FIX for Issue #152 #174

Closed
wants to merge 9 commits into from
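--- a/DSCResources/MSFT_xADCommon/MSFT_xADCommon.ps1
+++ b/DSCResources/MSFT_xADCommon/MSFT_xADCommon.ps1
@@ -104,6 +104,37 @@ function Test-ADDomain
 return ($null -ne $domain);
 }
 
+<#
+.Synopsis
+Author: Robert D. Biddle (https://github.com/RobBiddle)
+Created: December.20.2017
+.DESCRIPTION
+Takes an Active Directory DistinguishedName as input, returns the domain FQDN
+.EXAMPLE
+Get-ADDomainNameFromDistinguishedName 'CN=ExampleObject,OU=ExampleOU,DC=example,DC=com'
+#>
+function Get-ADDomainNameFromDistinguishedName
+{
+[CmdletBinding()]
+param
+(
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false)]
+[string]$DN
+)
+
+$SplitDN = ($DN -split 'DC=');
+$DomainDNSplitParts = $SplitDN[1..$SplitDN.Length];
+$DomainDN = "";
+foreach($part in $DomainDNSplitParts) {
+$DomainDN += "DC=$part"
+};
+$DomainName = (($DomainDN -replace 'DC=', '') -replace ',', '.');
+return $DomainName;
+
+} #end function Get-ADDomainNameFromDistinguishedName
+
 # Internal function to get an Active Directory object's parent Distinguished Name
 function Get-ADObjectParentDN
 {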
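Review bot: Get-ADDomainNameFromDistinguishedName returns an empty string, with no error, for a DN that carries no `DC=` component (the `$SplitDN[1..$SplitDN.Length]` slice then has nothing to yield), and the xADGroup caller feeds that result straight into `-Server`, so a malformed member DN surfaces later as an obscure cmdlet failure instead of at the point where it could be diagnosed. Declare the parameter with `[ValidateNotNullOrEmpty()]` and reject the no-domain case before the return, e.g. `if ($DomainDN -eq '') { throw "No DC= component found in DN '$DN'" }`. Splitting on the bare substring `DC=` also matches inside a CN or OU value (a `CN=ABCDC=1,...` entry would contribute `1.OU=...` to the name); selecting the RDNs instead avoids that and the trailing-comma juggling: `return (($DN -split ',' | Where-Object { $_ -match '^\s*DC=' }) -replace '^\s*DC=', '') -join '.'`. The comment-based help puts the author and date under `.Synopsis`; move them to `.NOTES`, give `.Synopsis` a one-line purpose such as `Returns the domain FQDN encoded in an Active Directory DistinguishedName`, and add a `.PARAMETER DN` entry.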
115 changes: 111 additions & 4 deletions DSCResources/MSFT_xADGroup/MSFT_xADGroup.psm1
Expand Up @@ -4,11 +4,13 @@ data LocalizedData
# culture="en-US"
ConvertFrom-StringData @'
RetrievingGroupMembers = Retrieving group membership based on '{0}' property.
GroupMembershipMultipleDomains = Group membership objects are in '{0}' different AD Domains.
GroupMembershipInDesiredState = Group membership is in the desired state.
GroupMembershipNotDesiredState = Group membership is NOT in the desired state.

AddingGroupMembers = Adding '{0}' member(s) to AD group '{1}'.
RemovingGroupMembers = Removing '{0}' member(s) from AD group '{1}'.
AddingGroupMember = Adding member '{0}' from domain '{1}' to AD group '{2}'.
AddingGroup = Adding AD Group '{0}'
UpdatingGroup = Updating AD Group '{0}'
RemovingGroup = Removing AD Group '{0}'
Expand Down Expand Up @@ -335,6 +337,23 @@ function Set-TargetResource
$adGroupParams = Get-ADCommonParameters @PSBoundParameters;

try {

if ($MembershipAttribute -eq 'DistinguishedName')
{
$AllMembers = $Members + $MembersToInclude + $MembersToExclude
$GroupMemberDomains = @();
foreach($member in $AllMembers)
{
$GroupMemberDomains += Get-ADDomainNameFromDistinguishedName -DN $member
}
$GroupMemberDomainCount = ($GroupMemberDomains | Select-Object -Unique).count
if( ($GroupMemberDomainCount -gt 1) -or ($GroupMemberDomains -ine (Get-DomainName)).count -gt 0 )
{
Write-Verbose ($LocalizedData.GroupMembershipMultipleDomains -f $GroupMemberDomainCount);
$MembersInMultipleDomains = $true
}
}

$adGroup = Get-ADGroup @adGroupParams -Property Name,GroupScope,GroupCategory,DistinguishedName,Description,DisplayName,ManagedBy,Info;

if ($Ensure -eq 'Present') {
Expand Down Expand Up @@ -403,13 +422,57 @@ function Set-TargetResource
Remove-ADGroupMember @adGroupParams -Members $adGroupMembers -Confirm:$false;
}
Write-Verbose -Message ($LocalizedData.AddingGroupMembers -f $Members.Count, $GroupName);
Add-ADGroupMember @adGroupParams -Members $Members;
if ($MembersInMultipleDomains)
{
foreach($member in $Members)
{
$memberDomain = Get-ADDomainNameFromDistinguishedName -DN $member;
Write-Verbose -Message ($LocalizedData.AddingGroupMember -f $member, $memberDomain, $GroupName);
$memberObjectClass = (Get-ADObject -Identity $member -Server $memberDomain -Properties ObjectClass).ObjectClass;
if ($memberObjectClass -eq 'computer')
{
$memberObject = Get-ADComputer -Identity $member -Server $memberDomain;
}elseif ($memberObjectClass -eq 'group')
{
$memberObject = Get-ADGroup -Identity $member -Server $memberDomain;
}elseif ($memberObjectClass -eq 'user')
{
$memberObject = Get-ADUser -Identity $member -Server $memberDomain;
}
Add-ADGroupMember @adGroupParams -Members $memberObject;
}
}else
{
Add-ADGroupMember @adGroupParams -Members $Members;
}
}
if ($PSBoundParameters.ContainsKey('MembersToInclude') -and -not [system.string]::IsNullOrEmpty($MembersToInclude))
{
$MembersToInclude = Remove-DuplicateMembers -Members $MembersToInclude;
Write-Verbose -Message ($LocalizedData.AddingGroupMembers -f $MembersToInclude.Count, $GroupName);
Add-ADGroupMember @adGroupParams -Members $MembersToInclude;
if ($MembersInMultipleDomains)
{
foreach($member in $MembersToInclude)
{
$memberDomain = Get-ADDomainNameFromDistinguishedName -DN $member;
Write-Verbose -Message ($LocalizedData.AddingGroupMember -f $member, $memberDomain, $GroupName);
$memberObjectClass = (Get-ADObject -Identity $member -Server $memberDomain -Properties ObjectClass).ObjectClass;
if ($memberObjectClass -eq 'computer')
{
$memberObject = Get-ADComputer -Identity $member -Server $memberDomain;
}elseif ($memberObjectClass -eq 'group')
{
$memberObject = Get-ADGroup -Identity $member -Server $memberDomain;
}elseif ($memberObjectClass -eq 'user')
{
$memberObject = Get-ADUser -Identity $member -Server $memberDomain;
}
Add-ADGroupMember @adGroupParams -Members $memberObject;
}
}else
{
Add-ADGroupMember @adGroupParams -Members $MembersToInclude;
}
}
if ($PSBoundParameters.ContainsKey('MembersToExclude') -and -not [system.string]::IsNullOrEmpty($MembersToExclude))
{
Expand Down Expand Up @@ -472,13 +535,57 @@ function Set-TargetResource
{
$Members = Remove-DuplicateMembers -Members $Members;
Write-Verbose -Message ($LocalizedData.AddingGroupMembers -f $Members.Count, $GroupName);
Add-ADGroupMember @adGroupParams -Members $Members;
if ($MembersInMultipleDomains)
{
foreach($member in $Members)
{
$memberDomain = Get-ADDomainNameFromDistinguishedName -DN $member;
Write-Verbose -Message ($LocalizedData.AddingGroupMember -f $member, $memberDomain, $GroupName);
$memberObjectClass = (Get-ADObject -Identity $member -Server $memberDomain -Properties ObjectClass).ObjectClass;
if ($memberObjectClass -eq 'computer')
{
$memberObject = Get-ADComputer -Identity $member -Server $memberDomain;
}elseif ($memberObjectClass -eq 'group')
{
$memberObject = Get-ADGroup -Identity $member -Server $memberDomain;
}elseif ($memberObjectClass -eq 'user')
{
$memberObject = Get-ADUser -Identity $member -Server $memberDomain;
}
Add-ADGroupMember @adGroupParams -Members $memberObject;
}
}else
{
Add-ADGroupMember @adGroupParams -Members $Members;
}
}
elseif ($PSBoundParameters.ContainsKey('MembersToInclude') -and -not [system.string]::IsNullOrEmpty($MembersToInclude))
{
$MembersToInclude = Remove-DuplicateMembers -Members $MembersToInclude;
Write-Verbose -Message ($LocalizedData.AddingGroupMembers -f $MembersToInclude.Count, $GroupName);
Add-ADGroupMember @adGroupParams -Members $MembersToInclude;
if ($MembersInMultipleDomains)
{
foreach($member in $MembersToInclude)
{
$memberDomain = Get-ADDomainNameFromDistinguishedName -DN $member;
Write-Verbose -Message ($LocalizedData.AddingGroupMember -f $member, $memberDomain, $GroupName);
$memberObjectClass = (Get-ADObject -Identity $member -Server $memberDomain -Properties ObjectClass).ObjectClass;
if ($memberObjectClass -eq 'computer')
{
$memberObject = Get-ADComputer -Identity $member -Server $memberDomain;
}elseif ($memberObjectClass -eq 'group')
{
$memberObject = Get-ADGroup -Identity $member -Server $memberDomain;
}elseif ($memberObjectClass -eq 'user')
{
$memberObject = Get-ADUser -Identity $member -Server $memberDomain;
}
Add-ADGroupMember @adGroupParams -Members $memberObject;
}
}else
{
Add-ADGroupMember @adGroupParams -Members $MembersToInclude;
}
}

}
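Review bot: In the multi-domain branch of the `Members` path, the `if/elseif` chain on `$memberObjectClass` assigns nothing when a member is not a computer, group or user (a managed service account, contact or foreignSecurityPrincipal, for instance), so `$memberObject` either is `$null` on the first iteration or still holds the previous iteration's principal, and `Add-ADGroupMember` is then called with the wrong object while the intended member is never added; the same block is repeated verbatim in the `MembersToInclude` branch of this hunk and twice more in the hunk at `-472,13 +535,57`. Add a terminal branch that refuses the member, e.g. `else { throw ('Unsupported objectClass ''{0}'' for group member ''{1}''' -f $memberObjectClass, $member) }` (or a new LocalizedData entry, matching the file's convention), and reset `$memberObject = $null` at the top of each iteration. Since the twenty-line resolve-and-add block appears four times, extract it into one helper next to Get-ADDomainNameFromDistinguishedName in MSFT_xADCommon.ps1 so the object-class dispatch has a single place to be maintained, as sketched below. `$MembersInMultipleDomains` is only ever assigned `$true` and never initialised to `$false`, which relies on an undefined variable being falsy and breaks under Set-StrictMode; initialise it next to `$adGroupParams`. Set-TargetResource starts and ends outside these hunks.
```powershell
# Shared by all four resolve-and-add loops in Set-TargetResource: looks the member up
# in its own domain and returns the principal to pass to Add-ADGroupMember.
function Get-ADGroupMemberPrincipal
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] [string]$Identity,
        [Parameter(Mandatory = $true)] [string]$Server
    )
    $objectClass = (Get-ADObject -Identity $Identity -Server $Server -Properties ObjectClass).ObjectClass;
    switch ($objectClass)
    {
        'computer' { return Get-ADComputer -Identity $Identity -Server $Server }
        'group'    { return Get-ADGroup -Identity $Identity -Server $Server }
        'user'     { return Get-ADUser -Identity $Identity -Server $Server }
        # Refuse rather than silently skip: an unsupported class is a configuration error.
        default    { throw ("Unsupported objectClass '{0}' for group member '{1}'." -f $objectClass, $Identity) }
    }
}

# … unchanged: Remove-DuplicateMembers / AddingGroupMembers verbose message …
if ($MembersInMultipleDomains)
{
    foreach ($member in $Members)
    {
        $memberDomain = Get-ADDomainNameFromDistinguishedName -DN $member;
        Write-Verbose -Message ($LocalizedData.AddingGroupMember -f $member, $memberDomain, $GroupName);
        Add-ADGroupMember @adGroupParams -Members (Get-ADGroupMemberPrincipal -Identity $member -Server $memberDomain);
    }
}
# … unchanged: else branch with the single-domain Add-ADGroupMember call …
```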
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -243,6 +243,7 @@ Setting an ODJ Request file path for a configuration that creates a computer acc
## Versions

### Unreleased
* xADGroup: Fixes for issue #152 relating to errors when adding Group Members from a different domain. This DSC Resource now supports AD Group membership consisting of AD Objects from multiple AD Domains.

### 2.16.0.0
