Commit
ADGroup: Fix issue #151, issue #189, issue #493 (#497)
- Changes to ActiveDirectoryDsc.Common
  - Update helper function `Add-ADCommonGroupMember` to reduce duplicated
    code, and add an evaluation if `Members` is empty.
  - Updated helper function `Restore-ADCommonObject` to write out a verbose
    message when no object was found in the recycle bin.
  - Updated helper function `Assert-MemberParameters` to not throw an error
    if the parameter `Members` is an empty array.
- Changes to ADGroup
  - Added a read-only property `DistinguishedName`.
  - Refactor the function `Set-TargetResource` to use the function
    `Get-TargetResource` so that `Set-TargetResource` can correctly throw
    an error when something goes wrong (issue #151, issue #166, issue #493).
  - It is now possible to enforce a group with no members by using
    `Members = @()` in a configuration (issue #189).
johlju authored Sep 2, 2019
1 parent 2490788 commit b6d67dd
Showing 12 changed files with 757 additions and 262 deletions.
14 changes: 14 additions & 0 deletions CHANGELOG.md
@@ -29,6 +29,12 @@
authentication exceptions when the credentials cannot be authenticated.
- Updated the function `Test-ADReplicationSite` to make the parameter
`Credential` mandatory.
- Update helper function `Add-ADCommonGroupMember` to reduce duplicated
code, and add an evaluation if `Members` is empty.
- Updated helper function `Restore-ADCommonObject` to write out a verbose
message when no object was found in the recycle bin.
- Updated helper function `Assert-MemberParameters` to not throw an error
if the parameter `Members` is en empty array.
- Changes to WaitForADDomain
- Correct grammar issues in example descriptions.
- An optional parameter `WaitForValidCredentials` can be set to $true
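Review bot: typo in the new `Assert-MemberParameters` entry: "en empty array" should read "an empty array" (the same wording appears in the commit message).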
@@ -70,6 +76,14 @@
- Now Get-TargetResource returns correct value when the group does not
exist.
- Added integration tests ([issue #350](https://github.com/PowerShell/ActiveDirectoryDsc/issues/350)).
- Added a read-only property `DistinguishedName`.
- Refactor the function `Set-TargetResource` to use the function
`Get-TargetResource` so that `Set-TargetResource` can correctly throw
an error when something goes wrong ([issue #151](https://github.com/PowerShell/ActiveDirectoryDsc/issues/151),
[issue #166](https://github.com/PowerShell/ActiveDirectoryDsc/issues/166),
[issue #493](https://github.com/PowerShell/ActiveDirectoryDsc/issues/493)).
- It is now possible to enforce a group with no members by using
`Members = @()` in a configuration ([issue #189](https://github.com/PowerShell/xActiveDirectory/issues/189)).

## 4.0.0.0

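Review bot: the new `issue #189` link points at `PowerShell/xActiveDirectory` while the other new links in this entry point at `PowerShell/ActiveDirectoryDsc`; the old repository name redirects, but for consistency consider using the `ActiveDirectoryDsc` URL. The changelog also lists issue #166 among the fixed issues while the commit title only names #151, #189 and #493; align the two so the release notes and the commit history tell the same story.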
@@ -449,7 +449,7 @@ Configuration ADDomainController_AddDomainControllerUsingInstallDns_Config
SafeModeAdministratorPassword = $Credential
InstallDns = $false

DependsOn = '[xWaitForADDomain]WaitForestAvailability'
DependsOn = '[WaitForADDomain]WaitForestAvailability'
}
}
}
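Review bot: the `DependsOn` value is corrected from `[xWaitForADDomain]` to `[WaitForADDomain]`, which is the resource name this module ships; since this stale `x`-prefixed reference survived the rename, it is worth searching the remaining examples for other `[x...]` references and adding a CHANGELOG line for this example fix if it is not already covered.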
242 changes: 137 additions & 105 deletions DSCResources/MSFT_ADGroup/MSFT_ADGroup.psm1

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions DSCResources/MSFT_ADGroup/MSFT_ADGroup.schema.mof
@@ -17,4 +17,5 @@ class MSFT_ADGroup : OMI_BaseResource
[Write, Description("Active Directory managed by attribute specified as a DistinguishedName.")] String ManagedBy;
[Write, Description("Active Directory group notes field.")] String Notes;
[Write, Description("Try to restore the group from the recycle bin before creating a new one.")] Boolean RestoreFromRecycleBin;
[Read, Description("Returns the distinguished name of the Active Directory group.")] String DistinguishedName;
};
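Review bot: the new `DistinguishedName` property is declared `Read`, so it must not appear as a parameter of `Set-TargetResource` or `Test-TargetResource`, and `Get-TargetResource` should always return the key (as `$null` when the group does not exist) so the returned hashtable has a stable shape; the description text matches the one added to about_ADGroup.help.txt in this commit, which is good.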
2 changes: 1 addition & 1 deletion DSCResources/MSFT_ADGroup/en-US/MSFT_ADGroup.strings.psd1
@@ -4,7 +4,7 @@ ConvertFrom-StringData @'
GroupMembershipNotDesiredState = Group membership is NOT in the desired state. (ADG0002)
AddingGroupMembers = Adding '{0}' member(s) to AD group '{1}'. (ADG0003)
RemovingGroupMembers = Removing '{0}' member(s) from AD group '{1}'. (ADG0004)
AddingGroup = Adding AD Group '{0}'. (ADG0005)
AddingGroup = Creating AD Group '{0}'. (ADG0005)
UpdatingGroup = Updating AD Group '{0}'. (ADG0006)
RemovingGroup = Removing AD Group '{0}'. (ADG0007)
MovingGroup = Moving AD Group '{0}' to '{1}'. (ADG0008)
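Review bot: the key `AddingGroup` now carries the message "Creating AD Group", so the key name no longer describes its text; either rename the key to `CreatingGroup` (updating its caller) or keep the original "Adding" wording. Changing the wording of ADG0005 also affects any unit test that asserts on the verbose output, so check those.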
4 changes: 4 additions & 0 deletions DSCResources/MSFT_ADGroup/en-US/about_ADGroup.help.txt
@@ -76,6 +76,10 @@
Write - Boolean
Try to restore the group from the recycle bin before creating a new one.

.PARAMETER DistinguishedName
Read - String
Returns the distinguished name of the Active Directory group.

.EXAMPLE 1

This configuration will create a new domain-local group
77 changes: 43 additions & 34 deletions Modules/ActiveDirectoryDsc.Common/ActiveDirectoryDsc.Common.psm1
@@ -664,7 +664,6 @@ function Assert-MemberParameters
param
(
[Parameter()]
[ValidateNotNull()]
[System.String[]]
$Members,

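Review bot: dropping `[ValidateNotNull()]` from `$Members` means the function now accepts an explicit `$null` as well as `@()`; make sure the callers treat both as "no members" (the intent of issue #189) or reject `$null` explicitly, and add a unit test for each case so the behaviour is pinned down.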
@@ -687,12 +686,6 @@ function Assert-MemberParameters
$errorMessage = $script:localizedData.MembersAndIncludeExcludeError -f 'Members', 'MembersToInclude', 'MembersToExclude'
New-InvalidArgumentException -ArgumentName 'Members' -Message $errorMessage
}

if ($Members.Length -eq 0)
{
$errorMessage = $script:localizedData.MembersIsNullError -f 'Members', 'MembersToInclude', 'MembersToExclude'
New-InvalidArgumentException -ArgumentName 'Members' -Message $errorMessage
}
}

if ($PSBoundParameters.ContainsKey('MembersToInclude'))
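Review bot: with the `$Members.Length -eq 0` check gone, an empty `Members` array now passes validation silently, which is the intended fix for issue #189, while the `MembersAndIncludeExcludeError` check above still fires when `Members` is combined with `MembersToInclude` or `MembersToExclude`. Add a unit test for `Members = @()` together with `MembersToInclude` to confirm the conflict is still reported, and one for `Members = @()` alone to confirm no error is thrown.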
@@ -1350,6 +1343,7 @@ function Restore-ADCommonObject
$restoreParams['ErrorAction'] = 'Stop'
$restoreParams['Identity'] = $restorableObject.DistinguishedName
$restoredObject = Restore-ADObject @restoreParams

Write-Verbose -Message ($script:localizedData.RecycleBinRestoreSuccessful -f $Identity, $ObjectClass) -Verbose
}
catch [Microsoft.ActiveDirectory.Management.ADException]
@@ -1359,6 +1353,10 @@ function Restore-ADCommonObject
New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
}
}
else
{
Write-Verbose -Message ($script:localizedData.NoObjectFoundInRecycleBin) -Verbose
}

return $restoredObject
}
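Review bot: the new `else` branch logs with `Write-Verbose -Verbose`, which forces the message regardless of the caller's `$VerbosePreference`; this is consistent with the existing `RecycleBinRestoreSuccessful` message, but it means the text shows up in non-verbose DSC runs as well. Also, `return $restoredObject` is reached on this path without any assignment in the branch; confirm that `$restoredObject` is initialised to `$null` before the `if`, otherwise `Set-StrictMode` would report an unset variable.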
@@ -1454,41 +1452,52 @@ function Add-ADCommonGroupMember

Assert-Module -ModuleName ActiveDirectory

if ($MembersInMultipleDomains.IsPresent)
if ($Members)
{
foreach ($member in $Members)
if ($MembersInMultipleDomains.IsPresent)
{
$memberDomain = Get-ADDomainNameFromDistinguishedName -DistinguishedName $member

if (-not $memberDomain)
foreach ($member in $Members)
{
$errorMessage = $script:localizedData.EmptyDomainError -f $member, $Parameters.Identity
New-InvalidOperationException -Message $errorMessage
}
$memberDomain = Get-ADDomainNameFromDistinguishedName -DistinguishedName $member

Write-Verbose -Message ($script:localizedData.AddingGroupMember -f $member, $memberDomain, $Parameters.Identity)
if (-not $memberDomain)
{
$errorMessage = $script:localizedData.EmptyDomainError -f $member, $Parameters.Identity
New-InvalidOperationException -Message $errorMessage
}

$memberObjectClass = (Get-ADObject -Identity $member -Server $memberDomain -Properties ObjectClass).ObjectClass
Write-Verbose -Message ($script:localizedData.AddingGroupMember -f $member, $memberDomain, $Parameters.Identity)

if ($memberObjectClass -eq 'computer')
{
$memberObject = Get-ADComputer -Identity $member -Server $memberDomain
}
elseif ($memberObjectClass -eq 'group')
{
$memberObject = Get-ADGroup -Identity $member -Server $memberDomain
}
elseif ($memberObjectClass -eq 'user')
{
$memberObject = Get-ADUser -Identity $member -Server $memberDomain
}
$commonParameters = @{
Identity = $member
Server = $memberDomain
ErrorAction = 'Stop'
}

$activeDirectoryObject = Get-ADObject @commonParameters -Properties @('ObjectClass')

$memberObjectClass = $activeDirectoryObject.ObjectClass

if ($memberObjectClass -eq 'computer')
{
$memberObject = Get-ADComputer @commonParameters
}
elseif ($memberObjectClass -eq 'group')
{
$memberObject = Get-ADGroup @commonParameters
}
elseif ($memberObjectClass -eq 'user')
{
$memberObject = Get-ADUser @commonParameters
}

Add-ADGroupMember @Parameters -Members $memberObject
Add-ADGroupMember @Parameters -Members $memberObject -ErrorAction 'Stop'
}
}
else
{
Add-ADGroupMember @Parameters -Members $Members -ErrorAction 'Stop'
}
}
else
{
Add-ADGroupMember @Parameters -Members $Members
}
}

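Review bot: in the multi-domain loop, `$memberObject` is only assigned when `ObjectClass` is `computer`, `group` or `user`; for any other class (a `msDS-GroupManagedServiceAccount` or a `contact`, for example) the variable is unset on the first iteration or, worse, still holds the previous member's object, so `Add-ADGroupMember` would be called with the wrong object or fail with a confusing error. Add a final `else` that either throws an invalid-operation error naming the unsupported class or falls back to `$memberObject = $activeDirectoryObject`, since `Add-ADGroupMember -Members` accepts any AD object. The new `if ($Members)` guard correctly skips the call for `@()`, and adding `-ErrorAction 'Stop'` to both `Add-ADGroupMember` calls is what lets `Set-TargetResource` surface failures (issue #151).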
@@ -12,7 +12,6 @@ ConvertFrom-StringData @'
UnableToCompareType = Unable to compare the type {0} as it is not handled by the Test-DscPropertyState cmdlet. (ADCOMMON0009)
ModuleNotFoundError = Please ensure that the PowerShell module for role '{0}' is installed. (ADCOMMON0010)
MembersAndIncludeExcludeError = The '{0}' and '{1}' and/or '{2}' parameters conflict. The '{0}' parameter should not be used in any combination with the '{1}' and '{2}' parameters. (ADCOMMON0011)
MembersIsNullError = The Members parameter value is null. The '{0}' parameter must be provided if neither '{1}' nor '{2}' is provided. (ADCOMMON0012)
IncludeAndExcludeConflictError = The member '{0}' is included in both '{1}' and '{2}' parameter values. The same member must not be included in both '{1}' and '{2}' parameter values. (ADCOMMON0014)
IncludeAndExcludeAreEmptyError = The '{0}' and '{1}' parameters are either both null or empty. At least one member must be specified in one of these parameters. (ADCOMMON0015)
RecycleBinRestoreFailed = Failed restoring {0} ({1}) from the recycle bin. (ADCOMMON0017)
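Review bot: removing `MembersIsNullError` (ADCOMMON0012) matches the removal of the corresponding check in `Assert-MemberParameters`; make sure no unit test still references `$script:localizedData.MembersIsNullError`, since that would now resolve to `$null` and yield an empty expected message rather than a clearly failing test.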
@@ -51,4 +50,5 @@ ConvertFrom-StringData @'
SearchingForDomainController = Searching for a domain controller in the domain '{0}'. (ADCOMMON0052)
SearchingForDomainControllerInSite = Searching for a domain controller in the site '{0}' in the domain '{1}'. (ADCOMMON0053)
IgnoreCredentialError = Suppressing the credential error '{0}' with the message '{1}'. (ADCOMMON0054)
NoObjectFoundInRecycleBin = Did not find a restorable object in the recycle bin. (ADCOMMON0055)
'@
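Review bot: `NoObjectFoundInRecycleBin` (ADCOMMON0055) carries no placeholders, so the verbose message does not say which object was looked up; the neighbouring `RecycleBinRestoreSuccessful` message includes the identity and object class, and the caller in `Restore-ADCommonObject` has both `$Identity` and `$ObjectClass` in scope, so consider `Did not find a restorable {1} object '{0}' in the recycle bin.` formatted with `-f $Identity, $ObjectClass`.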
0 comments on commit b6d67dd