From 51a74bc7066a679012368d9e4756cc8ee9506305 Mon Sep 17 00:00:00 2001 From: Johan Ljunggren Date: Sat, 3 Aug 2019 10:45:29 +0200 Subject: [PATCH 1/6] ADComputer: Add example to create cluster computer account (#461) - Changes to ActiveDirectoryDsc - Fix examples that had duplicate guid that would have prevented them to be published. - Changes to ADComputer - Add example showing how to create cluster computer account (issue #401). --- CHANGELOG.md | 3 + .../en-US/about_ADComputer.help.txt | 47 +++++++++++++ .../en-US/about_WaitForADDomain.help.txt | 11 +++- ...er_CreateClusterComputerAccount_Config.ps1 | 66 +++++++++++++++++++ ...ledState_EnabledComputerAccount_Config.ps1 | 2 +- ...PrestagedClusterComputerAccount_Config.ps1 | 2 +- ...ateUserAndIgnorePasswordChanges_Config.ps1 | 2 +- ...ontrollerUsingBuiltInCredential_Config.ps1 | 2 +- ...DomainControllerUsingCredential_Config.ps1 | 2 +- ...n_WaitForDomainControllerInSite_Config.ps1 | 2 +- ...itForDomainControllerWithReboot_Config.ps1 | 2 +- ...DomainControllerWithLongerDelay_Config.ps1 | 2 +- 12 files changed, 134 insertions(+), 9 deletions(-) create mode 100644 Examples/Resources/ADComputer/5-ADComputer_CreateClusterComputerAccount_Config.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index d0e6491d7..d54167546 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -55,6 +55,8 @@ - Updated all the examples files to be prefixed with the resource name so they are more easily discovered in PowerShell Gallery and Azure Automation ([issue #416](https://github.com/PowerShell/ActiveDirectoryDsc/issues/416)). + - Fix examples that had duplicate guid that would have prevented them + to be published. - Changes to ADManagedServiceAccount - Added a requirement to README stating "Group Managed Service Accounts need at least one Windows Server 2012 Domain Controller" 
@@ -68,6 +70,7 @@ any credential with enough permission to perform the task ([issue #269](https://github.com/PowerShell/ActiveDirectoryDsc/issues/269)). - Fixed the GUID in Example 3-AddComputerAccountSpecificPath_Config ([issue #410](https://github.com/PowerShell/ActiveDirectoryDsc/issues/410)). + - Add example showing how to create cluster computer account ([issue #401](https://github.com/PowerShell/ActiveDirectoryDsc/issues/401)). - Changes to ADOrganizationalUnit - Catch exception when the path property specifies a non-existing path ([issue #408](https://github.com/PowerShell/ActiveDirectoryDsc/issues/408)). diff --git a/DSCResources/MSFT_ADComputer/en-US/about_ADComputer.help.txt b/DSCResources/MSFT_ADComputer/en-US/about_ADComputer.help.txt index ebe5b7e28..23cdc0733 100644 --- a/DSCResources/MSFT_ADComputer/en-US/about_ADComputer.help.txt +++ b/DSCResources/MSFT_ADComputer/en-US/about_ADComputer.help.txt 
@@ -221,4 +221,51 @@ Configuration ADComputer_AddComputerAccountAndCreateODJRequest_Config } } +.EXAMPLE 5 + +This configuration will create a computer account disabled, configure +a cluster using the disabled computer account, and enforcing the +computer account to be enabled. + +Configuration ADComputer_CreateClusterComputerAccount_Config +{ + param + ( + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [System.Management.Automation.PSCredential] + $Credential + ) + + Import-DscResource -ModuleName ActiveDirectoryDsc + Import-DscResource -ModuleName xFailoverCluster + + node localhost + { + ADComputer 'ClusterAccount' + { + ComputerName = 'CLU_CNO01' + EnabledOnCreation = $false + } + + xCluster 'CreateCluster' + { + Name = 'CLU_CNO01' + StaticIPAddress = '192.168.100.20/24' + DomainAdministratorCredential = $Credential + + DependsOn = '[ADComputer]ClusterAccount' + } + + ADObjectEnabledState 'EnforceEnabledPropertyToEnabled' + { + Identity = 'CLU_CNO01' + ObjectClass = 'Computer' + Enabled = $true + + DependsOn = '[xCluster]CreateCluster' + } + } +} + diff --git a/DSCResources/MSFT_WaitForADDomain/en-US/about_WaitForADDomain.help.txt b/DSCResources/MSFT_WaitForADDomain/en-US/about_WaitForADDomain.help.txt index 0884a2e88..848eac46e 100644 --- a/DSCResources/MSFT_WaitForADDomain/en-US/about_WaitForADDomain.help.txt +++ b/DSCResources/MSFT_WaitForADDomain/en-US/about_WaitForADDomain.help.txt 
@@ -2,7 +2,16 @@ WaitForADDomain .DESCRIPTION - The WaitForADDomain resource is used to wait for Active Directory to become available. + The WaitForADDomain resource is used to wait for Active Directory domain + controller to become available in the domain, or available in + a specific site in the domain. + + >Running the resource as *NT AUTHORITY\SYSTEM*, only work when + >evaluating the domain on the current node, for example on a + >node that should be a domain controller (which might require a + >restart of the node once the node becomes a domain controller). + >In all other scenarios use either the built-in parameter + >`PsDscRunAsCredential`, or the parameter `Credential`. ## Requirements diff --git a/Examples/Resources/ADComputer/5-ADComputer_CreateClusterComputerAccount_Config.ps1 b/Examples/Resources/ADComputer/5-ADComputer_CreateClusterComputerAccount_Config.ps1 new file mode 100644 index 000000000..c7e7f3af4 --- /dev/null +++ b/Examples/Resources/ADComputer/5-ADComputer_CreateClusterComputerAccount_Config.ps1 
@@ -0,0 +1,66 @@
+<#PSScriptInfo
+.VERSION 1.0.0
+.GUID 331c7f40-112d-468c-9bd0-8f1b073bee44
+.AUTHOR Microsoft Corporation
+.COMPANYNAME Microsoft Corporation
+.COPYRIGHT (c) Microsoft Corporation. All rights reserved.
+.TAGS DSCConfiguration
+.LICENSEURI https://github.com/PowerShell/ActiveDirectoryDsc/blob/master/LICENSE
+.PROJECTURI https://github.com/PowerShell/ActiveDirectoryDsc
+.ICONURI
+.EXTERNALMODULEDEPENDENCIES
+.REQUIREDSCRIPTS
+.EXTERNALSCRIPTDEPENDENCIES
+.RELEASENOTES First version.
+.PRIVATEDATA 2016-Datacenter,2016-Datacenter-Server-Core
+#>
+
+#Requires -module ActiveDirectoryDsc
+#Requires -module xFailoverCluster
+
+<#
+ .DESCRIPTION
+ This configuration will create a computer account disabled, configure
+ a cluster using the disabled computer account, and enforcing the
+ computer account to be enabled.
+#>
+Configuration ADComputer_CreateClusterComputerAccount_Config
+{
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullOrEmpty()]
+ [System.Management.Automation.PSCredential]
+ $Credential
+ )
+
+ Import-DscResource -ModuleName ActiveDirectoryDsc
+ Import-DscResource -ModuleName xFailoverCluster
+
+ node localhost
+ {
+ ADComputer 'ClusterAccount'
+ {
+ ComputerName = 'CLU_CNO01'
+ EnabledOnCreation = $false
+ }
+
+ xCluster 'CreateCluster'
+ {
+ Name = 'CLU_CNO01'
+ StaticIPAddress = '192.168.100.20/24'
+ DomainAdministratorCredential = $Credential
+
+ DependsOn = '[ADComputer]ClusterAccount'
+ }
+
+ ADObjectEnabledState 'EnforceEnabledPropertyToEnabled'
+ {
+ Identity = 'CLU_CNO01'
+ ObjectClass = 'Computer'
+ Enabled = $true
+
+ DependsOn = '[xCluster]CreateCluster'
+ }
+ }
+}
diff --git a/Examples/Resources/ADObjectEnabledState/1-ADObjectEnabledState_EnabledComputerAccount_Config.ps1 b/Examples/Resources/ADObjectEnabledState/1-ADObjectEnabledState_EnabledComputerAccount_Config.ps1
index 9b4724806..50fef6b55 100644
--- a/Examples/Resources/ADObjectEnabledState/1-ADObjectEnabledState_EnabledComputerAccount_Config.ps1
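Review bot: The example passes a `PSCredential` to `DomainAdministratorCredential` in the `xCluster` block, and neither the `.DESCRIPTION` nor the configuration shows how that secret is protected when the configuration is compiled. DSC writes credentials into the compiled MOF, so a reader copying this as-is either hits the plain-text-password compile error or is tempted to allow plain text. I would extend the `.DESCRIPTION` with a sentence such as `The credential is written to the compiled MOF; compile with a ConfigurationData node entry that sets CertificateFile and Thumbprint so it is encrypted.` It would also help to state which rights the account needs on the pre-staged `CLU_CNO01` object, since the parameter name suggests a domain administrator; what xCluster actually requires cannot be told from this hunk.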
+++ b/Examples/Resources/ADObjectEnabledState/1-ADObjectEnabledState_EnabledComputerAccount_Config.ps1
@@ -1,6 +1,6 @@
 <#PSScriptInfo
 .VERSION 1.0.0
-.GUID b4d414dc-e230-4055-bdc3-fae268493881
+.GUID d2dfbf17-b113-42f7-9abe-f6c6dc5ea086
 .AUTHOR Microsoft Corporation
 .COMPANYNAME Microsoft Corporation
 .COPYRIGHT (c) Microsoft Corporation. All rights reserved.
diff --git a/Examples/Resources/ADObjectEnabledState/3-ADObjectEnabledState_EnabledPrestagedClusterComputerAccount_Config.ps1 b/Examples/Resources/ADObjectEnabledState/3-ADObjectEnabledState_EnabledPrestagedClusterComputerAccount_Config.ps1
index 9f40aa0f3..49bc26028 100644
--- a/Examples/Resources/ADObjectEnabledState/3-ADObjectEnabledState_EnabledPrestagedClusterComputerAccount_Config.ps1
+++ b/Examples/Resources/ADObjectEnabledState/3-ADObjectEnabledState_EnabledPrestagedClusterComputerAccount_Config.ps1
@@ -1,6 +1,6 @@
 <#PSScriptInfo
 .VERSION 1.0.0
-.GUID b4d414dc-e230-4055-bdc3-fae268493881
+.GUID 1da557bb-07a1-4461-8f64-df0d62b30305
 .AUTHOR Microsoft Corporation
 .COMPANYNAME Microsoft Corporation
 .COPYRIGHT (c) Microsoft Corporation. All rights reserved.
diff --git a/Examples/Resources/ADUser/2-ADUser_CreateUserAndIgnorePasswordChanges_Config.ps1 b/Examples/Resources/ADUser/2-ADUser_CreateUserAndIgnorePasswordChanges_Config.ps1
index 6a1bd37f3..a43d1a917 100644
--- a/Examples/Resources/ADUser/2-ADUser_CreateUserAndIgnorePasswordChanges_Config.ps1
+++ b/Examples/Resources/ADUser/2-ADUser_CreateUserAndIgnorePasswordChanges_Config.ps1
@@ -1,6 +1,6 @@
 <#PSScriptInfo
 .VERSION 1.0
-.GUID b293f599-2660-424d-8200-61d399e44257
+.GUID 3bf5100b-238e-435a-8a98-67d756c5cdeb
 .AUTHOR Microsoft Corporation
 .COMPANYNAME Microsoft Corporation
 .COPYRIGHT (c) Microsoft Corporation. All rights reserved.
diff --git a/Examples/Resources/WaitForADDomain/2-WaitForADDomain_WaitForDomainControllerUsingBuiltInCredential_Config.ps1 b/Examples/Resources/WaitForADDomain/2-WaitForADDomain_WaitForDomainControllerUsingBuiltInCredential_Config.ps1
index 1ef977615..9e4674318 100644
--- a/Examples/Resources/WaitForADDomain/2-WaitForADDomain_WaitForDomainControllerUsingBuiltInCredential_Config.ps1
+++ b/Examples/Resources/WaitForADDomain/2-WaitForADDomain_WaitForDomainControllerUsingBuiltInCredential_Config.ps1
@@ -1,6 +1,6 @@
 <#PSScriptInfo
 .VERSION 1.0
-.GUID 5f105122-a318-46f4-a7e9-7dc745c57878
+.GUID ef167bdf-7f25-4d28-8ef3-68918eb2702c
 .AUTHOR Microsoft Corporation
 .COMPANYNAME Microsoft Corporation
 .COPYRIGHT (c) Microsoft Corporation. All rights reserved.
diff --git a/Examples/Resources/WaitForADDomain/3-WaitForADDomain_WaitForDomainControllerUsingCredential_Config.ps1 b/Examples/Resources/WaitForADDomain/3-WaitForADDomain_WaitForDomainControllerUsingCredential_Config.ps1
index 7833077a5..d0b72d3e0 100644
--- a/Examples/Resources/WaitForADDomain/3-WaitForADDomain_WaitForDomainControllerUsingCredential_Config.ps1
+++ b/Examples/Resources/WaitForADDomain/3-WaitForADDomain_WaitForDomainControllerUsingCredential_Config.ps1
@@ -1,6 +1,6 @@
 <#PSScriptInfo
 .VERSION 1.0
-.GUID 5f105122-a318-46f4-a7e9-7dc745c57878
+.GUID d0713e4e-274b-4510-949e-39bce2ef2158
 .AUTHOR Microsoft Corporation
 .COMPANYNAME Microsoft Corporation
 .COPYRIGHT (c) Microsoft Corporation. All rights reserved.
diff --git a/Examples/Resources/WaitForADDomain/4-WaitForADDomain_WaitForDomainControllerInSite_Config.ps1 b/Examples/Resources/WaitForADDomain/4-WaitForADDomain_WaitForDomainControllerInSite_Config.ps1
index a5e6ca722..78facaac8 100644
--- a/Examples/Resources/WaitForADDomain/4-WaitForADDomain_WaitForDomainControllerInSite_Config.ps1
+++ b/Examples/Resources/WaitForADDomain/4-WaitForADDomain_WaitForDomainControllerInSite_Config.ps1
@@ -1,6 +1,6 @@
 <#PSScriptInfo
 .VERSION 1.0
-.GUID 5f105122-a318-46f4-a7e9-7dc745c57878
+.GUID 20e1a154-1197-44e3-9c81-d1b9cc67defd
 .AUTHOR Microsoft Corporation
 .COMPANYNAME Microsoft Corporation
 .COPYRIGHT (c) Microsoft Corporation. All rights reserved.
diff --git a/Examples/Resources/WaitForADDomain/5-WaitForADDomain_WaitForDomainControllerWithReboot_Config.ps1 b/Examples/Resources/WaitForADDomain/5-WaitForADDomain_WaitForDomainControllerWithReboot_Config.ps1
index d2f7c7d4e..717796968 100644
--- a/Examples/Resources/WaitForADDomain/5-WaitForADDomain_WaitForDomainControllerWithReboot_Config.ps1
+++ b/Examples/Resources/WaitForADDomain/5-WaitForADDomain_WaitForDomainControllerWithReboot_Config.ps1
@@ -1,6 +1,6 @@
 <#PSScriptInfo
 .VERSION 1.0
-.GUID 5f105122-a318-46f4-a7e9-7dc745c57878
+.GUID 2ada2ead-8736-4d5e-9587-e14bacc28761
 .AUTHOR Microsoft Corporation
 .COMPANYNAME Microsoft Corporation
 .COPYRIGHT (c) Microsoft Corporation. All rights reserved.
diff --git a/Examples/Resources/WaitForADDomain/6-WaitForADDomain_WaitForDomainControllerWithLongerDelay_Config.ps1 b/Examples/Resources/WaitForADDomain/6-WaitForADDomain_WaitForDomainControllerWithLongerDelay_Config.ps1
index 700f6896a..fdc8b3395 100644
--- a/Examples/Resources/WaitForADDomain/6-WaitForADDomain_WaitForDomainControllerWithLongerDelay_Config.ps1
+++ b/Examples/Resources/WaitForADDomain/6-WaitForADDomain_WaitForDomainControllerWithLongerDelay_Config.ps1
@@ -1,6 +1,6 @@
 <#PSScriptInfo
 .VERSION 1.0
-.GUID 5f105122-a318-46f4-a7e9-7dc745c57878
+.GUID 0d9d34c3-c750-45f8-8611-74087e958fe1
 .AUTHOR Microsoft Corporation
 .COMPANYNAME Microsoft Corporation
 .COPYRIGHT (c) Microsoft Corporation. All rights reserved.
From 50197b4ab73b30f6b50b72cba656c7bb18e61154 Mon Sep 17 00:00:00 2001
From: Johan Ljunggren Date: Sat, 3 Aug 2019 11:09:00 +0200 Subject: [PATCH 2/6] ADUser: Update the default value logic for CommonName (#460) - Changes to ADUser - Update the logic for setting the default value for the parameter `CommonName`. This is due to an how LCM handles parameters when a default value is derived from another parameter (issue #427). --- CHANGELOG.md | 3 +++ DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 | 33 ++++++++++++++++++++--- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d54167546..68fcffa2e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -90,6 +90,9 @@ - Now it correctly tests passwords when parameter DomainName is set to distinguished name and parameter Credential is used ([issue #451](https://github.com/PowerShell/ActiveDirectoryDsc/issues/451)). - Added integration tests ([issue #359](https://github.com/PowerShell/ActiveDirectoryDsc/issues/359)). + - Update the logic for setting the default value for the parameter + `CommonName`. This is due to an how LCM handles parameters when a + default value is derived from another parameter ([issue #427](https://github.com/PowerShell/ActiveDirectoryDsc/issues/427)). - Changes to ADDomain - BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential` to `Credential` to better indicate that it is possible to impersonate diff --git a/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 b/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 index 6a9817a60..d6fc72061 100644 --- a/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 +++ b/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 @@ -460,7 +460,7 @@ function Get-TargetResource [Parameter()] [ValidateNotNull()] [System.String] - $CommonName = $UserName, + $CommonName, [Parameter()] [ValidateNotNull()] 
@@ -734,6 +734,15 @@ function Get-TargetResource $ProxyAddresses ) + <# + This is a workaround to make the resource able to enter debug mode. + For more information see issue https://github.com/PowerShell/ActiveDirectoryDsc/issues/427. + #> + if (-not $PSBoundParameters.ContainsKey('CommonName')) + { + $CommonName = $UserName + } + Assert-Module -ModuleName 'ActiveDirectory' try @@ -1107,7 +1116,7 @@ function Test-TargetResource [Parameter()] [ValidateNotNull()] [System.String] - $CommonName = $UserName, + $CommonName, [Parameter()] [ValidateNotNull()] @@ -1381,6 +1390,15 @@ function Test-TargetResource $ProxyAddresses ) + <# + This is a workaround to make the resource able to enter debug mode. + For more information see issue https://github.com/PowerShell/ActiveDirectoryDsc/issues/427. + #> + if (-not $PSBoundParameters.ContainsKey('CommonName')) + { + $CommonName = $UserName + } + Assert-Parameters @PSBoundParameters $targetResource = Get-TargetResource @PSBoundParameters @@ -1723,7 +1741,7 @@ function Set-TargetResource [Parameter()] [ValidateNotNull()] [System.String] - $CommonName = $UserName, + $CommonName, [Parameter()] [ValidateNotNull()] @@ -1997,6 +2015,15 @@ function Set-TargetResource $ProxyAddresses ) + <# + This is a workaround to make the resource able to enter debug mode. + For more information see issue https://github.com/PowerShell/ActiveDirectoryDsc/issues/427. + #> + if (-not $PSBoundParameters.ContainsKey('CommonName')) + { + $CommonName = $UserName + } + Assert-Parameters @PSBoundParameters $targetResource = Get-TargetResource @PSBoundParameters From 3a4b75feb7dd13014fb2cd7033f438fc7a808731 Mon Sep 17 00:00:00 2001 
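Review bot: The comment added above the fallback in the Get-TargetResource hunk at -734, repeated verbatim in the Test-TargetResource and Set-TargetResource hunks at -1381 and -1997, says only that this is a debug-mode workaround, not what the block does or why the default left the param block. Something like `Default CommonName to UserName here rather than in the param block; a default derived from another parameter stops LCM from entering debug mode (issue #427).` would let a maintainer judge when it can be removed. Note also that `ContainsKey('CommonName')` is true for an explicitly bound empty string, which `[ValidateNotNull()]` accepts, so `CommonName = ''` is passed through instead of falling back to `$UserName`; `[ValidateNotNullOrEmpty()]` on the parameter would close that if an empty common name is never intended. All three functions continue outside these hunks.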
From: Johan Ljunggren Date: Sat, 3 Aug 2019 11:44:02 +0200 Subject: [PATCH 3/6] Changes to ActiveDirectoryDsc (#459) - Changes to ActiveDirectoryDsc - Integration tests are now correctly evaluates the value from `Test-DscConfiguration` (issue #434). --- CHANGELOG.md | 2 ++ .../MSFT_ADComputer.Integration.Tests.ps1 | 14 +++++++------- .../MSFT_ADDomainTrust.Integration.Tests.ps1 | 12 ++++++------ .../Integration/MSFT_ADUser.Integration.Tests.ps1 | 4 ++-- 4 files changed, 17 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68fcffa2e..6dab6cf23 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -57,6 +57,8 @@ Azure Automation ([issue #416](https://github.com/PowerShell/ActiveDirectoryDsc/issues/416)). - Fix examples that had duplicate guid that would have prevented them to be published. + - Integration tests are now correctly evaluates the value from `Test-DscConfiguration` + ([issue #434](https://github.com/PowerShell/ActiveDirectoryDsc/issues/434)). - Changes to ADManagedServiceAccount - Added a requirement to README stating "Group Managed Service Accounts need at least one Windows Server 2012 Domain Controller" diff --git a/Tests/Integration/MSFT_ADComputer.Integration.Tests.ps1 b/Tests/Integration/MSFT_ADComputer.Integration.Tests.ps1 index e8825cf58..8343b038d 100644 --- a/Tests/Integration/MSFT_ADComputer.Integration.Tests.ps1 +++ b/Tests/Integration/MSFT_ADComputer.Integration.Tests.ps1 @@ -93,7 +93,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -140,7 +140,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } 
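Review bot: The `It` titles in these hunks still read 'Should return $true' while the assertion now compares against the string `'True'`, and nothing in the test explains why `-BeTrue` was dropped. Presumably the output of `Test-DscConfiguration` reaches `Should` as a string, in which case `-BeTrue` would also pass for `'False'` because any non-empty string is truthy; if that is the reason, a one-line comment such as `# Compare with -Be 'True': -BeTrue also passes for the string 'False'.` above the first assertion would stop someone from reverting it. The same applies to every changed assertion in the ADComputer, ADDomainTrust and ADUser integration test hunks that follow.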
@@ -187,7 +187,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -234,7 +234,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -285,7 +285,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -349,7 +349,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -380,7 +380,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } } diff --git a/Tests/Integration/MSFT_ADDomainTrust.Integration.Tests.ps1 b/Tests/Integration/MSFT_ADDomainTrust.Integration.Tests.ps1 index ea56fc1a8..81ed43ae3 100644 --- a/Tests/Integration/MSFT_ADDomainTrust.Integration.Tests.ps1 +++ b/Tests/Integration/MSFT_ADDomainTrust.Integration.Tests.ps1 @@ -81,7 +81,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -132,7 +132,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -183,7 +183,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } 
@@ -234,7 +234,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -285,7 +285,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -336,7 +336,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } } diff --git a/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 b/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 index 60201247e..5ce86bc1f 100644 --- a/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 +++ b/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 @@ -80,7 +80,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } @@ -130,7 +130,7 @@ try } It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -BeTrue + Test-DscConfiguration -Verbose | Should -Be 'True' } } } From c2c504ffd670426651e1abde1cce4052fcbc68d7 Mon Sep 17 00:00:00 2001 From: Johan Ljunggren Date: Sat, 3 Aug 2019 12:41:08 +0200 Subject: [PATCH 4/6] ADUser: Uses helper function Add-TypeAssembly (#458) - Changes to ADUser - Now uses the helper function `Add-TypeAssembly` which have some benefit instead of directly using `Add-Type`, like verbose logging (issue #431). --- CHANGELOG.md | 2 ++ DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6dab6cf23..70f78c387 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -95,6 +95,8 @@ - Update the logic for setting the default value for the parameter `CommonName`. This is due to an how LCM handles parameters when a default value is derived from another parameter ([issue #427](https://github.com/PowerShell/ActiveDirectoryDsc/issues/427)). + - Now uses the helper function `Add-TypeAssembly` which have some benefit + instead of directly using `Add-Type`, like verbose logging ([issue #431](https://github.com/PowerShell/ActiveDirectoryDsc/issues/431)). - Changes to ADDomain - BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential` to `Credential` to better indicate that it is possible to impersonate diff --git a/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 b/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 index d6fc72061..17ff18657 100644 --- a/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 +++ b/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 @@ -2377,7 +2377,9 @@ function Test-Password Write-Verbose -Message ($script:localizedData.CreatingADDomainConnection -f $DomainName) - Add-Type -AssemblyName 'System.DirectoryServices.AccountManagement' + $typeName = 'System.DirectoryServices.AccountManagement.PrincipalContext' + + Add-TypeAssembly -AssemblyName 'System.DirectoryServices.AccountManagement' -TypeName $typeName <# If the domain name contains a distinguished name, set it to the fully @@ -2397,7 +2399,7 @@ function Test-Password $script:localizedData.TestPasswordUsingImpersonation -f $Credential.UserName, $UserName ) - $principalContext = New-Object -TypeName 'System.DirectoryServices.AccountManagement.PrincipalContext' -ArgumentList @( + $principalContext = New-Object -TypeName $typeName -ArgumentList @( [System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName, $Credential.UserName, 
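Review bot: Both `New-Object -TypeName $typeName` calls in Test-Password (the hunks at -2397 and -2406) create a `PrincipalContext`, which is disposable and in the impersonation branch is bound with the caller's credential, and nothing visible in these hunks releases it. The function continues outside the hunks, so this may already be handled; if it is not, the validation should run inside `try { ... } finally { $principalContext.Dispose() }` so the directory connection is not held until garbage collection. A smaller point: `$typeName` is a generic name for a function of this size, and `$principalContextTypeName` would make the two `New-Object` lines self-explanatory.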
@@ -2406,7 +2408,7 @@ function Test-Password } else { - $principalContext = New-Object -TypeName 'System.DirectoryServices.AccountManagement.PrincipalContext' -ArgumentList @( + $principalContext = New-Object -TypeName $typeName -ArgumentList @( [System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName, $null, From 91d9cb646dd5f536dc100a34540168e12bd29a3d Mon Sep 17 00:00:00 2001 From: Johan Ljunggren Date: Sat, 3 Aug 2019 17:07:45 +0200 Subject: [PATCH 5/6] Update PULL_REQUEST_TEMPLATE.md (#465) - Add task item for *.help.txt file. --- .github/PULL_REQUEST_TEMPLATE.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 0f99d262a..a4d5afb36 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -40,6 +40,7 @@ - [ ] Resource parameter descriptions added/updated in schema.mof and comment-based help. - [ ] Comment-based help added/updated. +- [ ] Conceptual help topic added/updated (cultureFolder\about_ResourceName.help.txt). - [ ] Localization strings added/updated in all localization files as appropriate. - [ ] Examples appropriately added/updated. - [ ] Unit tests added/updated. See [DSC Resource Testing Guidelines](https://github.com/PowerShell/DscResources/blob/master/TestsGuidelines.md). From 4b6ed53b0d0fcb493afc4fd595fe988c4b1c55a0 Mon Sep 17 00:00:00 2001 
From: Johan Ljunggren Date: Sat, 3 Aug 2019 17:27:14 +0200 Subject: [PATCH 6/6] ActiveDirectoryDsc: Fix comment based help (#464) - Changes to ADGroup - Added comment-based help (issue #338). - Update the documentation with the correct default value for the parameter GroupScope. - Changes to ADDomainDefaultPasswordPolicy - Added comment-based help (issue #336). --- CHANGELOG.md | 6 + .../MSFT_ADComputer/MSFT_ADComputer.psm1 | 2 +- .../MSFT_ADDomainDefaultPasswordPolicy.psm1 | 95 ++++++++++ DSCResources/MSFT_ADGroup/MSFT_ADGroup.psm1 | 162 ++++++++++++++++++ .../MSFT_ADGroup/MSFT_ADGroup.schema.mof | 2 +- .../MSFT_ADGroup/en-US/about_ADGroup.help.txt | 2 +- 6 files changed, 266 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70f78c387..508f1979a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -141,6 +141,12 @@ - Refactored unit tests for Test-TargetResource. - Changes to ADObjectPermissionEntry - Remove remnants of the `SupportsShouldProcess` ([issue #329](https://github.com/PowerShell/ActiveDirectoryDsc/issues/329)). +- Changes to ADGroup + - Added comment-based help ([issue #338](https://github.com/PowerShell/ActiveDirectoryDsc/issues/338)). + - Update the documentation with the correct default value for the parameter + GroupScope. +- Changes to ADDomainDefaultPasswordPolicy + - Added comment-based help ([issue #336](https://github.com/PowerShell/ActiveDirectoryDsc/issues/336)). ## 3.0.0.0 diff --git a/DSCResources/MSFT_ADComputer/MSFT_ADComputer.psm1 b/DSCResources/MSFT_ADComputer/MSFT_ADComputer.psm1 index 8084cbf23..c8442e53f 100644 --- a/DSCResources/MSFT_ADComputer/MSFT_ADComputer.psm1 +++ b/DSCResources/MSFT_ADComputer/MSFT_ADComputer.psm1 
@@ -469,7 +469,7 @@ function Test-TargetResource <# .SYNOPSIS - Creates. removes or modifies the Active Directory computer account. + Creates, removes or modifies the Active Directory computer account. .PARAMETER ComputerName Specifies the name of the Active Directory computer account to manage. diff --git a/DSCResources/MSFT_ADDomainDefaultPasswordPolicy/MSFT_ADDomainDefaultPasswordPolicy.psm1 b/DSCResources/MSFT_ADDomainDefaultPasswordPolicy/MSFT_ADDomainDefaultPasswordPolicy.psm1 index a01ee7ec5..d6a6a8cf1 100644 --- a/DSCResources/MSFT_ADDomainDefaultPasswordPolicy/MSFT_ADDomainDefaultPasswordPolicy.psm1 +++ b/DSCResources/MSFT_ADDomainDefaultPasswordPolicy/MSFT_ADDomainDefaultPasswordPolicy.psm1 @@ -41,6 +41,20 @@ $mutablePropertyMap = @( } ) +<# + .SYNOPSIS + Returns the current state of the Active Directory default domain password + policy. + + .PARAMETER DomainName + Name of the domain to which the password policy will be applied. + + .PARAMETER DomainController + Active Directory domain controller to enact the change upon. + + .PARAMETER Credential + Credentials used to access the domain. +#> function Get-TargetResource { [CmdletBinding()] 
@@ -85,6 +99,47 @@ function Get-TargetResource } } #end Get-TargetResource +<# + .SYNOPSIS + Determines if the Active Directory default domain password policy is in + the desired state + + .PARAMETER DomainName + Name of the domain to which the password policy will be applied. + + .PARAMETER ComplexityEnabled + Whether password complexity is enabled for the default password policy. + + .PARAMETER LockoutDuration + Length of time that an account is locked after the number of failed login attempts (minutes). + + .PARAMETER LockoutObservationWindow + Maximum time between two unsuccessful login attempts before the counter is reset to 0 (minutes). + + .PARAMETER LockoutThreshold + Number of unsuccessful login attempts that are permitted before an account is locked out. + + .PARAMETER MinPasswordAge + Minimum length of time that you can have the same password (minutes). + + .PARAMETER MaxPasswordAge + Maximum length of time that you can have the same password (minutes). + + .PARAMETER MinPasswordLength + Minimum number of characters that a password must contain. + + .PARAMETER PasswordHistoryCount + Number of previous passwords to remember. + + .PARAMETER ReversibleEncryptionEnabled + Whether the directory must store passwords using reversible encryption. + + .PARAMETER DomainController + Active Directory domain controller to enact the change upon. + + .PARAMETER Credential + Credentials used to access the domain. +#> function Test-TargetResource { [CmdletBinding()] 
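Review bot: The help text for `ReversibleEncryptionEnabled` in this Test-TargetResource block, and the identical text in the Set-TargetResource hunk at -189, describes the setting without saying what it costs. Reversible encryption means the stored passwords can be recovered, so I would word it `Whether the directory must store passwords using reversible encryption. Keep this disabled unless an application requires it, because passwords stored this way are recoverable.` Separately, the `.SYNOPSIS` here ends without a full stop ('the desired state'), unlike the other two synopses added to this file.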
@@ -189,6 +244,46 @@ function Test-TargetResource } } #end Test-TargetResource +<# + .SYNOPSIS + Modifies the Active Directory default domain password policy. + + .PARAMETER DomainName + Name of the domain to which the password policy will be applied. + + .PARAMETER ComplexityEnabled + Whether password complexity is enabled for the default password policy. + + .PARAMETER LockoutDuration + Length of time that an account is locked after the number of failed login attempts (minutes). + + .PARAMETER LockoutObservationWindow + Maximum time between two unsuccessful login attempts before the counter is reset to 0 (minutes). + + .PARAMETER LockoutThreshold + Number of unsuccessful login attempts that are permitted before an account is locked out. + + .PARAMETER MinPasswordAge + Minimum length of time that you can have the same password (minutes). + + .PARAMETER MaxPasswordAge + Maximum length of time that you can have the same password (minutes). + + .PARAMETER MinPasswordLength + Minimum number of characters that a password must contain. + + .PARAMETER PasswordHistoryCount + Number of previous passwords to remember. + + .PARAMETER ReversibleEncryptionEnabled + Whether the directory must store passwords using reversible encryption. + + .PARAMETER DomainController + Active Directory domain controller to enact the change upon. + + .PARAMETER Credential + Credentials used to access the domain. +#> function Set-TargetResource { [CmdletBinding()] diff --git a/DSCResources/MSFT_ADGroup/MSFT_ADGroup.psm1 b/DSCResources/MSFT_ADGroup/MSFT_ADGroup.psm1 index 6f121e385..44041186b 100644 --- a/DSCResources/MSFT_ADGroup/MSFT_ADGroup.psm1 +++ b/DSCResources/MSFT_ADGroup/MSFT_ADGroup.psm1 
@@ -6,6 +6,60 @@ Import-Module -Name (Join-Path -Path $script:localizationModulePath -ChildPath ' $script:localizedData = Get-LocalizedData -ResourceName 'MSFT_ADGroup' +<# + .SYNOPSIS + Returns the current state of the Active Directory group. + + .PARAMETER GroupName + Name of the Active Directory group. + + .PARAMETER GroupScope + Active Directory group scope. Default value is 'Global'. + + .PARAMETER Category + Active Directory group category. Default value is 'Security'. + + .PARAMETER Path + Location of the group within Active Directory expressed as a Distinguished Name. + + .PARAMETER Ensure + Specifies if this Active Directory group should be present or absent. + Default value is 'Present'. + + .PARAMETER Description + Description of the Active Directory group. + + .PARAMETER DisplayName + Display name of the Active Directory group. + + .PARAMETER Credential + Credentials used to enact the change upon. + + .PARAMETER DomainController + Active Directory domain controller to enact the change upon. + + .PARAMETER Members + Active Directory group membership should match membership exactly. + + .PARAMETER MembersToInclude + Active Directory group should include these members. + + .PARAMETER MembersToExclude + Active Directory group should NOT include these members. + + .PARAMETER MembershipAttribute + Active Directory attribute used to perform membership operations. + Default value is 'SamAccountName'. + + .PARAMETER ManagedBy + Active Directory managed by attribute specified as a DistinguishedName. + + .PARAMETER Notes + Active Directory group notes field. + + .PARAMETER RestoreFromRecycleBin + Try to restore the group from the recycle bin before creating a new one. +#> function Get-TargetResource { [CmdletBinding()] 
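Review bot: Two parameter descriptions in this help block are hard to act on, and both are copied unchanged into the Test-TargetResource and Set-TargetResource hunks at -150 and -318. `Credentials used to enact the change upon.` is ungrammatical and, on Get-TargetResource, describes a change that function presumably does not make; `Credentials used to connect to Active Directory.` would fit all three. `Active Directory group membership should match membership exactly.` does not say what happens to existing members that are not listed; if they are removed, which cannot be confirmed from these hunks, the text should say so, for example `Exact list of members the group should have; any member not listed is removed.`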
@@ -150,6 +204,60 @@ function Get-TargetResource
 return $targetResource
 } #end function Get-TargetResource
+<#
+ .SYNOPSIS
+ Determines if the Active Directory group is in the desired state.
+
+ .PARAMETER GroupName
+ Name of the Active Directory group.
+
+ .PARAMETER GroupScope
+ Active Directory group scope. Default value is 'Global'.
+
+ .PARAMETER Category
+ Active Directory group category. Default value is 'Security'.
+
+ .PARAMETER Path
+ Location of the group within Active Directory expressed as a Distinguished Name.
+
+ .PARAMETER Ensure
+ Specifies if this Active Directory group should be present or absent.
+ Default value is 'Present'.
+
+ .PARAMETER Description
+ Description of the Active Directory group.
+
+ .PARAMETER DisplayName
+ Display name of the Active Directory group.
+
+ .PARAMETER Credential
+ Credentials used to enact the change upon.
+
+ .PARAMETER DomainController
+ Active Directory domain controller to enact the change upon.
+
+ .PARAMETER Members
+ Active Directory group membership should match membership exactly.
+
+ .PARAMETER MembersToInclude
+ Active Directory group should include these members.
+
+ .PARAMETER MembersToExclude
+ Active Directory group should NOT include these members.
+
+ .PARAMETER MembershipAttribute
+ Active Directory attribute used to perform membership operations.
+ Default value is 'SamAccountName'.
+
+ .PARAMETER ManagedBy
+ Active Directory managed by attribute specified as a DistinguishedName.
+
+ .PARAMETER Notes
+ Active Directory group notes field.
+
+ .PARAMETER RestoreFromRecycleBin
+ Try to restore the group from the recycle bin before creating a new one.
+#>
 function Test-TargetResource
 {
 [CmdletBinding()]
@@ -318,6 +426,60 @@ function Test-TargetResource
 return $targetResourceInCompliance
 } #end function Test-TargetResource
+<#
+ .SYNOPSIS
+ Creates, removes or modifies the Active Directory group.
+
+ .PARAMETER GroupName
+ Name of the Active Directory group.
+
+ .PARAMETER GroupScope
+ Active Directory group scope. Default value is 'Global'.
+
+ .PARAMETER Category
+ Active Directory group category. Default value is 'Security'.
+
+ .PARAMETER Path
+ Location of the group within Active Directory expressed as a Distinguished Name.
+
+ .PARAMETER Ensure
+ Specifies if this Active Directory group should be present or absent.
+ Default value is 'Present'.
+
+ .PARAMETER Description
+ Description of the Active Directory group.
+
+ .PARAMETER DisplayName
+ Display name of the Active Directory group.
+
+ .PARAMETER Credential
+ Credentials used to enact the change upon.
+
+ .PARAMETER DomainController
+ Active Directory domain controller to enact the change upon.
+
+ .PARAMETER Members
+ Active Directory group membership should match membership exactly.
+
+ .PARAMETER MembersToInclude
+ Active Directory group should include these members.
+
+ .PARAMETER MembersToExclude
+ Active Directory group should NOT include these members.
+
+ .PARAMETER MembershipAttribute
+ Active Directory attribute used to perform membership operations.
+ Default value is 'SamAccountName'.
+
+ .PARAMETER ManagedBy
+ Active Directory managed by attribute specified as a DistinguishedName.
+
+ .PARAMETER Notes
+ Active Directory group notes field.
+
+ .PARAMETER RestoreFromRecycleBin
+ Try to restore the group from the recycle bin before creating a new one.
+#>
 function Set-TargetResource
 {
 [CmdletBinding()]
diff --git a/DSCResources/MSFT_ADGroup/MSFT_ADGroup.schema.mof b/DSCResources/MSFT_ADGroup/MSFT_ADGroup.schema.mof
index 56d434be6..3084043dd 100644
--- a/DSCResources/MSFT_ADGroup/MSFT_ADGroup.schema.mof
+++ b/DSCResources/MSFT_ADGroup/MSFT_ADGroup.schema.mof
@@ -2,7 +2,7 @@ class MSFT_ADGroup : OMI_BaseResource { [Key, Description("Name of the Active Directory group.")] String GroupName; - [Write, Description("Active Directory group scope. Default value is 'Group'."), ValueMap{"DomainLocal","Global","Universal"}, Values{"DomainLocal","Global","Universal"}] String GroupScope; + [Write, Description("Active Directory group scope. Default value is 'Global'."), ValueMap{"DomainLocal","Global","Universal"}, Values{"DomainLocal","Global","Universal"}] String GroupScope; [Write, Description("Active Directory group category. Default value is 'Security'."), ValueMap{"Security","Distribution"}, Values{"Security","Distribution"}] String Category; [Write, Description("Location of the group within Active Directory expressed as a Distinguished Name.")] String Path; [Write, Description("Specifies if this Active Directory group should be present or absent. Default value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; diff --git a/DSCResources/MSFT_ADGroup/en-US/about_ADGroup.help.txt b/DSCResources/MSFT_ADGroup/en-US/about_ADGroup.help.txt index b721b4159..3b17a8446 100644 --- a/DSCResources/MSFT_ADGroup/en-US/about_ADGroup.help.txt +++ b/DSCResources/MSFT_ADGroup/en-US/about_ADGroup.help.txt @@ -15,7 +15,7 @@ .PARAMETER GroupScope Write - String Allowed values: DomainLocal, Global, Universal - Active Directory group scope. Default value is 'Group'. + Active Directory group scope. Default value is 'Global'. .PARAMETER Category Write - String