I am trying to use a simple PowerShell command to retrieve the OU from a Windows machine.

I tried it two ways as Administrator in PowerShell on the machine:

  1. ([adsisearcher]'(&(name=$env:computername)(objectClass=computer))').findall().path
  2. gpresult /r /scope computer

Both ways return the OU just fine when I execute them on the machine itself.

However, I want to execute this PowerShell command using Ansible. When I try it in Ansible, both commands return an empty value. I am using the Administrator user while performing PowerShell commands in Ansible.

What do I need to do to be able to retrieve the OU using PowerShell in Ansible?

This is my Ansible task:

- name: Get Active Directory OU from Instance
  ansible.windows.win_powershell:
    script: "gpresult /r /scope computer"
  become_method: runas
  become: yes
  become_user: Administrator
  register: active_directory_ou

As a result, when using

gpresult /r /scope computer

I get something like this:

{
"changed": true,
"invocation": {
    "module_args": {
        "depth": 2,
        "removes": null,
        "chdir": null,
        "parameters": null,
        "creates": null,
        "executable": null,
        "error_action": "continue",
        "arguments": null,
        "script": "gpresult /r /scope computer"
    }
},
"result": {},
"host_out": "",
"host_err": "",
"output": [
    "",
    "Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0",
    "© 2018 Microsoft Corporation. All rights reserved.",
    "",
    "Created on ‎10.‎11.‎2021 at 13:47:10",
    "",
    "",
    "",
    "RSOP data for  on AWSD199 : Logging Mode",
    "---------------------------------------------",
    "",
    "OS Configuration:            Member Server",
    "OS Version:                  10.0.17763",
    "Site Name:                   FFM-DC",
    "Roaming Profile:             ",
    "Local Profile:               ",
    "Connected over a slow link?: No",
    "",
    "",
    "COMPUTER SETTINGS",
    "------------------",
    "    ",    -----------------> HERE SHOULD BE THE OU BUT IT IS EMPTY!
    "    Last time Group Policy was applied: 10.11.2021 at 13:42:50",
    "    Group Policy was applied from:      *******************",
    "    Group Policy slow link threshold:   500 kbps",
    "    Domain Name:                        BKU",
    "    Domain Type:                        Windows 2008 or later",
    "",
    "    The following GPOs were not applied because they were filtered out",
    "    -------------------------------------------------------------------",
    "        Local Group Policy",
    "            Filtering:  Not Applied (Empty)",
    "",
    "    The computer is a part of the following security groups",
    "    -------------------------------------------------------",
    "        BUILTIN\\Administrators",
    "        Everyone",
    "        BUILTIN\\Users",
    "        NT AUTHORITY\\NETWORK",
    "        NT AUTHORITY\\Authenticated Users",
    "        This Organization",
    "        AWSD199$",
    "        Domain Computers",
    "        Claims Valid",
    "        Authentication authority asserted identity",
    "        System Mandatory Level",
    "        "
],
"error": [],
"warning": [],
"verbose": [],
"debug": [],
"information": [],
"_ansible_no_log": false

}

When I try to use:

([adsisearcher]'(&(name=$env:computername)(objectClass=computer))').findall().path

I get this error message:

{
    "changed": true,
    "invocation": {
        "module_args": {
            "depth": 2,
            "removes": null,
            "chdir": null,
            "parameters": null,
            "creates": null,
            "executable": null,
            "error_action": "continue",
            "arguments": null,
            "script": "([adsisearcher]\"(&(name=$env:computername)(objectClass=user))\").findall().Path"
        }
    },
    "result": {},
    "host_out": "",
    "host_err": "",
    "output": [],
    "error": [
        {
            "script_stack_trace": "at <ScriptBlock>, <No file>: line 1",
            "fully_qualified_error_id": "COMException",
            "exception": {
                "inner_exception": {
                    "inner_exception": null,
                    "message": "The specified domain either does not exist or could not be contacted.\r\n",
                    "source": "System.DirectoryServices",
                    "help_link": null,
                    "type": "System.Runtime.InteropServices.COMException",
                    "hresult": -2147023541
                },
                "message": "Exception calling \"FindAll\" with \"0\" argument(s): \"The specified domain either does not exist or could not be contacted.\r\n\"",
                "source": "System.Management.Automation",
                "help_link": null,
                "type": "System.Management.Automation.MethodInvocationException",
                "hresult": -2146233087
            },
            "target_object": null,
            "error_details": null,
            "output": "Exception calling \"FindAll\" with \"0\" argument(s): \"The specified domain either does not exist or could not be contacted.\r\n\"\r\nAt line:1 char:1\r\n+ ([adsisearcher]\"(&(name=$env:computername)(objectClass=user))\").finda ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException\r\n    + FullyQualifiedErrorId : COMException\r\n \r\n",
            "pipeline_iteration_info": [],
            "category_info": {
                "target_name": "",
                "target_type": "",
                "activity": "",
                "category_id": 0,
                "reason": "MethodInvocationException",
                "category": "NotSpecified"
            }
        }
    ],
    "warning": [],
    "verbose": [],
    "debug": [],
    "information": [],
    "_ansible_no_log": false
}
Benny
  • could you show your playbook? – Frenchy Nov 10 '21 at 13:04
  • I updated to show the task I am running – Benny Nov 10 '21 at 13:45
  • You could try a different command for getting the computer OU. I'm not quite sure which property you're after. For instance: 'Get-ADComputer -Identity $env:COMPUTERNAME -Properties * | Select-Object -ExpandProperty DistinguishedName' Or 'Get-ADComputer -Identity $env:COMPUTERNAME -Properties * | Select-Object -Property *' to list all the properties and find the one you need and replace the property name in the first command I gave. – Mogash Nov 10 '21 at 13:45
  • I know about Get-ADComputer; however, it requires me to install additional modules for AD commands. If possible, I would like to avoid this. For me it is not clear why the commands I use do not return any value, although it works on the machine itself. Am I missing permissions to retrieve the OU using Ansible? I thought the only requirement would be to be an Administrator on the machine. – Benny Nov 10 '21 at 13:49

1 Answer

Change ' to " and this will work. Everything inside ' is not expanded to its value, so you search for a computer with a name that is $env:computername. For sure none exists in your directory with that name.

([adsisearcher]"(&(name=$env:computername)(objectClass=user))").findall().Path

Hazrelle
  • What is funny is that he mentions the command works fine when running it on a local computer. Shouldn't the same behaviour apply there? – Mogash Nov 10 '21 at 14:13
  • I updated my post, I receive an error on using: ([adsisearcher]'(&(name=$env:computername)(objectClass=computer))').findall().path "The specified domain either does not exist or could not be contacted" – Benny Nov 10 '21 at 14:18
  • Exchanging ' with " did not work by the way, still the same error – Benny Nov 10 '21 at 14:19
  • That comment clearly shows that you didn't change the quotes. – Abraham Zinala Nov 10 '21 at 14:35
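
The quoting difference the answer describes, together with an escaped filter value and OU extraction from the distinguished name, as an added example that is not part of the original question or answer. ConvertTo-LdapFilterValue, Get-ParentContainer and Get-ComputerOU are hypothetical helper names, the sample DN is constructed, and Get-ComputerOU assumes the session can reach a domain controller.

```powershell
# Added example; the three function names below are hypothetical.

# 1. Quoting: the same filter text in single and in double quotes (runs offline).
$single = '(&(name=$env:COMPUTERNAME)(objectClass=computer))'   # literal text "$env:COMPUTERNAME"
$double = "(&(name=$env:COMPUTERNAME)(objectClass=computer))"   # expanded to the host name
"single-quoted filter: $single"
"double-quoted filter: $double"

# 2. Escape a value before placing it inside an LDAP search filter (RFC 4515).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the escapes added afterwards are not escaped again.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

# 3. Return the container part of a DN: everything after the first RDN.
function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on the first comma that is not escaped as "\,".
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

# 4. Look up the computer object and return its OU path.
function Get-ComputerOU {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $name = ConvertTo-LdapFilterValue $ComputerName
    # Double quotes are required here so that $name is expanded.
    $searcher = [adsisearcher]"(&(objectClass=computer)(name=$name))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    # FindOne fails like the FindAll call in the question when the domain
    # cannot be contacted from the current session.
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    Get-ParentContainer ([string]$hit.Properties['distinguishedname'][0])
}

# Constructed sample DN, parsed without contacting a directory.
Get-ParentContainer 'CN=HOST01,OU=Servers,OU=Example,DC=example,DC=test'
```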