#!/usr/bin/python # -*- coding: utf-8 -*- # Copyright: (c) 2023, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) DOCUMENTATION = r""" --- module: computer short_description: Manage Active Directory computer objects description: - Manages Active Directory computer objects and their attributes. options: delegates: description: - The principal objects that the current AD object can trust for delegation to either add, remove or set. - The values for each sub option must be specified as a distinguished name C(CN=shenetworks,CN=Users,DC=ansible,DC=test) - This is the value set on the C(msDS-AllowedToActOnBehalfOfOtherIdentity) LDAP attribute. - This is a highly sensitive attribute as it allows the principals specified to impersonate any account when authenticating with the AD computer object being managed. - To clear all principals, use I(set) with an empty list. - See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values) for more information on how to add/remove/set list options. aliases: - principals_allowed_to_delegate type: dict suboptions: add: description: - The AD objects by their C(DistinguishedName) to add as a principal allowed to delegate. - Any existing principals not specified by I(add) will be untouched unless specified by I(remove) or not in I(set). type: list elements: str remove: description: - The AD objects by their C(DistinguishedName) to remove as a principal allowed to delegate. - Any existing pricipals not specified by I(remove) will be untouched unless I(set) is defined. type: list elements: str set: description: - The AD objects by their C(DistinguishedName) to set as the only principals allowed to delegate. - This will remove any existing principals if not specified in this list. - Specify an empty list to remove all principals allowed to delegate. type: list elements: str dns_hostname: description: - Specifies the fully qualified domain name (FQDN) of the computer. - This is the value set on the C(dNSHostName) LDAP attribute. type: str enabled: description: - C(yes) will enable the group. - C(no) will disable the group. type: bool kerberos_encryption_types: description: - Specifies the Kerberos encryption types supported the AD computer account. - This is the value set on the C(msDS-SupportedEncryptionTypes) LDAP attribute. - Avoid using C(rc4) or C(des) as they are older an insecure encryption protocols. - To clear all encryption types, use I(set) with an empty list. - See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values) for more information on how to add/remove/set list options. type: dict suboptions: add: description: - The encryption types to add to the existing set. - Any existing encryption types not specified by I(add) will be untouched unless specified by I(remove) or not in I(set). choices: - aes128 - aes256 - des - rc4 type: list elements: str remove: description: - The encryption types to remove from the existing set. - Any existing encryption types not specified by I(remove) will be untouched unless I(set) is defined. choices: - aes128 - aes256 - des - rc4 type: list elements: str set: description: - The encryption types to set as the only encryption types allowed by the AD computer. - This will remove any existing encryption types if not specified in this list. - Specify an empty list to remove all encryption types. choices: - aes128 - aes256 - des - rc4 type: list elements: str location: description: - Sets the location of the computer account. - This is the value set on the C(location) LDAP attribute. type: str managed_by: description: - The user or group that manages the object. - The value can be in the form of a C(distinguishedName), C(objectGUID), C(objectSid), or sAMAccountName). - This is the value set on the C(managedBy) LDAP attribute. type: str sam_account_name: description: - The C(sAMAccountName) value to set for the group. - If omitted, the I(name) value is used when creating a new group. - It has a maximum of 256 characters, 15 is advised for older operating systems compatibility. - If ommitted the value is the same as C(name$) when the computer is created. - Note that all computer C(sAMAccountName) values need to end with a C($). - If C($) is omitted, it will be added to the end. type: str spn: description: - Specifies the service principal name(s) for the account to add, remove or set. - This is the value set on the C(servicePrincipalName) LDAP attribute. - To clear all service principal names, use I(set) with an empty list. - See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values) for more information on how to add/remove/set list options. aliases: - spns type: dict suboptions: add: description: - The SPNs to add to C(servicePrincipalName). type: list elements: str remove: description: - The SPNs to remove from C(servicePrincipalName). type: list elements: str set: description: - The SPNs to set as the only values in C(servicePrincipalName). - This will clear out any existing SPNs if not in the specified list. - Set to an empty list to clear all SPNs on the AD object. type: list elements: str trusted_for_delegation: description: - Specifies whether an account is trusted for Kerberos delegation. - This is also known as unconstrained Kerberos delegation. - This sets the C(ADS_UF_TRUSTED_FOR_DELEGATION) flag in the C(userAccountControl) LDAP attribute. type: bool upn: description: - Configures the User Principal Name (UPN) for the account. - The format is C(@). - This is the value set on the C(userPrincipalName) LDAP attribute. type: str notes: - See R(win_domain_computer migration,ansible_collections.microsoft.ad.docsite.guide_migration.migrated_modules.win_domain_computer) for help on migrating from M(community.windows.win_domain_computer) to this module. extends_documentation_fragment: - microsoft.ad.ad_object - ansible.builtin.action_common_attributes attributes: check_mode: support: full diff_mode: support: full platform: platforms: - windows seealso: - module: microsoft.ad.domain - module: microsoft.ad.domain_controller - module: microsoft.ad.membership - module: microsoft.ad.object_info - module: microsoft.ad.object - module: microsoft.ad.offline_join - module: microsoft.ad.group - ref: Migration guide description: This module replaces C(community.windows.win_domain_computer). See the migration guide for details. - module: community.windows.win_domain_computer author: - Jordan Borean (@jborean93) """ EXAMPLES = r""" - name: Add linux computer to Active Directory OU using a windows machine microsoft.ad.computer: name: one_linux_server sam_account_name: linux_server$ dns_hostname: one_linux_server.my_org.local path: OU=servers,DC=my_org,DC=local description: Example of linux server enabled: yes state: present - name: Remove linux computer from Active Directory using a windows machine microsoft.ad.computer: name: one_linux_server state: absent - name: Add SPNs to computer microsoft.ad.computer: name: TheComputer spn: add: - HOST/TheComputer - HOST/TheComputer.domain.test - HOST/TheComputer.domain.test:1234 - name: Remove SPNs on the computer microsoft.ad.computer: name: TheComputer spn: remove: - HOST/TheComputer - HOST/TheComputer.domain.test - HOST/TheComputer.domain.test:1234 - name: Set the principals the computer trusts for delegation from microsoft.ad.computer: name: TheComputer delegates: set: - CN=FileShare,OU=Computers,DC=domain,DC=test - CN=DC,OU=Domain Controllers,DC=domain,DC=test """ RETURN = r""" object_guid: description: - The C(objectGUID) of the AD object that was created, removed, or edited. - If a new object was created in check mode, a GUID of 0s will be returned. returned: always type: str sample: d84a141f-2b99-4f08-9da0-ed2d26864ba1 distinguished_name: description: - The C(distinguishedName) of the AD object that was created, removed, or edited. returned: always type: str sample: CN=MyComputer,CN=Computers,DC=domain,DC=test sid: description: - The Security Identifier (SID) of the account managed. - If a new computer was created in check mode, the SID will be C(S-1-5-0000). returned: always type: str sample: S-1-5-21-4151808797-3430561092-2843464588-1104 """