Create an Active Directory RBAC With Ansible for Windows

In this blog post, I will show you how I create a role-based access control (RBAC) rule in Active Directory with Ansible for Windows.

DSC Module

In this playbook, I will use the Ansible DSC module, which allows us to apply Windows Desired State Configuration (DSC) resources from Ansible playbooks written in YAML. We learned how to use it in the OU creation post.

The playbook uses the ActiveDirectoryDSC PowerShell module: in the first tasks of the playbook we install the module, and then we create the RBAC entry.

In the RBAC configuration, I am giving the DB Admins security group permission to create and delete computer objects in the servers OU. Because the entry is created with inheritance set to All, the same permission also applies to any OU nested below the servers OU.

Playbook

The playbook is listed below, for more Ansible posts visit this page.

---
- name: "Create RBAC config"
  hosts: dcs
  tasks:
    - name: "Install the NuGet package provider (required by win_psmodule)"
      win_shell: Install-PackageProvider -Name NuGet -Force

    - name: "Install ActiveDirectoryDSC"
      win_psmodule:
        name: ActiveDirectoryDSC
        state: present

    - name: RBAC config
      ansible.windows.win_dsc:
        resource_name: ADObjectPermissionEntry
        Ensure: Present
        # The OU the access control entry is placed on
        Path: 'OU=servers,DC=domain,DC=local'
        # The security principal that receives the rights
        IdentityReference: 'domain\DB Admins'
        ActiveDirectoryRights: 'CreateChild,DeleteChild'
        AccessControlType: 'Allow'
        # Schema GUID of the "computer" class: the rights apply to computer objects only
        ObjectType: 'bf967a86-0de6-11d0-a285-00aa003049e2'
        # 'All' applies the entry to this OU and to every container below it
        ActiveDirectorySecurityInheritance: 'All'
        # The null GUID means the entry is not limited to one inherited object class
        InheritedObjectType: '00000000-0000-0000-0000-000000000000'
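After the play has run, it is worth confirming on a domain controller that the OU carries exactly the entry you intended and nothing more. The script below is an added example and is not part of the original post or of the ActiveDirectoryDSC module; it assumes the same OU distinguished name and group name as the playbook and reads the OU's ACL through the AD: drive of the ActiveDirectory PowerShell module. It can also be dropped into a win_shell task at the end of the play.

```powershell
# Added verification script (not from the original post). Assumes the OU and group
# used in the playbook: OU=servers,DC=domain,DC=local and 'domain\DB Admins'.
Import-Module ActiveDirectory

$ouPath   = 'OU=servers,DC=domain,DC=local'
$identity = 'domain\DB Admins'
# Schema GUID of the "computer" class, the value the playbook passes as ObjectType
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
# The rights the playbook grants
$wanted = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

$acl = Get-Acl -Path "AD:\$ouPath"

# Only explicit (non-inherited) Allow entries for this group that are scoped to computer objects
$matching = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $computerClassGuid -and
    -not $_.IsInherited
}

if (-not $matching) {
    Write-Error "No explicit ACE for $identity on computer objects under $ouPath"
    exit 1
}

foreach ($rule in $matching) {
    # True when CreateChild and DeleteChild are both present in the entry
    $hasRights = ($rule.ActiveDirectoryRights -band $wanted) -eq $wanted
    '{0,-25} rights={1,-25} inheritance={2,-12} ok={3}' -f `
        $rule.IdentityReference, $rule.ActiveDirectoryRights, $rule.InheritanceType, $hasRights
}

# Any other explicit entry for the group on this OU is outside what the playbook set; review it
$acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    -not $_.IsInherited -and
    $_.ObjectType -ne $computerClassGuid
} | Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

The first filter deliberately excludes inherited entries so that a right granted higher in the tree is not mistaken for the one this playbook manages; the last query lists any extra explicit entries for the group, which is the quickest way to spot an ACE that was added by hand and never removed.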
