From 4c28db52a579c5220ef9cea246649956c48ddf97 Mon Sep 17 00:00:00 2001 From: Johan Ljunggren Date: Sun, 28 Jul 2019 10:08:28 +0200 Subject: [PATCH 1/5] Add integration test for ADUser --- .../MSFT_ADUser.Integration.Tests.ps1 | 93 +++++++++++++++++++ Tests/Integration/MSFT_ADUser.config.ps1 | 75 +++++++++++++++ 2 files changed, 168 insertions(+) create mode 100644 Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 create mode 100644 Tests/Integration/MSFT_ADUser.config.ps1 diff --git a/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 b/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 new file mode 100644 index 000000000..55d6a2068 --- /dev/null +++ b/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 @@ -0,0 +1,93 @@ +if ($env:APPVEYOR -eq $true) +{ + Write-Warning -Message 'Integration test is not supported in AppVeyor.' + return +} + +$script:dscModuleName = 'ActiveDirectoryDsc' +$script:dscResourceFriendlyName = 'ADUser' +$script:dscResourceName = "MSFT_$($script:dscResourceFriendlyName)" + +#region HEADER +# Integration Test Template Version: 1.3.3 +[System.String] $script:moduleRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot) +if ( (-not (Test-Path -Path (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests'))) -or ` + (-not (Test-Path -Path (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests\TestHelper.psm1'))) ) +{ + & git @('clone', 'https://github.com/PowerShell/DscResource.Tests.git', (Join-Path -Path $script:moduleRoot -ChildPath 'DscResource.Tests')) +} + +Import-Module -Name (Join-Path -Path $script:moduleRoot -ChildPath (Join-Path -Path 'DSCResource.Tests' -ChildPath 'TestHelper.psm1')) -Force +$TestEnvironment = Initialize-TestEnvironment ` + -DSCModuleName $script:dscModuleName ` + -DSCResourceName $script:dscResourceName ` + -TestType Integration +#endregion + +try +{ + $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:dscResourceName).config.ps1" + . $configFile + + Describe "$($script:dscResourceName)_Integration" { + BeforeAll { + $resourceId = "[$($script:dscResourceFriendlyName)]Integration_Test" + } + + $configurationName = "$($script:dscResourceName)_CreateUser1_Config" + + Context ('When using configuration {0}' -f $configurationName) { + It 'Should compile and apply the MOF without throwing' { + { + $configurationParameters = @{ + OutputPath = $TestDrive + # The variable $ConfigurationData was dot-sourced above. + ConfigurationData = $ConfigurationData + } + + & $configurationName @configurationParameters + + $startDscConfigurationParameters = @{ + Path = $TestDrive + ComputerName = 'localhost' + Wait = $true + Verbose = $true + Force = $true + ErrorAction = 'Stop' + } + + Start-DscConfiguration @startDscConfigurationParameters + } | Should -Not -Throw + } + + It 'Should be able to call Get-DscConfiguration without throwing' { + { + $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction Stop + } | Should -Not -Throw + } + + It 'Should have set the resource and all the parameters should match' { + $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript { + $_.ConfigurationName -eq $configurationName ` + -and $_.ResourceId -eq $resourceId + } + + $resourceCurrentState.Ensure | Should -Be 'Present' + $resourceCurrentState.UserName | Should -Be 'DscUser1' + $resourceCurrentState.UserPrincipalName | Should -Be 'DscUser1' + $resourceCurrentState.DisplayName | Should -Be 'Dsc User 1' + $resourceCurrentState.DomainAdministratorCredential | Should -BeNullOrEmpty + } + + It 'Should return $true when Test-DscConfiguration is run' { + Test-DscConfiguration -Verbose | Should -BeTrue + } + } + } +} +finally +{ + #region FOOTER + Restore-TestEnvironment -TestEnvironment $TestEnvironment + #endregion +} diff --git a/Tests/Integration/MSFT_ADUser.config.ps1 b/Tests/Integration/MSFT_ADUser.config.ps1 new file mode 100644 index 000000000..b42e2f8f5 --- /dev/null +++ b/Tests/Integration/MSFT_ADUser.config.ps1 @@ -0,0 +1,75 @@ +#region HEADER +# Integration Test Config Template Version: 1.2.0 +#endregion + +$configFile = [System.IO.Path]::ChangeExtension($MyInvocation.MyCommand.Path, 'json') +if (Test-Path -Path $configFile) +{ + <# + Allows reading the configuration data from a JSON file, for real testing + scenarios outside of the CI. + #> + $ConfigurationData = Get-Content -Path $configFile | ConvertFrom-Json +} +else +{ + $computersContainerDistinguishedName = (Get-ADDomain).ComputersContainer + if ($computersContainerDistinguishedName -match 'DC=.+') + { + $domainDistinguishedName = $matches[0] + } + + $ConfigurationData = @{ + AllNodes = @( + @{ + NodeName = 'localhost' + CertificateFile = $env:DscPublicCertificatePath + + DomainDistinguishedName = $domainDistinguishedName + UserNamePrefix = 'DscUser' + DisplayNamePrefix = 'Dsc User' + + Password = New-Object ` + -TypeName System.Management.Automation.PSCredential ` + -ArgumentList @( + 'AnyName', + (ConvertTo-SecureString -String 'P@ssW0rd1' -AsPlainText -Force) + ) + + AdministratorUserName = ('{0}\Administrator' -f $domainDistinguishedName) + AdministratorPassword = 'P@ssw0rd1' + } + ) + } +} + +<# + .SYNOPSIS + Creates a user account with a password that never expires. +#> +Configuration MSFT_ADUser_CreateUser1_Config +{ + Import-DscResource -ModuleName 'ActiveDirectoryDsc' + + node $AllNodes.NodeName + { + ADUser 'Integration_Test' + { + DomainName = $Node.DomainDistinguishedName + UserName = '{0}1' -f $Node.UserNamePrefix + UserPrincipalName = '{0}1' -f $Node.UserNamePrefix + DisplayName = '{0} 1' -f $Node.DisplayNamePrefix + PasswordNeverExpires = $true + Password = $Node.Password + + PasswordNeverResets = $true + + DomainAdministratorCredential = New-Object ` + -TypeName System.Management.Automation.PSCredential ` + -ArgumentList @( + $Node.AdministratorUserName, + (ConvertTo-SecureString -String $Node.AdministratorPassword -AsPlainText -Force) + ) + } + } +} From bb3e110000477dd13fdd51b47f9da49f2dee823a Mon Sep 17 00:00:00 2001 From: Johan Ljunggren Date: Sun, 28 Jul 2019 17:52:40 +0200 Subject: [PATCH 2/5] Chanegs to ADUser - BREAKING CHANGE: Rename parameter DomainAdministrorCredential (issue #269) --- CHANGELOG.md | 6 + DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 | 223 +++--------------- .../MSFT_ADUser/MSFT_ADUser.schema.mof | 2 +- .../en-US/MSFT_ADUser.strings.psd1 | 1 + .../MSFT_ADUser.Integration.Tests.ps1 | 56 ++++- Tests/Integration/MSFT_ADUser.config.ps1 | 68 ++++-- 6 files changed, 140 insertions(+), 216 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 04bd33225..2521e9497 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,6 +53,9 @@ - The unit tests are using the stub classes so the tests can be run locally. - Added comment-based help ([issue #339](https://github.com/PowerShell/ActiveDirectoryDsc/issues/339)). - Changes to ADUser + - BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential` + to `Credential` to better indicate that it is possible to impersonate + any credential with enough permission to perform the task ([issue #269](https://github.com/PowerShell/ActiveDirectoryDsc/issues/269)). - Fixes exception when creating a user with an empty string property ([issue #407](https://github.com/PowerShell/ActiveDirectoryDsc/issues/407)). - Fixes exception when updating `CommonName` and `Path` concurrently @@ -60,6 +63,9 @@ - Fixes ChangePasswordAtLogon Property to be only set to `true` at User Creation ([issue #414](https://github.com/PowerShell/ActiveDirectoryDsc/issues/414)). - Added comment-based help ([issue #340](https://github.com/PowerShell/ActiveDirectoryDsc/issues/340)). + - Now it correctly tests passwords when parameter DomainName is set to + distinguished name and parameter Credential is used ([issue #451](https://github.com/PowerShell/ActiveDirectoryDsc/issues/451)). + - Added integration tests ([issue #359](https://github.com/PowerShell/ActiveDirectoryDsc/issues/359)). - Changes to ADDomain - Updated tests and replaced `Write-Error` with `throw` ([issue #332](https://github.com/PowerShell/ActiveDirectoryDsc/pull/332)). diff --git a/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 b/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 index 4b608e01b..7eb9011ee 100644 --- a/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 +++ b/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 @@ -410,7 +410,7 @@ $adPropertyMap = @( Specifies the Active Directory Domain Services instance to use to perform the task. - .PARAMETER DomainAdministratorCredential + .PARAMETER Credential Specifies the user account credentials to use to perform this task. .PARAMETER PasswordAuthentication @@ -438,355 +438,296 @@ function Get-TargetResource [OutputType([System.Collections.Hashtable])] param ( - # Name of the domain where the user account is located (only used if password is managed) [Parameter(Mandatory = $true)] [System.String] $DomainName, - # Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName') [Parameter(Mandatory = $true)] [System.String] $UserName, - # Specifies a new password value for an account [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Password, - # Specifies whether the user account is created or deleted [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', - # Specifies the common name assigned to the user account (ldapDisplayName 'cn') [Parameter()] [ValidateNotNull()] [System.String] $CommonName = $UserName, - # Specifies the UPN assigned to the user account (ldapDisplayName 'userPrincipalName') [Parameter()] [ValidateNotNull()] [System.String] $UserPrincipalName, - # Specifies the display name of the object (ldapDisplayName 'displayName') [Parameter()] [ValidateNotNull()] [System.String] $DisplayName, - # Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created [Parameter()] [ValidateNotNull()] [System.String] $Path, - # Specifies the user's given name (ldapDisplayName 'givenName') [Parameter()] [ValidateNotNull()] [System.String] $GivenName, - # Specifies the initials that represent part of a user's name (ldapDisplayName 'initials') [Parameter()] [ValidateNotNull()] [System.String] $Initials, - # Specifies the user's last name or surname (ldapDisplayName 'sn') [Parameter()] [ValidateNotNull()] [System.String] $Surname, - # Specifies a description of the object (ldapDisplayName 'description') [Parameter()] [ValidateNotNull()] [System.String] $Description, - # Specifies the user's street address (ldapDisplayName 'streetAddress') [Parameter()] [ValidateNotNull()] [System.String] $StreetAddress, - # Specifies the user's post office box number (ldapDisplayName 'postOfficeBox') [Parameter()] [ValidateNotNull()] [System.String] $POBox, - # Specifies the user's town or city (ldapDisplayName 'l') [Parameter()] [ValidateNotNull()] [System.String] $City, - # Specifies the user's or Organizational Unit's state or province (ldapDisplayName 'st') [Parameter()] [ValidateNotNull()] [System.String] $State, - # Specifies the user's postal code or zip code (ldapDisplayName 'postalCode') [Parameter()] [ValidateNotNull()] [System.String] $PostalCode, - # Specifies the country or region code for the user's language of choice (ldapDisplayName 'c') [Parameter()] [ValidateNotNull()] [System.String] $Country, - # Specifies the user's department (ldapDisplayName 'department') [Parameter()] [ValidateNotNull()] [System.String] $Department, - # Specifies the user's division (ldapDisplayName 'division') [Parameter()] [ValidateNotNull()] [System.String] $Division, - # Specifies the user's company (ldapDisplayName 'company') [Parameter()] [ValidateNotNull()] [System.String] $Company, - # Specifies the location of the user's office or place of business (ldapDisplayName 'physicalDeliveryOfficeName') [Parameter()] [ValidateNotNull()] [System.String] $Office, - # Specifies the user's title (ldapDisplayName 'title') [Parameter()] [ValidateNotNull()] [System.String] $JobTitle, - # Specifies the user's e-mail address (ldapDisplayName 'mail') [Parameter()] [ValidateNotNull()] [System.String] $EmailAddress, - # Specifies the user's employee ID (ldapDisplayName 'employeeID') [Parameter()] [ValidateNotNull()] [System.String] $EmployeeID, - # Specifies the user's employee number (ldapDisplayName 'employeeNumber') [Parameter()] [ValidateNotNull()] [System.String] $EmployeeNumber, - # Specifies a user's home directory path (ldapDisplayName 'homeDirectory') [Parameter()] [ValidateNotNull()] [System.String] $HomeDirectory, - # Specifies a drive that is associated with the UNC path defined by the HomeDirectory property (ldapDisplayName 'homeDrive') [Parameter()] [ValidateNotNull()] [System.String] $HomeDrive, - # Specifies the URL of the home page of the object (ldapDisplayName 'wWWHomePage') [Parameter()] [ValidateNotNull()] [System.String] $HomePage, - # Specifies a path to the user's profile (ldapDisplayName 'profilePath') [Parameter()] [ValidateNotNull()] [System.String] $ProfilePath, - # Specifies a path to the user's log on script (ldapDisplayName 'scriptPath') [Parameter()] [ValidateNotNull()] [System.String] $LogonScript, - # Specifies the notes attached to the user's account (ldapDisplayName 'info') [Parameter()] [ValidateNotNull()] [System.String] $Notes, - # Specifies the user's office telephone number (ldapDisplayName 'telephoneNumber') [Parameter()] [ValidateNotNull()] [System.String] $OfficePhone, - # Specifies the user's mobile phone number (ldapDisplayName 'mobile') [Parameter()] [ValidateNotNull()] [System.String] $MobilePhone, - # Specifies the user's fax phone number (ldapDisplayName 'facsimileTelephoneNumber') [Parameter()] [ValidateNotNull()] [System.String] $Fax, - # Specifies the user's home telephone number (ldapDisplayName 'homePhone') [Parameter()] [ValidateNotNull()] [System.String] $HomePhone, - # Specifies the user's pager number (ldapDisplayName 'pager') [Parameter()] [ValidateNotNull()] [System.String] $Pager, - # Specifies the user's IP telephony phone number (ldapDisplayName 