From 74f14ac23d25e0c6be2468ceae5e87b62a22e0b1 Mon Sep 17 00:00:00 2001
From: Jordan Borean
Date: Sat, 21 Apr 2018 06:57:08 +1000
Subject: [PATCH] win_setup: backport 2.4 fix for machine sid to work in domains with lots of users (#39040)

* win_setup: fix for machine sid to work in domains with lots of users (#38646)

(cherry picked from commit 2fc3ac351666e50bb4e9144fb2be3b280d498c5b)

* Added changelog entry for windows setup.ps1 fix
---
 CHANGELOG.md | 2 ++
 lib/ansible/modules/windows/setup.ps1 | 20 ++++++++++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e5419ab84..f91d02bc73 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@ Ansible Changes By Release
 * Fix win_copy to preserve the global Ansible local tmp path instead of deleting it when dealing with multiple files (https://github.com/ansible/ansible/pull/37964)
+* Fix Windows setup.ps1 for slow performance in large domain environments
+ (https://github.com/ansible/ansible/pull/38646)
diff --git a/lib/ansible/modules/windows/setup.ps1 b/lib/ansible/modules/windows/setup.ps1
index b079489bd0..dbf1e8d56b 100644
--- a/lib/ansible/modules/windows/setup.ps1
+++ b/lib/ansible/modules/windows/setup.ps1
@@ -41,16 +41,24 @@ Function Get-MachineSid {
 # only accessible by the Local System account. This method get's the local
 # admin account (ends with -500) and lops it off to get the machine sid.
+ $admins_sid = "S-1-5-32-544"
+ $admin_group = ([Security.Principal.SecurityIdentifier]$admins_sid).Translate([Security.Principal.NTAccount]).Value
+
 Add-Type -AssemblyName System.DirectoryServices.AccountManagement
 $principal_context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
- $user_principal = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal($principal_context)
- $searcher = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalSearcher($user_principal)
- $users = $searcher.FindAll() | Where-Object { $_.Sid -like "*-500" }
-
+ $group_principal = New-Object -TypeName System.DirectoryServices.AccountManagement.GroupPrincipal($principal_context, $admin_group)
+ $searcher = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalSearcher($group_principal)
+ $groups = $searcher.FindOne()
+
 $machine_sid = $null
- if ($users -ne $null) {
- $machine_sid = $users.Sid.AccountDomainSid.Value
+ foreach ($user in $groups.Members) {
+ $user_sid = $user.Sid
+ if ($user_sid.Value.EndsWith("-500")) {
+ $machine_sid = $user_sid.AccountDomainSid.Value
+ break
+ }
 }
+
 return $machine_sid
 }
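Review bot: The `EndsWith("-500")` test inside the new `foreach` accepts any member of the local Administrators group whose SID ends in -500, but `$groups.Members` on a domain-joined host can include domain principals, and a domain Administrator account (RID 500 in its domain) added directly to that group would make `AccountDomainSid` return the domain SID instead of the machine SID; the removed `UserPrincipal` search was scoped to the Machine context, so this is a new way for the returned machine SID to be wrong. Restricting the match to local principals closes that gap, e.g. `if ($user.ContextType -eq [System.DirectoryServices.AccountManagement.ContextType]::Machine -and $user_sid.Value.EndsWith("-500")) {`. Separately, `$searcher.FindOne()` can return `$null` if the translated group name is not found, and `$groups.Members` is then dereferenced without a check; presumably that iterates nothing and returns `$null` as the old code did, but a guard such as `if ($groups -eq $null) { return $null }` makes the intent explicit. The enclosing Get-MachineSid begins before the hunk.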