,CN=Computers,DC=domain,DC=test
sid:
description:
- The Security Identifier (SID) of the account managed.
- If a new computer was created in check mode, the SID will be C(S-1-5-0000).
returned: always
type: str
sample: S-1-5-21-4151808797-3430561092-2843464588-1104
"""