'ipPhone') [Parameter()] [ValidateNotNull()] [System.String] $IPPhone, - # Specifies the user's manager specified as a Distinguished Name (ldapDisplayName 'manager') [Parameter()] [ValidateNotNull()] [System.String] $Manager, - # Specifies the computers that the user can access. (ldapDisplayName 'userWorkStations') [Parameter()] [ValidateNotNull()] [System.String] $LogonWorkstations, - # Specifies the user's organization (ldapDisplayName 'o') [Parameter()] [ValidateNotNull()] [System.String] $Organization, - # Specifies a name in addition to a user's given name and surname (ldaDisplayName 'middleName') [Parameter()] [ValidateNotNull()] [System.String] $OtherName, - # Specifies if the account is enabled (default True) [Parameter()] [ValidateNotNull()] [System.Boolean] $Enabled = $true, - # Specifies whether the account password can be changed [Parameter()] [ValidateNotNull()] [System.Boolean] $CannotChangePassword, - # Specifies whether the account password must be changed during the next logon attempt [Parameter()] [ValidateNotNull()] [System.Boolean] $ChangePasswordAtLogon, - # Specifies whether the password of an account can expire [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNeverExpires, - # Specifies whether an account is trusted for Kerberos delegation [Parameter()] [ValidateNotNull()] [System.Boolean] $TrustedForDelegation, - # Indicates whether the security context of the user is delegated to a service. [Parameter()] [ValidateNotNull()] [System.Boolean] $AccountNotDelegated, - # Indicates whether reversible password encryption is allowed for the account. [Parameter()] [ValidateNotNull()] [System.Boolean] $AllowReversiblePasswordEncryption, - # Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. [Parameter()] [ValidateNotNull()] [System.Boolean] $CompoundIdentitySupported, - # Specifies whether the account requires a password. A password is not required for a new account. [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNotRequired, - # Specifies whether a smart card is required to logon. [Parameter()] [ValidateNotNull()] [System.Boolean] $SmartcardLogonRequired, - # Specifies the Active Directory Domain Services instance to use to perform the task. [Parameter()] [ValidateNotNull()] [System.String] $DomainController, - # Specifies the user account credentials to use to perform this task. Ideally this should just be called 'Credential' but is here for backwards compatibility [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] - $DomainAdministratorCredential, + $Credential, - # Specifies the authentication context type when testing user passwords #61 [Parameter()] [ValidateSet('Default', 'Negotiate')] [System.String] $PasswordAuthentication = 'Default', - # Specifies whether an existing user's password should be reset (default $false). [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNeverResets = $false, - # Try to restore the organizational unit from the recycle bin before creating a new one. [Parameter()] [ValidateNotNull()] [System.Boolean] $RestoreFromRecycleBin, - # Specifies the service principal names registered on the user account [Parameter()] [ValidateNotNull()] [System.String[]] $ServicePrincipalNames, - # Specifies the Proxy Addresses registered on the user account [Parameter()] [ValidateNotNull()] [System.String[]] @@ -1116,7 +1057,7 @@ function Get-TargetResource Specifies the Active Directory Domain Services instance to use to perform the task. - .PARAMETER DomainAdministratorCredential + .PARAMETER Credential Specifies the user account credentials to use to perform this task. .PARAMETER PasswordAuthentication @@ -1144,355 +1085,296 @@ function Test-TargetResource [OutputType([System.Boolean])] param ( - # Name of the domain where the user account is located (only used if password is managed) [Parameter(Mandatory = $true)] [System.String] $DomainName, - # Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName') [Parameter(Mandatory = $true)] [System.String] $UserName, - # Specifies a new password value for an account [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Password, - # Specifies whether the user account is created or deleted [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', - # Specifies the common name assigned to the user account (ldapDisplayName 'cn') [Parameter()] [ValidateNotNull()] [System.String] $CommonName = $UserName, - # Specifies the UPN assigned to the user account (ldapDisplayName 'userPrincipalName') [Parameter()] [ValidateNotNull()] [System.String] $UserPrincipalName, - # Specifies the display name of the object (ldapDisplayName 'displayName') [Parameter()] [ValidateNotNull()] [System.String] $DisplayName, - # Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created [Parameter()] [ValidateNotNull()] [System.String] $Path, - # Specifies the user's given name (ldapDisplayName 'givenName') [Parameter()] [ValidateNotNull()] [System.String] $GivenName, - # Specifies the initials that represent part of a user's name (ldapDisplayName 'initials') [Parameter()] [ValidateNotNull()] [System.String] $Initials, - # Specifies the user's last name or surname (ldapDisplayName 'sn') [Parameter()] [ValidateNotNull()] [System.String] $Surname, - # Specifies a description of the object (ldapDisplayName 'description') [Parameter()] [ValidateNotNull()] [System.String] $Description, - # Specifies the user's street address (ldapDisplayName 'streetAddress') [Parameter()] [ValidateNotNull()] [System.String] $StreetAddress, - # Specifies the user's post office box number (ldapDisplayName 'postOfficeBox') [Parameter()] [ValidateNotNull()] [System.String] $POBox, - # Specifies the user's town or city (ldapDisplayName 'l') [Parameter()] [ValidateNotNull()] [System.String] $City, - # Specifies the user's or Organizational Unit's state or province (ldapDisplayName 'st') [Parameter()] [ValidateNotNull()] [System.String] $State, - # Specifies the user's postal code or zip code (ldapDisplayName 'postalCode') [Parameter()] [ValidateNotNull()] [System.String] $PostalCode, - # Specifies the country or region code for the user's language of choice (ldapDisplayName 'c') [Parameter()] [ValidateNotNull()] [System.String] $Country, - # Specifies the user's department (ldapDisplayName 'department') [Parameter()] [ValidateNotNull()] [System.String] $Department, - # Specifies the user's division (ldapDisplayName 'division') [Parameter()] [ValidateNotNull()] [System.String] $Division, - # Specifies the user's company (ldapDisplayName 'company') [Parameter()] [ValidateNotNull()] [System.String] $Company, - # Specifies the location of the user's office or place of business (ldapDisplayName 'physicalDeliveryOfficeName') [Parameter()] [ValidateNotNull()] [System.String] $Office, - # Specifies the user's title (ldapDisplayName 'title') [Parameter()] [ValidateNotNull()] [System.String] $JobTitle, - # Specifies the user's e-mail address (ldapDisplayName 'mail') [Parameter()] [ValidateNotNull()] [System.String] $EmailAddress, - # Specifies the user's employee ID (ldapDisplayName 'employeeID') [Parameter()] [ValidateNotNull()] [System.String] $EmployeeID, - # Specifies the user's employee number (ldapDisplayName 'employeeNumber') [Parameter()] [ValidateNotNull()] [System.String] $EmployeeNumber, - # Specifies a user's home directory path (ldapDisplayName 'homeDirectory') [Parameter()] [ValidateNotNull()] [System.String] $HomeDirectory, - # Specifies a drive that is associated with the UNC path defined by the HomeDirectory property (ldapDisplayName 'homeDrive') [Parameter()] [ValidateNotNull()] [System.String] $HomeDrive, - # Specifies the URL of the home page of the object (ldapDisplayName 'wWWHomePage') [Parameter()] [ValidateNotNull()] [System.String] $HomePage, - # Specifies a path to the user's profile (ldapDisplayName 'profilePath') [Parameter()] [ValidateNotNull()] [System.String] $ProfilePath, - # Specifies a path to the user's log on script (ldapDisplayName 'scriptPath') [Parameter()] [ValidateNotNull()] [System.String] $LogonScript, - # Specifies the notes attached to the user's account (ldapDisplayName 'info') [Parameter()] [ValidateNotNull()] [System.String] $Notes, - # Specifies the user's office telephone number (ldapDisplayName 'telephoneNumber') [Parameter()] [ValidateNotNull()] [System.String] $OfficePhone, - # Specifies the user's mobile phone number (ldapDisplayName 'mobile') [Parameter()] [ValidateNotNull()] [System.String] $MobilePhone, - # Specifies the user's fax phone number (ldapDisplayName 'facsimileTelephoneNumber') [Parameter()] [ValidateNotNull()] [System.String] $Fax, - # Specifies the user's home telephone number (ldapDisplayName 'homePhone') [Parameter()] [ValidateNotNull()] [System.String] $HomePhone, - # Specifies the user's pager number (ldapDisplayName 'pager') [Parameter()] [ValidateNotNull()] [System.String] $Pager, - # Specifies the user's IP telephony phone number (ldapDisplayName 'ipPhone') [Parameter()] [ValidateNotNull()] [System.String] $IPPhone, - # Specifies the user's manager specified as a Distinguished Name (ldapDisplayName 'manager') [Parameter()] [ValidateNotNull()] [System.String] $Manager, - # Specifies the computers that the user can access. (ldapDisplayName 'userWorkStations') [Parameter()] [ValidateNotNull()] [System.String] $LogonWorkstations, - # Specifies the user's organization (ldapDisplayName 'o') [Parameter()] [ValidateNotNull()] [System.String] $Organization, - # Specifies a name in addition to a user's given name and surname (ldaDisplayName 'middleName') [Parameter()] [ValidateNotNull()] [System.String] $OtherName, - # Specifies if the account is enabled (default True) [Parameter()] [ValidateNotNull()] [System.Boolean] $Enabled = $true, - # Specifies whether the account password can be changed [Parameter()] [ValidateNotNull()] [System.Boolean] $CannotChangePassword, - # Specifies whether the account password must be changed during the next logon attempt [Parameter()] [ValidateNotNull()] [System.Boolean] $ChangePasswordAtLogon, - # Specifies whether the password of an account can expire [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNeverExpires, - # Specifies whether an account is trusted for Kerberos delegation [Parameter()] [ValidateNotNull()] [System.Boolean] $TrustedForDelegation, - # Indicates whether the security context of the user is delegated to a service. [Parameter()] [ValidateNotNull()] [System.Boolean] $AccountNotDelegated, - # Indicates whether reversible password encryption is allowed for the account. [Parameter()] [ValidateNotNull()] [System.Boolean] $AllowReversiblePasswordEncryption, - # Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. [Parameter()] [ValidateNotNull()] [System.Boolean] $CompoundIdentitySupported, - # Specifies whether the account requires a password. A password is not required for a new account. [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNotRequired, - # Specifies whether a smart card is required to logon. [Parameter()] [ValidateNotNull()] [System.Boolean] $SmartcardLogonRequired, - # Specifies the Active Directory Domain Services instance to use to perform the task. [Parameter()] [ValidateNotNull()] [System.String] $DomainController, - # Specifies the user account credentials to use to perform this task. Ideally this should just be called 'Credential' but is here for backwards compatibility [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] - $DomainAdministratorCredential, + $Credential, - # Specifies the authentication context type when testing user passwords #61 [Parameter()] [ValidateSet('Default', 'Negotiate')] [System.String] $PasswordAuthentication = 'Default', - # Specifies whether an existing user's password should be reset (default $false). [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNeverResets = $false, - # Try to restore the organizational unit from the recycle bin before creating a new one. [Parameter()] [ValidateNotNull()] [System.Boolean] $RestoreFromRecycleBin, - # Specifies the service principal names registered on the user account [Parameter()] [ValidateNotNull()] [System.String[]] $ServicePrincipalNames, - # Specifies the Proxy Addresses registered on the user account [Parameter()] [ValidateNotNull()] [System.String[]] @@ -1530,9 +1412,9 @@ function Test-TargetResource PasswordAuthentication = $PasswordAuthentication } - if ($DomainAdministratorCredential) + if ($Credential) { - $testPasswordParams['DomainAdministratorCredential'] = $DomainAdministratorCredential + $testPasswordParams['Credential'] = $Credential } if (-not (Test-Password @testPasswordParams)) @@ -1792,7 +1674,7 @@ function Test-TargetResource Specifies the Active Directory Domain Services instance to use to perform the task. - .PARAMETER DomainAdministratorCredential + .PARAMETER Credential Specifies the user account credentials to use to perform this task. .PARAMETER PasswordAuthentication @@ -1819,355 +1701,296 @@ function Set-TargetResource [CmdletBinding()] param ( - # Name of the domain where the user account is located (only used if password is managed) [Parameter(Mandatory = $true)] [System.String] $DomainName, - # Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName') [Parameter(Mandatory = $true)] [System.String] $UserName, - # Specifies a new password value for an account [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Password, - # Specifies whether the user account is created or deleted [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', - # Specifies the common name assigned to the user account (ldapDisplayName 'cn') [Parameter()] [ValidateNotNull()] [System.String] $CommonName = $UserName, - # Specifies the UPN assigned to the user account (ldapDisplayName 'userPrincipalName') [Parameter()] [ValidateNotNull()] [System.String] $UserPrincipalName, - # Specifies the display name of the object (ldapDisplayName 'displayName') [Parameter()] [ValidateNotNull()] [System.String] $DisplayName, - # Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created [Parameter()] [ValidateNotNull()] [System.String] $Path, - # Specifies the user's given name (ldapDisplayName 'givenName') [Parameter()] [ValidateNotNull()] [System.String] $GivenName, - # Specifies the initials that represent part of a user's name (ldapDisplayName 'initials') [Parameter()] [ValidateNotNull()] [System.String] $Initials, - # Specifies the user's last name or surname (ldapDisplayName 'sn') [Parameter()] [ValidateNotNull()] [System.String] $Surname, - # Specifies a description of the object (ldapDisplayName 'description') [Parameter()] [ValidateNotNull()] [System.String] $Description, - # Specifies the user's street address (ldapDisplayName 'streetAddress') [Parameter()] [ValidateNotNull()] [System.String] $StreetAddress, - # Specifies the user's post office box number (ldapDisplayName 'postOfficeBox') [Parameter()] [ValidateNotNull()] [System.String] $POBox, - # Specifies the user's town or city (ldapDisplayName 'l') [Parameter()] [ValidateNotNull()] [System.String] $City, - # Specifies the user's or Organizational Unit's state or province (ldapDisplayName 'st') [Parameter()] [ValidateNotNull()] [System.String] $State, - # Specifies the user's postal code or zip code (ldapDisplayName 'postalCode') [Parameter()] [ValidateNotNull()] [System.String] $PostalCode, - # Specifies the country or region code for the user's language of choice (ldapDisplayName 'c') [Parameter()] [ValidateNotNull()] [System.String] $Country, - # Specifies the user's department (ldapDisplayName 'department') [Parameter()] [ValidateNotNull()] [System.String] $Department, - # Specifies the user's division (ldapDisplayName 'division') [Parameter()] [ValidateNotNull()] [System.String] $Division, - # Specifies the user's company (ldapDisplayName 'company') [Parameter()] [ValidateNotNull()] [System.String] $Company, - # Specifies the location of the user's office or place of business (ldapDisplayName 'physicalDeliveryOfficeName') [Parameter()] [ValidateNotNull()] [System.String] $Office, - # Specifies the user's title (ldapDisplayName 'title') [Parameter()] [ValidateNotNull()] [System.String] $JobTitle, - # Specifies the user's e-mail address (ldapDisplayName 'mail') [Parameter()] [ValidateNotNull()] [System.String] $EmailAddress, - # Specifies the user's employee ID (ldapDisplayName 'employeeID') [Parameter()] [ValidateNotNull()] [System.String] $EmployeeID, - # Specifies the user's employee number (ldapDisplayName 'employeeNumber') [Parameter()] [ValidateNotNull()] [System.String] $EmployeeNumber, - # Specifies a user's home directory path (ldapDisplayName 'homeDirectory') [Parameter()] [ValidateNotNull()] [System.String] $HomeDirectory, - # Specifies a drive that is associated with the UNC path defined by the HomeDirectory property (ldapDisplayName 'homeDrive') [Parameter()] [ValidateNotNull()] [System.String] $HomeDrive, - # Specifies the URL of the home page of the object (ldapDisplayName 'wWWHomePage') [Parameter()] [ValidateNotNull()] [System.String] $HomePage, - # Specifies a path to the user's profile (ldapDisplayName 'profilePath') [Parameter()] [ValidateNotNull()] [System.String] $ProfilePath, - # Specifies a path to the user's log on script (ldapDisplayName 'scriptPath') [Parameter()] [ValidateNotNull()] [System.String] $LogonScript, - # Specifies the notes attached to the user's account (ldapDisplayName 'info') [Parameter()] [ValidateNotNull()] [System.String] $Notes, - # Specifies the user's office telephone number (ldapDisplayName 'telephoneNumber') [Parameter()] [ValidateNotNull()] [System.String] $OfficePhone, - # Specifies the user's mobile phone number (ldapDisplayName 'mobile') [Parameter()] [ValidateNotNull()] [System.String] $MobilePhone, - # Specifies the user's fax phone number (ldapDisplayName 'facsimileTelephoneNumber') [Parameter()] [ValidateNotNull()] [System.String] $Fax, - # Specifies the user's home telephone number (ldapDisplayName 'homePhone') [Parameter()] [ValidateNotNull()] [System.String] $HomePhone, - # Specifies the user's pager number (ldapDisplayName 'pager') [Parameter()] [ValidateNotNull()] [System.String] $Pager, - # Specifies the user's IP telephony phone number (ldapDisplayName 'ipPhone') [Parameter()] [ValidateNotNull()] [System.String] $IPPhone, - # Specifies the user's manager specified as a Distinguished Name (ldapDisplayName 'manager') [Parameter()] [ValidateNotNull()] [System.String] $Manager, - # Specifies the computers that the user can access. (ldapDisplayName 'userWorkStations') [Parameter()] [ValidateNotNull()] [System.String] $LogonWorkstations, - # Specifies the user's organization (ldapDisplayName 