Active Directory: Domain

Summary

This module contains actions related to Active Directory domain configuration & policies.

Windows Server 2012

Microsoft support for Windows Server 2012 has ended.

Windows Server 2012 does not support newer & more secure TLS cipher suites required by modern versions of OpenSSL. For security reasons we will be removing support for Windows Server 2012 in a future PPA release.

To use plugin version 13 or newer with Windows Server 2012 domain controllers, you must use playbook platform alpine-3.16. This mechanism will be available for the next 6-9 months before being removed from PPA.

Actions

active_directory.domain.

domain_components

Use this action to get the distinguished name of the domain itself.

Minimum Plugin Version: 12.4.0

Input

• domain: a fully qualified Active Directory domain.

Output

The distinguished name of the domain.

Example

The snippet below would generate the following output:

DC=example,DC=domain,DC=net

- active_directory.domain.domain_components:
    domain: example.domain.net
  save: domain_components

active_directory.domain.

get_directory_location

Get the distinguished name of an object's parent Organizational Unit or Container.

This action will accept the distinguishedName of a:

• User
• Group
• Computer
• Container
• Organizational Unit

Minimum Plugin Version: 13.1.0

Input

• distinguishedName: the distinguishedName of the item

Output

The distinguishedName of the item's parent.

Example

Given the distinguishedName below:

- active_directory.domain.get_directory_location:
    distinguishedName: "CN=Example User,OU=Example,DC=Example,DC=Domain"
  save: parent

The output of this action will be:

OU=Example,DC=Example,DC=Domain

active_directory.domain.

lockout_duration

Get the Account Lockout Duration policy setting from the domain.

Minimum Plugin Version: 6.3.0

Input

• domain_controller: a DomainController dictionary

Output

A single TimePeriod.

Example

- active_directory.domain.lockout_duration:
  load:
    domain_controller: domain_controller
  save: lockout_duration

- ppa.ui.output_info:
    text: Accounts will be locked out for {{ lockout_duration.days }} days & {{ lockout_duration.seconds }} seconds.

active_directory.domain.

lockout_threshold

Get the Account Lockout Threshold policy setting from the domain.

Minimum Plugin Version: 6.3.0

Input

• domain_controller: a DomainController dictionary

Output

The account lockout threshold as a number.

Example

- active_directory.domain.lockout_threshold:
  load:
    domain_controller: domain_controller
  save: lockout_threshold

- ppa.ui.output_info:
    text: Accounts will be locked out after {{ lockout_threshold }} failed logon attempts.

active_directory.domain.

maximum_password_age

Get the Maximum Password Age policy setting from the domain.

Minimum Plugin Version: 6.3.0

Input

• domain_controller: a DomainController dictionary

Output

A single TimePeriod.

Example

- active_directory.domain.maximum_password_age:
  load:
    domain_controller: domain_controller
  save: maximum_password_age

- ppa.ui.output_info:
    text: The maximum password age is {{ maximum_password_age.days }} days & {{ maximum_password_age.seconds }} seconds.

active_directory.domain.

minimum_password_age

Get the Minimum Password Age policy setting from the domain.

Minimum Plugin Version: 6.3.0

Input

• domain_controller: a DomainController dictionary

Output

A single TimePeriod.

Example

- active_directory.domain.minimum_password_age:
  load:
    domain_controller: domain_controller
  save: minimum_password_age

- ppa.ui.output_info:
    text: The minimum password age is {{ minimum_password_age.days }} days & {{ minimum_password_age.seconds }} seconds.

active_directory.domain.

minimum_password_length

Get the Minimum Password Length policy setting from the domain.

Minimum Plugin Version: 6.3.0

Input

• domain_controller: a DomainController dictionary

Output

The minimum password length as a number.

Example

- active_directory.domain.minimum_password_length:
  load:
    domain_controller: domain_controller
  save: minimum_length

- ppa.ui.output_info:
    text: New passwords must be at least {{ minimum_length }} characters long.

active_directory.domain.

password_history_length

Get the Enforce Password History policy setting from the domain.

Minimum Plugin Version: 6.3.0

Input

• domain_controller: a DomainController dictionary

Output

The password history length as a number.

Example

- active_directory.domain.password_history_length:
  load:
    domain_controller: domain_controller
  save: history_length

- ppa.ui.output_info:
    text: New passwords must differ from the last {{ history_length }} passwords.