Ansible, Windows and PowerShell: the Basics – Part 11, Local Groups

In Part 11 of this series we’ll continue our journey with Ansible, Windows and PowerShell and look at how to handle local Windows groups. This is a useful way to configure local group membership, with both local and domain accounts, if you don’t want to or are not able to use Group Policy.

In this example we will create a new local group, add both a local user and a domain group to it, and ensure that the domain printer_admins group is the only member of the local Print Operators group. We will use the win_group and win_group_membership Ansible modules for this work.

Our set of local groups is the standard out-of-the-box set of Groups in Windows Server 2016:

The Print Operators group has been populated with two domain groups, printer_admins and sql_admins. Our objective with this particular local group is to only have it populated with the printer_admins group.

Our job template in AWX is _10_local_groups.

The contents of _10_local_groups.yml are as follows:

Note: Using a state of pure ensures that the group contains only the entries listed under members; any existing member that is not listed is removed.
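
A playbook along the lines described above, as an added example rather than the original _10_local_groups.yml. The inventory group `windows`, the domain `EXAMPLE`, the local user `test_local_user` and the domain group `test_domain_group` are assumed names.

```yaml
---
# Added example; not the original _10_local_groups.yml.
# Assumed names: inventory group "windows", domain "EXAMPLE",
# local user "test_local_user", domain group "test_domain_group".
- name: Manage local groups
  hosts: windows
  gather_facts: false
  tasks:
    - name: Create the local group test_users
      win_group:
        name: test_users
        description: Test users
        state: present

    # state: present only adds; existing members are left alone.
    - name: Add a local user and a domain group to test_users
      win_group_membership:
        name: test_users
        members:
          - test_local_user
          - EXAMPLE\test_domain_group
        state: present

    # state: pure makes the list authoritative: anything not listed
    # (here, sql_admins) is removed from the group.
    - name: Ensure Print Operators contains only printer_admins
      win_group_membership:
        name: Print Operators
        members:
          - EXAMPLE\printer_admins
        state: pure
      register: print_operators

    # The module returns the accounts it added and removed, which
    # gives a record of any unexpected members that were stripped.
    - name: Show membership changes
      debug:
        msg: "added={{ print_operators.added }} removed={{ print_operators.removed }}"
```

Running the playbook with `--check` first reports what `pure` would remove without changing the group.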

Running a job from the _10_local_groups job template produces the following result:

Observe the group test_users has been created and is populated with both a local user account and a domain group:

Meanwhile, the Print Operators group now contains only the domain group printer_admins; the sql_admins group has been removed: