
Checking win_domain_user: specified account already exists #341

Closed
AlexCharette opened this issue Nov 25, 2021 · 2 comments


AlexCharette commented Nov 25, 2021

SUMMARY

Creating win_domain users works fine, but whenever I re-run a task to configure my win_domain users, it fails saying "Unhandled exception while executing module: The specified account already exists." I've tried adding / removing attributes but nothing seems to work.

Looking at the win_domain_user Powershell code, I assume that $user_obj is somehow being set to $null when running Get-ADUser.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_domain_user

ANSIBLE VERSION
ansible [core 2.11.6] 
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/acharette/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/acharette/.local/lib/python3.6/site-packages/ansible
  ansible collection location = /home/acharette/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/acharette/.local/bin/ansible
  python version = 3.6.9 (default, Jan 26 2021, 15:33:00) [GCC 8.4.0]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
# /home/acharette/.local/lib/python3.6/site-packages/ansible_collections
Collection        Version
----------------- -------
community.windows 1.7.0  

# /home/acharette/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.windows 1.8.0  
CONFIGURATION
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.9 (default, Jan 26 2021, 
15:33:00) [GCC 8.4.0]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
OS / ENVIRONMENT

Running on Elementary OS 5.1.7 Hera - built on Ubuntu 18.04.6 LTS
Targeting a VM in Azure running Windows (Windows Server 2019 Datacenter)

STEPS TO REPRODUCE

Command I run: ansible-playbook configure_users.yml
User data is loaded from a file in group_vars

- name: Configure Active Directory users
  community.windows.win_domain_user:
    name: "{{ item.firstname }} {{ item.surname }}"
    firstname: "{{ item.firstname }}"
    surname: "{{ item.surname }}"
    enabled: "{{ item.enabled }}"
    email: "{{ item.email }}"
    password: "{{ item.password }}"
    path: "{{ item.path }}"
    sam_account_name: "{{ item.name }}"
    upn: "{{ item.upn }}"
    update_password: "{{ item.update_password }}"
    user_cannot_change_password: "{{ item.user_cannot_change_password }}"
    state: present
  loop: "{{ ad_users }}"
EXPECTED RESULTS

Task should report as ok, since the users already exist (verified by connecting to the server).

ACTUAL RESULTS
TASK [Configure Active Directory users] *************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was:    at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
failed: [ft_dc] (item={'name': 'jholden', 'firstname': 'Judge', 'surname': 'Holden', 'enabled': True, 'email': '[email protected]', 'password': 'DestroyAllCreation1', 'path': 'ou=Glanton Gang,dc=fsettest,dc=local', 'update_password': 'on_create', 'upn': '[email protected]', 'user_cannot_change_password': False}) => {"ansible_loop_var": "item", "changed": false, "item": {"email": "[email protected]", "enabled": true, "firstname": "Judge", "name": "jholden", "password": "DestroyAllCreation1", "path": "ou=Glanton Gang,dc=fsettest,dc=local", "surname": "Holden", "update_password": "on_create", "upn": "[email protected]", "user_cannot_change_password": false}, "msg": "Unhandled exception while executing module: The specified account already exists"}
...ignoring

TASK [Debug] ****************************************************************************************************************************************************
ok: [ft_dc] => {
    "result": {
        "changed": false,
        "failed": true,
        "msg": "One or more items failed",
        "results": [
            {
                "ansible_loop_var": "item",
                "changed": false,
                "exception": "The specified account already exists\r\nAt line:170 char:21\r\n+ ... $user_obj = New-ADUser @create_args -WhatIf:$check_mode -PassThru @ex ...\r\n+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : ResourceExists: (CN=Judge Holden...ettest,dc=local:String) [New-ADUser], ADIdentityAlreadyExistsException\r\n    + FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADUser\r\n\r\nScriptStackTrace:\r\nat <ScriptBlock>, <No file>: line 170\r\n\r\nMicrosoft.ActiveDirectory.Management.ADIdentityAlreadyExistsException: The specified account already exists ---> System.ServiceModel.FaultException: The supplied entry already exists.\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForExtendedError(String extendedErrorMessage, Exception innerException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.Create(ADAddRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Add(ADSessionHandle handle, ADAddRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADActiveObject.Create()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase`3.ADNewCmdletBaseProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()",
                "failed": true,
                "item": {
                    "email": "[email protected]",
                    "enabled": true,
                    "firstname": "Judge",
                    "name": "jholden",
                    "password": "DestroyAllCreation1",
                    "path": "ou=Glanton Gang,dc=fsettest,dc=local",
                    "surname": "Holden",
                    "update_password": "on_create",
                    "upn": "[email protected]",
                    "user_cannot_change_password": false
                },
                "msg": "Unhandled exception while executing module: The specified account already exists"
            }
        ],
        "skipped": false
    }
}

@AlexCharette (Author) commented

Pretty sure this will be fixed by #345.

jimbo8098 (Contributor) commented Dec 19, 2021

Might do; in the meantime, if you set the identity parameter you can use that. That passes the parameter to the Get-ADUser -Identity cmdlet in PS.

What you might find, though, is that the -Identity parameter for your users resolves to something else. In such a case, the change won't fix it. It'd be interesting to see how it resolves such an account (I don't have a way to test it to hand right this second).

A good way to test would be to allow the account to create, then run the Get-ADUser command with -Identity set to the settings you have and see what returns the account. Whatever you set that parameter to that returns the existing account is what identity should be set to.
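The probe suggested in the comment above, written out as an added example; this is not code from the issue or from the community.windows collection. It takes the values of the failing loop item from the report, tries each of them as `Get-ADUser -Identity`, and reports which ones actually resolve to the account created on the first run. The UPN is constructed from the sam_account_name and the domain because the report redacts it, and the assumption that the module looks the account up through `Get-ADUser -Identity` is taken from the comment, not verified against the module source here. Run it on the DC or any host with the ActiveDirectory RSAT module after the first playbook run has created the user.

```powershell
# Added example (not from the issue or from community.windows): find out which
# values Get-ADUser -Identity resolves for the account the first run created.
Import-Module ActiveDirectory

# Values from the failing loop item in the report. The UPN is constructed here
# (the report redacts it); adjust it to the real one if yours differs.
$item = @{
    name         = 'jholden'                                 # sam_account_name in the task
    display_name = 'Judge Holden'                            # the task's `name`, which becomes the CN
    path         = 'ou=Glanton Gang,dc=fsettest,dc=local'
}
$item.upn = "$($item.name)@fsettest.local"                   # constructed, see above

# Get-ADUser -Identity accepts a distinguishedName, objectGUID, objectSid or
# sAMAccountName. A CN/display name and a UPN are not identity formats, so those
# two lookups are expected to fail even though the account exists.
$candidates = [ordered]@{
    'name (CN)'         = $item.display_name
    'sam_account_name'  = $item.name
    'upn'               = $item.upn
    'distinguishedName' = "CN=$($item.display_name),$($item.path)"
}

$results = foreach ($label in $candidates.Keys) {
    $value = $candidates[$label]
    try {
        $user = Get-ADUser -Identity $value -ErrorAction Stop
        [pscustomobject]@{ Candidate = $label; Value = $value; Result = "found $($user.DistinguishedName)" }
    }
    catch {
        # ADIdentityNotFoundException is the outcome that, per the comment above,
        # would send the module down the New-ADUser path on a re-run.
        $kind = $_.Exception.GetType().Name
        [pscustomobject]@{ Candidate = $label; Value = $value; Result = "not found ($kind)" }
    }
}
$results | Format-Table -AutoSize

# Cross-check with an LDAP filter, which finds the account by sAMAccountName no
# matter what the -Identity lookups above did, and shows the DN they should map to.
Get-ADUser -Filter "sAMAccountName -eq '$($item.name)'" -SearchBase $item.path |
    Select-Object SamAccountName, Name, UserPrincipalName, DistinguishedName
```

Whichever candidate row comes back as found is the value to put in the task's `identity` parameter; with the values in this report that is expected to be the sam_account_name (`identity: "{{ item.name }}"` in the loop), since the `name` the task passes is the CN and not something `-Identity` resolves.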
