Support for Non-Domain Joined Windows Servers

Description

This is not a playbook but an include file, so it can't be run on its own. It can only be added to a playbook that connects to Windows servers.

It retrieves credentials for Windows servers that are not joined to a domain. It uses Passwordstate to securely fetch the username and password for the specified host when that host has the tag no_domainjoin (type: ManagementExceptions). The credentials are then set as Ansible facts for use in subsequent tasks.
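As an added illustration (not the project's own non_domain_server_cred.yml), the tasks below show how such an include can look: skip hosts without the tag, query Passwordstate from the controller before any connection is attempted, and hand the result to the connection plugin as facts. Assumed, because the page does not state them: the Neon tags arrive as the host variable management_exceptions, the Passwordstate host name, the password list ID 1234, and the Windows-authenticated search endpoint with its UserName/Password fields.

```yaml
---
# Added example, not the project's include file. Assumptions are marked below.
- name: Decide whether this host needs a local (non-domain) credential
  ansible.builtin.set_fact:
    # Assumption: Neon ManagementExceptions tags are exposed as this list.
    needs_local_cred: "{{ 'no_domainjoin' in (management_exceptions | default([])) }}"

- name: Fetch the local admin credential from Passwordstate
  ansible.builtin.uri:
    # Assumption: host name, list ID and the /winapi/ search endpoint.
    # Title is SHORTNAME in upper case, matching the Passwordstate naming rule.
    url: "https://pws.example.local/winapi/searchpasswords/1234?title={{ (inventory_hostname.split('.') | first) | upper }}"
    method: GET
    url_username: "{{ pws_user }}"
    url_password: "{{ pws_password }}"
    force_basic_auth: true
    return_content: true
    status_code: 200
  register: pws_result
  # Runs on the controller: the target cannot be reached yet.
  delegate_to: localhost
  # Keep the secret out of job output and logs.
  no_log: true
  when: needs_local_cred | bool

- name: Fail clearly when the title does not match exactly one record
  ansible.builtin.assert:
    that:
      - pws_result.json | length == 1
    fail_msg: "Expected exactly one Passwordstate record for this host title"
  when: needs_local_cred | bool

- name: Expose the credential to the connection plugin for this host only
  ansible.builtin.set_fact:
    # Assumption: field names as returned by the Passwordstate search API.
    ansible_user: "{{ pws_result.json[0].UserName }}"
    ansible_password: "{{ pws_result.json[0].Password }}"
  no_log: true
  when: needs_local_cred | bool
```

Because every task either runs locally or only sets facts, it works with gather_facts: false; the first task that actually connects (for example ansible.builtin.setup) already sees the new ansible_user and ansible_password.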

How to use

  • Include the file as the first task in your playbook.
  • Add the credential sys_ps_NonDomainServ to your template in AAP.
  • gather_facts needs to be false so the playbook does not try to connect before the credentials are fetched. Otherwise the playbook will fail.

If you need facts, you can run the ansible.builtin.setup task after the import (see example).

Add non-domain joined server

  • Tag the server with the tag no_domainjoin (type: ManagementExceptions) in Neon.
  • "Copy & link" the local "admDistrict09" account to the "sys_ps_NonDomainServ" password list in Passwordstate. The title needs to be in the format SHORTNAME (all caps).
  • Set the registry key "LocalAccountTokenFilterPolicy" to 1 with PowerShell:
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -Type DWord

Example

---
- name: Play to test ansible connection to server
  hosts: "{{ target }}"
  gather_facts: false
  tasks:
  - name: Get credentials if server is not domain joined
    ansible.builtin.include_tasks:
      file: non_domain_server_cred.yml

  - name: Get basic facts
    ansible.builtin.setup:

  - name: Ping windows server
    ansible.builtin.win_ping:

Credentials

  • sys_ps_NonDomainServ (credential in Ansible)

Input

Variable       Description
pws_user       Passwordstate API username
pws_password   Passwordstate API password

Output

None

Dependencies