From abf209ffdfb9d4f2a4a13dca8eb104d4e05f6de6 Mon Sep 17 00:00:00 2001
From: Jordan Borean
Date: Wed, 24 Jun 2026 13:43:02 +1000
Subject: [PATCH] Fix post action ADObject on move

Use the proper ADObject when calling the module's PostAction to ensure any actions are done on the final object that may have been moved.
---
 changelogs/fragments/user-post-action-moved.yml | 4 ++++
 plugins/module_utils/_ADObject.psm1 | 1 +
 tests/integration/targets/user/tasks/tests.yml | 13 +++++++++++++
 3 files changed, 18 insertions(+)
 create mode 100644 changelogs/fragments/user-post-action-moved.yml

diff --git a/changelogs/fragments/user-post-action-moved.yml b/changelogs/fragments/user-post-action-moved.yml
new file mode 100644
index 00000000..407ad1ab
--- /dev/null
+++ b/changelogs/fragments/user-post-action-moved.yml
@@ -0,0 +1,4 @@
+bugfixes:
+ - >-
+ user - Ensure any post actions like editing the user's groups are performed on the correct distinguished name. This
+ fixes the error when changing the user's groups when the user was moved in the same module invocation.
diff --git a/plugins/module_utils/_ADObject.psm1 b/plugins/module_utils/_ADObject.psm1
index 09911cc6..fd0b0052 100644
--- a/plugins/module_utils/_ADObject.psm1
+++ b/plugins/module_utils/_ADObject.psm1
@@ -1507,6 +1507,7 @@ Function Invoke-AnsibleADObject {
 # Won't be set in check mode
 if ($finalADObject) {
+ $adObject = $finalADObject
 $objectDN = $finalADObject.DistinguishedName
 }
 else {
diff --git a/tests/integration/targets/user/tasks/tests.yml b/tests/integration/targets/user/tasks/tests.yml
index fe9eae0c..e8b95e1b 100644
--- a/tests/integration/targets/user/tasks/tests.yml
+++ b/tests/integration/targets/user/tasks/tests.yml
@@ -123,6 +123,9 @@
 name: MyUser2
 identity: '{{ object_sid }}' # ID by SID
 path: '{{ setup_domain_info.output[0].defaultNamingContext }}'
+ groups:
+ add:
+ - Domain Admins
 register: move_user_check
 check_mode: true
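Review bot: The added `$adObject = $finalADObject` in the `_ADObject.psm1` hunk rebinds a variable that the rest of Invoke-AnsibleADObject goes on using, and nothing beside it says why. A short comment above the assignment would help the next reader, for example `# Rebind so PostAction acts on the object as it exists after the move/rename, not the stale pre-change copy`. The rebinding only happens when `$finalADObject` is set, which the existing comment says is not the case in check mode, so in check mode later code presumably still sees the pre-move object and its old DistinguishedName; it is worth confirming that every PostAction tolerates that. The function starts and ends outside the hunk, so how `$adObject` is consumed afterwards cannot be checked from here.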
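Review bot: The new `groups:` / `add:` / `- Domain Admins` lines in the `tests.yml` hunk at -123, and again in the hunks at -141 and -164, place the test account in the most privileged group of the domain only to prove that a membership change lands on the moved object. Any group exercises the same post-action path, so a low-privilege group created by the test setup would be the safer fixture if a run is interrupted before cleanup or the target domain is not disposable, e.g. `- <TEST_GROUP>` (placeholder for a group the setup tasks create). The `memberOf` assertion added at -141 would then compare against that group's distinguished name instead of `CN=Domain Admins,CN=Users,`. The task edited in the -123 hunk begins above the hunk, so its module name and `- name:` line are not visible here.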
@@ -131,6 +134,7 @@
 identity: '{{ object_identity }}'
 properties:
 - sAMAccountName
+ - memberOf
 register: move_user_check_actual
 - name: assert move user - check
@@ -141,12 +145,16 @@
 - move_user_check_actual.objects[0].DistinguishedName == 'CN=MyUser2,CN=Users,' ~ setup_domain_info.output[0].defaultNamingContext
 - move_user_check_actual.objects[0].Name == 'MyUser2'
 - move_user_check_actual.objects[0].sAMAccountName == 'MyUser'
+ - move_user_check_actual.objects[0].memberOf == None
 - name: move user
 user:
 name: MyUser2
 identity: '{{ object_sid }}' # ID by SID
 path: '{{ setup_domain_info.output[0].defaultNamingContext }}'
+ groups:
+ add:
+ - Domain Admins
 register: move_user
 - name: get result of move user
@@ -154,6 +162,7 @@
 identity: '{{ object_identity }}'
 properties:
 - sAMAccountName
+ - memberOf
 register: move_user_actual
 - name: assert move user
@@ -164,12 +173,16 @@
 - move_user_actual.objects[0].DistinguishedName == 'CN=MyUser2,' ~ setup_domain_info.output[0].defaultNamingContext
 - move_user_actual.objects[0].Name == 'MyUser2'
 - move_user_actual.objects[0].sAMAccountName == 'MyUser'
+ - move_user_actual.objects[0].memberOf == ["CN=Domain Admins,CN=Users," ~ setup_domain_info.output[0].defaultNamingContext]
 - name: move user - idempotent
 user:
 name: MyUser2
 identity: '{{ object_sid }}' # ID by SID
 path: '{{ setup_domain_info.output[0].defaultNamingContext }}'
+ groups:
+ add:
+ - Domain Admins
 register: move_user_again
 - name: assert move user - idempotent