SUMMARY
microsoft.ad.group does not support adding group members from another forest. If ForestA has a bidirectional forest trust with ForestB, I should be able to add a user from ForestB to a group in ForestA.
This is related to a previous issue: #56
This issue fixed the issue for domain trusts with two domains in the same forest. However, the solution is not working for a forest trust between two domains in separate forests.
The reason for this is that the code currently uses the `server` attribute for each member to resolve the full `distinguishedName` and then adds the member by DN with `Set-ADGroup -Add @{member="<distinguished_name>"}`, but that does not work for forest trusts. Instead something like this would work:

```powershell
$user = Get-ADUser "user_in_forest_b" -Server "forest_b" -Credential $forest_b_cred
Add-ADGroupMember -Identity GroupInForestA -Members @(,$user) -Credential $forest_a_cred
```
ISSUE TYPE
COMPONENT NAME
microsoft.ad.group
ANSIBLE VERSION
COLLECTION VERSION
```text
Collection   Version
------------ -------
microsoft.ad 1.9.2
```
OS / ENVIRONMENT
Both domain controllers are running Windows Server 2016
STEPS TO REPRODUCE
```yaml
- name: Add user to AD group
  microsoft.ad.group:
    identity: GroupInForestA
    name: GroupInForestA
    domain_server: forest_a
    members:
      add:
        # Will lookup on default DC
        - user1
        # Will lookup on forest_b
        - name: user_in_forest_b
          server: forest_b
```
EXPECTED RESULTS
user_in_forest_b should be a member of GroupInForestA.
ACTUAL RESULTS
Errors out with "The specified account does not exist"
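The following script is an added example, not code from the microsoft.ad collection or from the issue above. It carries the approach sketched in the summary (resolve the principal in its own forest, then pass the object rather than a DN to `Add-ADGroupMember`) through to an idempotent form: a cross-forest member is stored in the group's `member` attribute as a foreign security principal whose CN is the member's SID, so the "already a member" check compares SIDs instead of distinguished names. It also verifies the group scope, since only domain local groups can contain principals from a trusted forest. The parameter names, the `forest_a`/`forest_b` server names and the credential objects are assumptions supplied by the caller.

```powershell
# Added example; assumes a two-way forest trust, resolvable DC/domain names
# for -Server, and caller-supplied PSCredential objects for each forest.
param(
    [Parameter(Mandatory)] [string]        $GroupName,          # e.g. GroupInForestA
    [Parameter(Mandatory)] [string]        $GroupServer,        # e.g. forest_a
    [Parameter(Mandatory)] [pscredential]  $GroupCredential,
    [Parameter(Mandatory)] [string]        $MemberName,         # e.g. user_in_forest_b
    [Parameter(Mandatory)] [string]        $MemberServer,       # e.g. forest_b
    [Parameter(Mandatory)] [pscredential]  $MemberCredential
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the member in its own forest. The returned ADUser carries the SID
# that the trusting forest records as a foreign security principal (FSP).
$member    = Get-ADUser -Identity $MemberName -Server $MemberServer -Credential $MemberCredential
$memberSid = $member.SID.Value

# Fetch the group with its raw member attribute. A cross-forest member does
# not appear as the user's own DN but as the DN of an FSP object whose CN is
# the SID, e.g. CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=forest_a.
$group = Get-ADGroup -Identity $GroupName -Server $GroupServer -Credential $GroupCredential -Properties member

# Only domain local groups can hold principals from a trusted forest.
if ($group.GroupScope -ne 'DomainLocal') {
    throw "Group '$GroupName' has scope $($group.GroupScope); cross-forest members require DomainLocal."
}

# Idempotency check on SID rather than distinguishedName.
$alreadyMember = @($group.member) | Where-Object { $_ -like "CN=$memberSid,CN=ForeignSecurityPrincipals,*" }

if ($alreadyMember) {
    Write-Output "$MemberName is already a member of $GroupName (FSP $memberSid); nothing to do."
} else {
    # Pass the ADUser object, not a DN string, so the DC in the group's forest
    # creates or reuses the FSP for the foreign SID.
    Add-ADGroupMember -Identity $group -Members $member -Server $GroupServer -Credential $GroupCredential
    Write-Output "Added $MemberName ($memberSid) to $GroupName as a foreign security principal."
}
```

Run it from a host that can reach a DC in each forest, e.g. `.\Add-CrossForestMember.ps1 -GroupName GroupInForestA -GroupServer forest_a -GroupCredential $forest_a_cred -MemberName user_in_forest_b -MemberServer forest_b -MemberCredential $forest_b_cred`. The SID-based check is what a module would need for a `changed` result to be accurate: matching on the user's DN, as the current code does, would report the member as missing on every run even after it has been added.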