diff --git a/DSCResources/MSFT_xADUser/MSFT_xADUser.psm1 b/DSCResources/MSFT_xADUser/MSFT_xADUser.psm1
index df62b91eb..e5f0f84cd 100644
--- a/DSCResources/MSFT_xADUser/MSFT_xADUser.psm1
+++ b/DSCResources/MSFT_xADUser/MSFT_xADUser.psm1
@@ -77,146 +77,189 @@ function Get-TargetResource [OutputType([System.Collections.Hashtable])] param ( - ## Only used if password is managed. + ## Name of the domain where the user account is located (only used if password is managed) [Parameter(Mandatory)] [System.String] $DomainName, - # SamAccountName + # Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName') [Parameter(Mandatory)] [System.String] $UserName, + ## Specifies a new password value for an account [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Password, + ## Specifies whether the user account is created or deleted [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', - # Common name (CN) + ## Specifies the common nane assigned to the user account (ldapDisplayName 'cn') [ValidateNotNull()] [System.String] $CommonName = $UserName, + ## Specifies the UPN assigned to the user account (ldapDisplayName 'userPrincipalName') [ValidateNotNull()] [System.String] $UserPrincipalName, + ## Specifies the display name of the object (ldapDisplayName 'displayName') [ValidateNotNull()] [System.String] $DisplayName, + ## Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created [ValidateNotNull()] [System.String] $Path, + ## Specifies the user's given name (ldapDisplayName 'givenName') [ValidateNotNull()] [System.String] $GivenName, + ## Specifies the initials that represent part of a user's name (ldapDisplayName 'initials') [ValidateNotNull()] [System.String] $Initials, + ## Specifies the user's last name or surname (ldapDisplayName 'sn') [ValidateNotNull()] [System.String] $Surname, + ## Specifies a description of the object (ldapDisplayName 'description') [ValidateNotNull()] [System.String] $Description, + ## Specifies the user's street address (ldapDisplayName 'streetAddress') [ValidateNotNull()] [System.String] $StreetAddress, + ## 
Specifies the user's post office box number (ldapDisplayName 'postOfficeBox') [ValidateNotNull()] [System.String] $POBox, + ## Specifies the user's town or city (ldapDisplayName 'l') [ValidateNotNull()] [System.String] $City, + ## Specifies the user's or Organizational Unit's state or province (ldapDisplayName 'st') [ValidateNotNull()] [System.String] $State, + ## Specifies the user's postal code or zip code (ldapDisplayName 'postalCode') [ValidateNotNull()] [System.String] $PostalCode, + ## Specifies the country or region code for the user's language of choice (ldapDisplayName 'c') [ValidateNotNull()] [System.String] $Country, + ## Specifies the user's department (ldapDisplayName 'department') [ValidateNotNull()] [System.String] $Department, + ## Specifies the user's division (ldapDisplayName 'division') [ValidateNotNull()] [System.String] $Division, + ## Specifies the user's company (ldapDisplayName 'company') [ValidateNotNull()] [System.String] $Company, + ## Specifies the location of the user's office or place of business (ldapDisplayName 'physicalDeliveryOfficeName') [ValidateNotNull()] [System.String] $Office, + ## Specifies the user's title (ldapDisplayName 'title') [ValidateNotNull()] [System.String] $JobTitle, + ## Specifies the user's e-mail address (ldapDisplayName 'mail') [ValidateNotNull()] [System.String] $EmailAddress, + ## Specifies the user's employee ID (ldapDisplayName 'employeeID') [ValidateNotNull()] [System.String] $EmployeeID, + ## Specifies the user's employee number (ldapDisplayName 'employeeNumber') [ValidateNotNull()] [System.String] $EmployeeNumber, + ## Specifies a user's home directory path (ldapDisplayName 'homeDirectory') [ValidateNotNull()] [System.String] $HomeDirectory, + ## Specifies a drive that is associated with the UNC path defined by the HomeDirectory property (ldapDisplayName 'homeDrive') [ValidateNotNull()] [System.String] $HomeDrive, + ## Specifies the URL of the home page of the object (ldapDisplayName 'wWWHomePage') 
[ValidateNotNull()] [System.String] $HomePage, + ## Specifies a path to the user's profile (ldapDisplayName 'profilePath') [ValidateNotNull()] [System.String] $ProfilePath, + ## Specifies a path to the user's log on script (ldapDisplayName 'scriptPath') [ValidateNotNull()] [System.String] $LogonScript, + ## Specifies the notes attached to the user's accoutn (ldapDisplayName 'info') [ValidateNotNull()] [System.String] $Notes, + ## Specifies the user's office telephone number (ldapDisplayName 'telephoneNumber') [ValidateNotNull()] [System.String] $OfficePhone, + ## Specifies the user's mobile phone number (ldapDisplayName 'mobile') [ValidateNotNull()] [System.String] $MobilePhone, + ## Specifies the user's fax phone number (ldapDisplayName 'facsimileTelephoneNumber') [ValidateNotNull()] [System.String] $Fax, + ## Specifies the user's home telephone number (ldapDisplayName 'homePhone') [ValidateNotNull()] [System.String] $HomePhone, + ## Specifies the user's pager number (ldapDisplayName 'pager') [ValidateNotNull()] [System.String] $Pager, + ## Specifies the user's IP telephony phone number (ldapDisplayName 'ipPhone') [ValidateNotNull()] [System.String] $IPPhone, - ## User's manager specified as a Distinguished Name (DN) + ## Specifies the user's manager specified as a Distinguished Name (ldapDisplayName 'manager') [ValidateNotNull()] [System.String] $Manager, + ## Specifies if the account is enabled (default True) [ValidateNotNull()] [System.Boolean] $Enabled = $true, + ## Specifies whether the account password can be changed [ValidateNotNull()] [System.Boolean] $CannotChangePassword, + ## Specifies whether the password of an account can expire [ValidateNotNull()] [System.Boolean] $PasswordNeverExpires, + ## Specifies the Active Directory Domain Services instance to use to perform the task. 
[ValidateNotNull()] [System.String] $DomainController, - ## Ideally this should just be called 'Credential' but is here for backwards compatibility + ## Specifies the user account credentials to use to perform this task. Ideally this should just be called 'Credential' but is here for backwards compatibility [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] - $DomainAdministratorCredential + $DomainAdministratorCredential, + + ## Specifies the authentication context type when testing user passwords #61 + [ValidateSet('Default','Negotiate')] + [System.String] $PasswordAuthentication = 'Default' ) Assert-Module -ModuleName 'ActiveDirectory'; 
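Review bot: Two of the new parameter comments carry typos that the diff then copies into Test-TargetResource, Set-TargetResource and the schema: `## Specifies the common nane assigned to the user account (ldapDisplayName 'cn')` should read `common name`, and `## Specifies the notes attached to the user's accoutn (ldapDisplayName 'info')` should read `account`. The `$UserName` comment also keeps a single `#` where every neighbouring comment uses `##`. The new `$PasswordAuthentication` comment should tell a reader of this function what the option governs, e.g. `## Authentication context Test-Password uses to verify a supplied Password ('Default' or 'Negotiate'); presumably irrelevant when Password is not given`, because Get-TargetResource's body lies outside this hunk and gives no hint whether the value is consumed here or only accepted for DSC schema parity.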
@@ -295,145 +338,189 @@ function Test-TargetResource [OutputType([System.Boolean])] param ( - ## Only used if password is managed. + ## Name of the domain where the user account is located (only used if password is managed) [Parameter(Mandatory)] [System.String] $DomainName, - # SamAccountName + # Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName') [Parameter(Mandatory)] [System.String] $UserName, + ## Specifies a new password value for an account [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Password, + ## Specifies whether the user account is created or deleted [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', - # Common name (CN) + ## Specifies the common nane assigned to the user account (ldapDisplayName 'cn') [ValidateNotNull()] [System.String] $CommonName = $UserName, + ## Specifies the UPN assigned to the user account (ldapDisplayName 'userPrincipalName') [ValidateNotNull()] [System.String] $UserPrincipalName, + ## Specifies the display name of the object (ldapDisplayName 'displayName') [ValidateNotNull()] [System.String] $DisplayName, + ## Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created [ValidateNotNull()] [System.String] $Path, + ## Specifies the user's given name (ldapDisplayName 'givenName') [ValidateNotNull()] [System.String] $GivenName, + ## Specifies the initials that represent part of a user's name (ldapDisplayName 'initials') [ValidateNotNull()] [System.String] $Initials, + ## Specifies the user's last name or surname (ldapDisplayName 'sn') [ValidateNotNull()] [System.String] $Surname, + ## Specifies a description of the object (ldapDisplayName 'description') [ValidateNotNull()] [System.String] $Description, + ## Specifies the user's street address (ldapDisplayName 'streetAddress') [ValidateNotNull()] [System.String] $StreetAddress, + ## Specifies the 
user's post office box number (ldapDisplayName 'postOfficeBox') [ValidateNotNull()] [System.String] $POBox, + ## Specifies the user's town or city (ldapDisplayName 'l') [ValidateNotNull()] [System.String] $City, + ## Specifies the user's or Organizational Unit's state or province (ldapDisplayName 'st') [ValidateNotNull()] [System.String] $State, + ## Specifies the user's postal code or zip code (ldapDisplayName 'postalCode') [ValidateNotNull()] [System.String] $PostalCode, + ## Specifies the country or region code for the user's language of choice (ldapDisplayName 'c') [ValidateNotNull()] [System.String] $Country, + ## Specifies the user's department (ldapDisplayName 'department') [ValidateNotNull()] [System.String] $Department, + ## Specifies the user's division (ldapDisplayName 'division') [ValidateNotNull()] [System.String] $Division, + ## Specifies the user's company (ldapDisplayName 'company') [ValidateNotNull()] [System.String] $Company, + ## Specifies the location of the user's office or place of business (ldapDisplayName 'physicalDeliveryOfficeName') [ValidateNotNull()] [System.String] $Office, + ## Specifies the user's title (ldapDisplayName 'title') [ValidateNotNull()] [System.String] $JobTitle, + ## Specifies the user's e-mail address (ldapDisplayName 'mail') [ValidateNotNull()] [System.String] $EmailAddress, + ## Specifies the user's employee ID (ldapDisplayName 'employeeID') [ValidateNotNull()] [System.String] $EmployeeID, + ## Specifies the user's employee number (ldapDisplayName 'employeeNumber') [ValidateNotNull()] [System.String] $EmployeeNumber, + ## Specifies a user's home directory path (ldapDisplayName 'homeDirectory') [ValidateNotNull()] [System.String] $HomeDirectory, + ## Specifies a drive that is associated with the UNC path defined by the HomeDirectory property (ldapDisplayName 'homeDrive') [ValidateNotNull()] [System.String] $HomeDrive, + ## Specifies the URL of the home page of the object (ldapDisplayName 'wWWHomePage') 
[ValidateNotNull()] [System.String] $HomePage, + ## Specifies a path to the user's profile (ldapDisplayName 'profilePath') [ValidateNotNull()] [System.String] $ProfilePath, + ## Specifies a path to the user's log on script (ldapDisplayName 'scriptPath') [ValidateNotNull()] [System.String] $LogonScript, + ## Specifies the notes attached to the user's accoutn (ldapDisplayName 'info') [ValidateNotNull()] [System.String] $Notes, + ## Specifies the user's office telephone number (ldapDisplayName 'telephoneNumber') [ValidateNotNull()] [System.String] $OfficePhone, + ## Specifies the user's mobile phone number (ldapDisplayName 'mobile') [ValidateNotNull()] [System.String] $MobilePhone, + ## Specifies the user's fax phone number (ldapDisplayName 'facsimileTelephoneNumber') [ValidateNotNull()] [System.String] $Fax, + ## Specifies the user's home telephone number (ldapDisplayName 'homePhone') [ValidateNotNull()] [System.String] $HomePhone, + ## Specifies the user's pager number (ldapDisplayName 'pager') [ValidateNotNull()] [System.String] $Pager, + ## Specifies the user's IP telephony phone number (ldapDisplayName 'ipPhone') [ValidateNotNull()] [System.String] $IPPhone, - ## User's manager specified as a Distinguished Name (DN) + ## Specifies the user's manager specified as a Distinguished Name (ldapDisplayName 'manager') [ValidateNotNull()] [System.String] $Manager, + ## Specifies if the account is enabled (default True) [ValidateNotNull()] [System.Boolean] $Enabled = $true, + ## Specifies whether the account password can be changed [ValidateNotNull()] [System.Boolean] $CannotChangePassword, + ## Specifies whether the password of an account can expire [ValidateNotNull()] [System.Boolean] $PasswordNeverExpires, + ## Specifies the Active Directory Domain Services instance to use to perform the task. [ValidateNotNull()] [System.String] $DomainController, + ## Specifies the user account credentials to use to perform this task. 
Ideally this should just be called 'Credential' but is here for backwards compatibility [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] - $DomainAdministratorCredential + $DomainAdministratorCredential, + + ## Specifies the authentication context type when testing user passwords #61 + [ValidateSet('Default','Negotiate')] + [System.String] $PasswordAuthentication = 'Default' ) Assert-Parameters @PSBoundParameters; @@ -462,6 +549,7 @@ function Test-TargetResource Username = $UserName; Password = $Password; DomainName = $DomainName; + PasswordAuthentication = $PasswordAuthentication; } if ($DomainAdministratorCredential) { 
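Review bot: The splat that now carries `PasswordAuthentication = $PasswordAuthentication;` feeds Test-Password, which (per the Test-Password hunk further down) performs an LDAP bind as the managed user on every consistency check; a configured Password that no longer matches the account therefore produces a failed logon each time the LCM runs Test-TargetResource, which surfaces as repeated failed-logon audit events and, if an account lockout policy applies, can lock the account. That deserves a comment at the hashtable, e.g. `## Test-Password binds to AD as the user; a stale Password here is a failed logon on every consistency check`. The function continues past the end of this hunk, so I cannot see whether the splat is guarded by a check that Password was actually supplied.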
@@ -499,144 +587,189 @@ function Set-TargetResource [CmdletBinding()] param ( - ## Only used if password is managed. + ## Name of the domain where the user account is located (only used if password is managed) [Parameter(Mandatory)] [System.String] $DomainName, - # SamAccountName + # Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName') [Parameter(Mandatory)] [System.String] $UserName, + ## Specifies a new password value for an account [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Password, + ## Specifies whether the user account is created or deleted [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', + ## Specifies the common nane assigned to the user account (ldapDisplayName 'cn') [ValidateNotNull()] [System.String] $CommonName = $UserName, + ## Specifies the UPN assigned to the user account (ldapDisplayName 'userPrincipalName') [ValidateNotNull()] [System.String] $UserPrincipalName, + ## Specifies the display name of the object (ldapDisplayName 'displayName') [ValidateNotNull()] [System.String] $DisplayName, + ## Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created [ValidateNotNull()] [System.String] $Path, + ## Specifies the user's given name (ldapDisplayName 'givenName') [ValidateNotNull()] [System.String] $GivenName, + ## Specifies the initials that represent part of a user's name (ldapDisplayName 'initials') [ValidateNotNull()] [System.String] $Initials, + ## Specifies the user's last name or surname (ldapDisplayName 'sn') [ValidateNotNull()] [System.String] $Surname, + ## Specifies a description of the object (ldapDisplayName 'description') [ValidateNotNull()] [System.String] $Description, + ## Specifies the user's street address (ldapDisplayName 'streetAddress') [ValidateNotNull()] [System.String] $StreetAddress, + ## Specifies the user's post office box number 
(ldapDisplayName 'postOfficeBox') [ValidateNotNull()] [System.String] $POBox, + ## Specifies the user's town or city (ldapDisplayName 'l') [ValidateNotNull()] [System.String] $City, + ## Specifies the user's or Organizational Unit's state or province (ldapDisplayName 'st') [ValidateNotNull()] [System.String] $State, + ## Specifies the user's postal code or zip code (ldapDisplayName 'postalCode') [ValidateNotNull()] [System.String] $PostalCode, + ## Specifies the country or region code for the user's language of choice (ldapDisplayName 'c') [ValidateNotNull()] [System.String] $Country, + ## Specifies the user's department (ldapDisplayName 'department') [ValidateNotNull()] [System.String] $Department, + ## Specifies the user's division (ldapDisplayName 'division') [ValidateNotNull()] [System.String] $Division, + ## Specifies the user's company (ldapDisplayName 'company') [ValidateNotNull()] [System.String] $Company, + ## Specifies the location of the user's office or place of business (ldapDisplayName 'physicalDeliveryOfficeName') [ValidateNotNull()] [System.String] $Office, + ## Specifies the user's title (ldapDisplayName 'title') [ValidateNotNull()] [System.String] $JobTitle, + ## Specifies the user's e-mail address (ldapDisplayName 'mail') [ValidateNotNull()] [System.String] $EmailAddress, + ## Specifies the user's employee ID (ldapDisplayName 'employeeID') [ValidateNotNull()] [System.String] $EmployeeID, + ## Specifies the user's employee number (ldapDisplayName 'employeeNumber') [ValidateNotNull()] [System.String] $EmployeeNumber, + ## Specifies a user's home directory path (ldapDisplayName 'homeDirectory') [ValidateNotNull()] [System.String] $HomeDirectory, + ## Specifies a drive that is associated with the UNC path defined by the HomeDirectory property (ldapDisplayName 'homeDrive') [ValidateNotNull()] [System.String] $HomeDrive, + ## Specifies the URL of the home page of the object (ldapDisplayName 'wWWHomePage') [ValidateNotNull()] [System.String] $HomePage, 
+ ## Specifies a path to the user's profile (ldapDisplayName 'profilePath') [ValidateNotNull()] [System.String] $ProfilePath, + ## Specifies a path to the user's log on script (ldapDisplayName 'scriptPath') [ValidateNotNull()] [System.String] $LogonScript, + ## Specifies the notes attached to the user's accoutn (ldapDisplayName 'info') [ValidateNotNull()] [System.String] $Notes, + ## Specifies the user's office telephone number (ldapDisplayName 'telephoneNumber') [ValidateNotNull()] [System.String] $OfficePhone, + ## Specifies the user's mobile phone number (ldapDisplayName 'mobile') [ValidateNotNull()] [System.String] $MobilePhone, + ## Specifies the user's fax phone number (ldapDisplayName 'facsimileTelephoneNumber') [ValidateNotNull()] [System.String] $Fax, + ## Specifies the user's home telephone number (ldapDisplayName 'homePhone') [ValidateNotNull()] [System.String] $HomePhone, + ## Specifies the user's pager number (ldapDisplayName 'pager') [ValidateNotNull()] [System.String] $Pager, + ## Specifies the user's IP telephony phone number (ldapDisplayName 'ipPhone') [ValidateNotNull()] [System.String] $IPPhone, - ## User's manager specified as a Distinguished Name (DN) + ## Specifies the user's manager specified as a Distinguished Name (ldapDisplayName 'manager') [ValidateNotNull()] [System.String] $Manager, + ## Specifies if the account is enabled (default True) [ValidateNotNull()] [System.Boolean] $Enabled = $true, + ## Specifies whether the account password can be changed [ValidateNotNull()] [System.Boolean] $CannotChangePassword, + ## Specifies whether the password of an account can expire [ValidateNotNull()] [System.Boolean] $PasswordNeverExpires, + ## Specifies the Active Directory Domain Services instance to use to perform the task. [ValidateNotNull()] [System.String] $DomainController, + ## Specifies the user account credentials to use to perform this task. 
Ideally this should just be called 'Credential' but is here for backwards compatibility [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] - $DomainAdministratorCredential + $DomainAdministratorCredential, + + ## Specifies the authentication context type when testing user passwords #61 + [ValidateSet('Default','Negotiate')] + [System.String] $PasswordAuthentication = 'Default' ) Assert-Parameters @PSBoundParameters; @@ -825,7 +958,12 @@ function Test-Password [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] - $DomainAdministratorCredential + $DomainAdministratorCredential, + + ## Specifies the authentication context type when testing user passwords #61 + [Parameter(Mandatory)] + [ValidateSet('Default','Negotiate')] + [System.String] $PasswordAuthentication ) Write-Verbose -Message ($LocalizedData.CreatingADDomainConnection -f $DomainName); 
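Review bot: Making `$PasswordAuthentication` `[Parameter(Mandatory)]` in Test-Password turns every caller that does not pass it into a runtime failure (the LCM has no console to prompt on, so a missing mandatory parameter is an error); the only caller updated in this diff is Test-TargetResource, and Set-TargetResource's body is outside the hunks, so I cannot confirm it does not also call Test-Password. Since the public functions already default the value, the safer shape is the same default here: `[ValidateSet('Default','Negotiate')]` / `[System.String] $PasswordAuthentication = 'Default'`. Dropping `[Parameter(Mandatory)]` keeps the new tests' ParameterFilter assertions meaningful because Test-TargetResource still passes the value explicitly.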
@@ -834,15 +972,41 @@ function Test-Password if ($DomainAdministratorCredential) { $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext( - 'Domain', $DomainName, $DomainAdministratorCredential.UserName, ` - $DomainAdministratorCredential.GetNetworkCredential().Password); + [System.DirectoryServices.AccountManagement.ContextType]::Domain, + $DomainName, + $DomainAdministratorCredential.UserName, + $DomainAdministratorCredential.GetNetworkCredential().Password + ); } else { - $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $DomainName, $null, $null); + $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext( + [System.DirectoryServices.AccountManagement.ContextType]::Domain, + $DomainName, + $null, + $null + ); } Write-Verbose -Message ($LocalizedData.CheckingADUserPassword -f $UserName); - return $principalContext.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password); + + if ($PasswordAuthentication -eq 'Negotiate') + { + return $principalContext.ValidateCredentials( + $UserName, + $Password.GetNetworkCredential().Password, + [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate -bor + [System.DirectoryServices.AccountManagement.ContextOptions]::Signing -bor + [System.DirectoryServices.AccountManagement.ContextOptions]::Sealing + ); + } + else + { + ## Use default authentication context + return $principalContext.ValidateCredentials( + $UserName, + $Password.GetNetworkCredential().Password + ); + } } #end function Test-Password diff --git a/DSCResources/MSFT_xADUser/MSFT_xADUser.schema.mof b/DSCResources/MSFT_xADUser/MSFT_xADUser.schema.mof index f3f35589b..c0ad1d63e 100644 --- a/DSCResources/MSFT_xADUser/MSFT_xADUser.schema.mof +++ b/DSCResources/MSFT_xADUser/MSFT_xADUser.schema.mof 
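Review bot: `$principalContext` is constructed in both branches and never disposed — PrincipalContext implements IDisposable and owns the LDAP connection used for the bind, and the function returns straight out of ValidateCredentials (the `#end function Test-Password` marker is visible), so the handle lingers until finalization; both calls belong inside a try/finally that disposes the context. The `## Use default authentication context` comment is too thin to explain the choice: as far as I recall, the two-argument ValidateCredentials overload already attempts Negotiate with Signing and Sealing and only falls back to a simple bind over SSL on failure, in which case the 'Negotiate' option mainly removes that fallback rather than "adding NTLM" as the README wording suggests — worth confirming against the .NET docs and stating precisely in the comment. Negotiate also lets SSPI pick Kerberos or NTLM, so the comment should not promise NTLM. Finally, `GetNetworkCredential().Password` materialises both the administrator's and the user's password as plain CLR strings; that is forced by the API, but a comment should warn against ever echoing them in verbose output.
```powershell
# … unchanged: PrincipalContext construction with / without DomainAdministratorCredential …
try
{
    Write-Verbose -Message ($LocalizedData.CheckingADUserPassword -f $UserName);

    ## GetNetworkCredential() exposes the password as a plain string; never echo it in verbose/debug output
    $plainPassword = $Password.GetNetworkCredential().Password;

    if ($PasswordAuthentication -eq 'Negotiate')
    {
        ## Negotiate lets SSPI pick Kerberos or NTLM; Signing + Sealing protect the bind on the wire
        $contextOptions = [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate -bor
                          [System.DirectoryServices.AccountManagement.ContextOptions]::Signing -bor
                          [System.DirectoryServices.AccountManagement.ContextOptions]::Sealing;
        return $principalContext.ValidateCredentials($UserName, $plainPassword, $contextOptions);
    }

    ## 'Default' relies on the two-argument overload's built-in option selection (see .NET docs for the exact order)
    return $principalContext.ValidateCredentials($UserName, $plainPassword);
}
finally
{
    ## PrincipalContext is IDisposable and holds the LDAP connection used for the bind
    $principalContext.Dispose();
}
```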
@@ -1,49 +1,50 @@ -[ClassVersion("1.0.1.0"), FriendlyName("xADUser")] +[ClassVersion("1.0.1.0"), FriendlyName("xADUser")] class MSFT_xADUser : OMI_BaseResource { - [Key] String DomainName; - [Key] String UserName; - [Write, EmbeddedInstance("MSFT_Credential")] String Password; - [Write, ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure; - [Write] String CommonName; - [Write] String UserPrincipalName; - [Write] String DisplayName; - [Write] String Path; - [Write] String GivenName; - [Write] String Initials; - [Write] String Surname; - [Write] String Description; - [Write] String StreetAddress; - [Write] String POBox; - [Write] String City; - [Write] String State; - [Write] String PostalCode; - [Write] String Country; - [Write] String Department; - [Write] String Division; - [Write] String Company; - [Write] String Office; - [Write] String JobTitle; - [Write] String EmailAddress; - [Write] String EmployeeID; - [Write] String EmployeeNumber; - [Write] String HomeDirectory; - [Write] String HomeDrive; - [Write] String HomePage; - [Write] String ProfilePath; - [Write] String LogonScript; - [Write] String Notes; - [Write] String OfficePhone; - [Write] String MobilePhone; - [Write] String Fax; - [Write] String HomePhone; - [Write] String Pager; - [Write] String IPPhone; - [Write] String Manager; - [Write] Boolean Enabled; - [Write] Boolean CannotChangePassword; - [Write] Boolean PasswordNeverExpires; - [Write] String DomainController; - [Write, EmbeddedInstance("MSFT_Credential")] String DomainAdministratorCredential; - [Read, Description("")] String DistinguishedName; + [Key, Description("Name of the domain where the user account is located (only used if password is managed)")] String DomainName; + [Key, Description("Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName')")] String UserName; + [Write, Description("Specifies a new password value for the account"), EmbeddedInstance("MSFT_Credential")] 
String Password; + [Write, Description("Specifies whether the user account is created or deleted"), ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure; + [Write, Description("Specifies the common nane assigned to the user account (ldapDisplayName 'cn')")] String CommonName; + [Write, Description("Specifies the UPN assigned to the user account (ldapDisplayName 'userPrincipalName')")] String UserPrincipalName; + [Write, Description("Specifies the display name of the object (ldapDisplayName 'displayName')")] String DisplayName; + [Write, Description("Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created")] String Path; + [Write, Description("Specifies the user's given name (ldapDisplayName 'givenName')")] String GivenName; + [Write, Description("Specifies the initials that represent part of a user's name (ldapDisplayName 'initials')")] String Initials; + [Write, Description("Specifies the user's last name or surname (ldapDisplayName 'sn')")] String Surname; + [Write, Description("Specifies a description of the object (ldapDisplayName 'description')")] String Description; + [Write, Description("Specifies the user's street address (ldapDisplayName 'streetAddress')")] String StreetAddress; + [Write, Description("Specifies the user's post office box number (ldapDisplayName 'postOfficeBox')")] String POBox; + [Write, Description("Specifies the user's town or city (ldapDisplayName 'l')")] String City; + [Write, Description("Specifies the user's or Organizational Unit's state or province (ldapDisplayName 'st')")] String State; + [Write, Description("Specifies the user's postal code or zip code (ldapDisplayName 'postalCode')")] String PostalCode; + [Write, Description("Specifies the country or region code for the user's language of choice (ldapDisplayName 'c')")] String Country; + [Write, Description("Specifies the user's department (ldapDisplayName 'department')")] String Department; + [Write, 
Description("Specifies the user's division (ldapDisplayName 'division')")] String Division; + [Write, Description("Specifies the user's company (ldapDisplayName 'company')")] String Company; + [Write, Description("Specifies the location of the user's office or place of business (ldapDisplayName 'physicalDeliveryOfficeName')")] String Office; + [Write, Description("Specifies the user's title (ldapDisplayName 'title')")] String JobTitle; + [Write, Description("Specifies the user's e-mail address (ldapDisplayName 'mail')")] String EmailAddress; + [Write, Description("Specifies the user's employee ID (ldapDisplayName 'employeeID')")] String EmployeeID; + [Write, Description("Specifies the user's employee number (ldapDisplayName 'employeeNumber')")] String EmployeeNumber; + [Write, Description("Specifies a user's home directory path (ldapDisplayName 'homeDirectory')")] String HomeDirectory; + [Write, Description("Specifies a drive that is associated with the UNC path defined by the HomeDirectory property (ldapDisplayName 'homeDrive')")] String HomeDrive; + [Write, Description("Specifies the URL of the home page of the object (ldapDisplayName 'wWWHomePage')")] String HomePage; + [Write, Description("Specifies a path to the user's profile (ldapDisplayName 'profilePath')")] String ProfilePath; + [Write, Description("Specifies a path to the user's log on script (ldapDisplayName 'scriptPath')")] String LogonScript; + [Write, Description("Specifies the notes attached to the user's accoutn (ldapDisplayName 'info')")] String Notes; + [Write, Description("Specifies the user's office telephone number (ldapDisplayName 'telephoneNumber')")] String OfficePhone; + [Write, Description("Specifies the user's mobile phone number (ldapDisplayName 'mobile')")] String MobilePhone; + [Write, Description("Specifies the user's fax phone number (ldapDisplayName 'facsimileTelephoneNumber')")] String Fax; + [Write, Description("Specifies the user's home telephone number (ldapDisplayName 
'homePhone')")] String HomePhone; + [Write, Description("Specifies the user's pager number (ldapDisplayName 'pager')")] String Pager; + [Write, Description("Specifies the user's IP telephony phone number (ldapDisplayName 'ipPhone')")] String IPPhone; + [Write, Description("Specifies the user's manager specified as a Distinguished Name (ldapDisplayName 'manager')")] String Manager; + [Write, Description("Specifies if the account is enabled (default True)")] Boolean Enabled; + [Write, Description("Specifies whether the account password can be changed")] Boolean CannotChangePassword; + [Write, Description("Specifies whether the password of an account can expire")] Boolean PasswordNeverExpires; + [Write, Description("Specifies the Active Directory Domain Services instance to use to perform the task.")] String DomainController; + [Write, Description("Specifies the user account credentials to use to perform this task"), EmbeddedInstance("MSFT_Credential")] String DomainAdministratorCredential; + [Write, Description("Specifies the authentication context type used when testing passwords"), ValueMap{"Default","Negotiate"},Values{"Default","Negotiate"}] String PasswordAuthentication; + [Read, Description("Returns the X.500 path of the object")] String DistinguishedName; }; diff --git a/README.md b/README.md index 61827247a..e8ab2cab3 100644 --- a/README.md +++ b/README.md @@ -116,6 +116,8 @@ These DSC Resources allow you to configure new domains, child domains, and high * If not specified, this value defaults to False. * **CannotChangePassword**: Specifies whether the account password can be changed (optional). * If not specified, this value defaults to False. +* **PasswordAuthentication**: Specifies the authentication context used when testing users' passwords (optional). + * The 'Negotiate' option supports NTLM authentication - which may be required when testing users' passwords when Active Directory Certificate Services (ADCS) is deployed. ### **xWaitForADDomain** 
@@ -239,6 +241,10 @@ Setting an ODJ Request file path for a configuration that creates a computer acc ### Unreleased * Converted AppVeyor.yml to pull Pester from PSGallery instead of Chocolatey +* xADUser: Adds 'PasswordAuthentication' option when testing user passwords to support NTLM authentication with Active Directory Certificate Services deployments +* xADUser: Adds descriptions to user properties within the schema file. + + ### 2.12.0.0 * xADDomainController: Customer identified two cases of incorrect variables being called in Verbose output messages. Corrected. * xADComputer: New resource added. @@ -1139,4 +1145,3 @@ Example_xADComputerAccountODJ -DomainController 'DC01' ` Start-DscConfiguration -Path .\Example_xADComputerAccount -Wait -Verbose ``` - diff --git a/Tests/Unit/MSFT_xADUser.Tests.ps1 b/Tests/Unit/MSFT_xADUser.Tests.ps1 index a6877e4c2..4f9f9ee42 100644 --- a/Tests/Unit/MSFT_xADUser.Tests.ps1 +++ b/Tests/Unit/MSFT_xADUser.Tests.ps1 
@@ -1,27 +1,20 @@ -[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')] -param() - -$Global:DSCModuleName = 'xActiveDirectory' # Example xNetworking -$Global:DSCResourceName = 'MSFT_xADUser' # Example MSFT_xFirewall +$Global:DSCModuleName = 'xActiveDirectory' +$Global:DSCResourceName = 'MSFT_xADUser' #region HEADER [String] $moduleRoot = Split-Path -Parent (Split-Path -Parent (Split-Path -Parent $Script:MyInvocation.MyCommand.Path)) -Write-Host $moduleRoot -ForegroundColor Green; if ( (-not (Test-Path -Path (Join-Path -Path $moduleRoot -ChildPath 'DSCResource.Tests'))) -or ` (-not (Test-Path -Path (Join-Path -Path $moduleRoot -ChildPath 'DSCResource.Tests\TestHelper.psm1'))) ) { & git @('clone','https://github.com/PowerShell/DscResource.Tests.git',(Join-Path -Path $moduleRoot -ChildPath '\DSCResource.Tests\')) } -else -{ - & git @('-C',(Join-Path -Path $moduleRoot -ChildPath '\DSCResource.Tests\'),'pull') -} + Import-Module (Join-Path -Path $moduleRoot -ChildPath 'DSCResource.Tests\TestHelper.psm1') -Force $TestEnvironment = Initialize-TestEnvironment ` -DSCModuleName $Global:DSCModuleName ` -DSCResourceName $Global:DSCResourceName ` -TestType Unit -#endregion +#endregion HEADER # Begin Testing @@ -30,8 +23,6 @@ try #region Pester Tests - # The InModuleScope command allows you to perform white-box unit testing on the internal - # (non-exported) code of a Script Module. InModuleScope $Global:DSCResourceName { $testPresentParams = @{ @@ -54,7 +45,7 @@ try } $testDomainController = 'TESTDC'; - $testCredential = New-Object System.Management.Automation.PSCredential 'DummyUser', (ConvertTo-SecureString 'DummyPassword' -AsPlainText -Force); + $testCredential = [System.Management.Automation.PSCredential]::Empty; $testStringProperties = @( 'UserPrincipalName', 'DisplayName', 'Path', 'GivenName', 'Initials', 'Surname', 'Description', 'StreetAddress', 
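Review bot: Replacing the dummy `New-Object System.Management.Automation.PSCredential 'DummyUser', (ConvertTo-SecureString ...)` with `[System.Management.Automation.PSCredential]::Empty` changes what the fixture exercises: Empty has an empty UserName and, as far as I recall, no SecureString behind it, so any test path that reaches `$Password.GetNetworkCredential().Password` or `.UserName` without a mock behaves differently from a real credential and may throw. The new tests mock Test-Password, so they are safe, but `$testCredential` is shared by the whole file, and the `PSAvoidUsingConvertToSecureStringWithPlainText` suppression removed at the top of this hunk was the intended way to keep a realistic fixture. If the goal is only to avoid the plaintext-password analyzer rule, `New-Object System.Management.Automation.PSCredential 'DummyUser', (New-Object System.Security.SecureString)` gives a non-empty username with a real (empty) SecureString and needs no suppression.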
@@ -151,6 +142,24 @@ try Test-TargetResource @testPresentParams -Password $testCredential | Should Be $false; } + It "Calls 'Test-Password' with 'Default' PasswordAuthentication by default" { + Mock Get-TargetResource { return $testPresentParams } + Mock Test-Password -ParameterFilter { $PasswordAuthentication -eq 'Default' } { return $true; } + + Test-TargetResource @testPresentParams -Password $testCredential; + + Assert-MockCalled Test-Password -ParameterFilter { $PasswordAuthentication -eq 'Default' } -Scope It; + } + + It "Calls 'Test-Password' with 'Negotiate' PasswordAuthentication when specified" { + Mock Get-TargetResource { return $testPresentParams } + Mock Test-Password -ParameterFilter { $PasswordAuthentication -eq 'Negotiate' } { return $false; } + + Test-TargetResource @testPresentParams -Password $testCredential -PasswordAuthentication 'Negotiate'; + + Assert-MockCalled Test-Password -ParameterFilter { $PasswordAuthentication -eq 'Negotiate' } -Scope It; + } + foreach ($testParameter in $testStringProperties) { It "Passes when user account '$testParameter' matches AD account property" {
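Review bot: Neither new test asserts what Test-TargetResource returns; the second mocks Test-Password to return `$false` and then discards the result, so a regression that ignored Test-Password's verdict would still pass both `Assert-MockCalled` checks. Pipe the result into a Should: `Test-TargetResource @testPresentParams -Password $testCredential | Should Be $true;` and `Test-TargetResource @testPresentParams -Password $testCredential -PasswordAuthentication 'Negotiate' | Should Be $false;`. The `-ParameterFilter` on each Mock also means that if the wrong value were passed, whatever unfiltered Test-Password is in scope (an earlier Mock or the real function) would run instead — Assert-MockCalled catches that, but a one-line comment on why the filter is there would help the next reader.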