'o') [Parameter()] [ValidateNotNull()] [System.String] $Organization, - # Specifies a name in addition to a user's given name and surname (ldaDisplayName 'middleName') [Parameter()] [ValidateNotNull()] [System.String] $OtherName, - # Specifies if the account is enabled (default True) [Parameter()] [ValidateNotNull()] [System.Boolean] $Enabled = $true, - # Specifies whether the account password can be changed [Parameter()] [ValidateNotNull()] [System.Boolean] $CannotChangePassword, - # Specifies whether the account password must be changed during the next logon attempt [Parameter()] [ValidateNotNull()] [System.Boolean] $ChangePasswordAtLogon, - # Specifies whether the password of an account can expire [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNeverExpires, - # Specifies whether an account is trusted for Kerberos delegation [Parameter()] [ValidateNotNull()] [System.Boolean] $TrustedForDelegation, - # Indicates whether the security context of the user is delegated to a service. [Parameter()] [ValidateNotNull()] [System.Boolean] $AccountNotDelegated, - # Indicates whether reversible password encryption is allowed for the account. [Parameter()] [ValidateNotNull()] [System.Boolean] $AllowReversiblePasswordEncryption, - # Specifies whether an account supports Kerberos service tickets which includes the authorization data for the user's device. [Parameter()] [ValidateNotNull()] [System.Boolean] $CompoundIdentitySupported, - # Specifies whether the account requires a password. A password is not required for a new account. [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNotRequired, - # Specifies whether a smart card is required to logon. [Parameter()] [ValidateNotNull()] [System.Boolean] $SmartcardLogonRequired, - # Specifies the Active Directory Domain Services instance to use to perform the task. [Parameter()] [ValidateNotNull()] [System.String] $DomainController, - # Specifies the user account credentials to use to perform this task. Ideally this should just be called 'Credential' but is here for backwards compatibility [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] - $DomainAdministratorCredential, + $Credential, - # Specifies the authentication context type when testing user passwords #61 [Parameter()] [ValidateSet('Default', 'Negotiate')] [System.String] $PasswordAuthentication = 'Default', - # Specifies whether an existing user's password should be reset (default $false). [Parameter()] [ValidateNotNull()] [System.Boolean] $PasswordNeverResets = $false, - # Try to restore the organizational unit from the recycle bin before creating a new one. [Parameter()] [ValidateNotNull()] [System.Boolean] $RestoreFromRecycleBin, - # Specifies the service principal names registered on the user account [Parameter()] [ValidateNotNull()] [System.String[]] $ServicePrincipalNames, - # Specifies the Proxy Addresses registered on the user account [Parameter()] [ValidateNotNull()] [System.String[]] @@ -2255,9 +2078,9 @@ function Set-TargetResource PasswordAuthentication = $PasswordAuthentication } - if ($DomainAdministratorCredential) + if ($Credential) { - $testPasswordParams['DomainAdministratorCredential'] = $DomainAdministratorCredential + $testPasswordParams['Credential'] = $Credential } if (-not (Test-Password @testPasswordParams)) @@ -2486,7 +2309,7 @@ function Assert-Parameters .PARAMETER Password Specifies a new password value for the account. - .PARAMETER DomainAdministratorCredential + .PARAMETER Credential Specifies the user account credentials to use to perform this task. .PARAMETER PasswordAuthentication @@ -2516,7 +2339,7 @@ function Test-Password [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] - $DomainAdministratorCredential, + $Credential, # Specifies the authentication context type when testing user passwords #61 [Parameter(Mandatory = $true)] @@ -2529,13 +2352,29 @@ function Test-Password Add-Type -AssemblyName 'System.DirectoryServices.AccountManagement' - if ($DomainAdministratorCredential) + <# + If the domain name contains a distinguished name, set it to the fully + qualified domain name (FQDN) instead. + If the $DomainName does not contain a distinguished name the function + Get-ADDomainNameFromDistinguishedName returns $null. + #> + $fullyQualifiedDomainName = Get-ADDomainNameFromDistinguishedName -DistinguishedName $DomainName + if ($fullyQualifiedDomainName) + { + $DomainName = $fullyQualifiedDomainName + } + + if ($Credential) { + Write-Verbose -Message ( + $script:localizedData.CheckingADUserPassword -f $Credential.UserName, $UserName + ) + $principalContext = New-Object -TypeName 'System.DirectoryServices.AccountManagement.PrincipalContext' -ArgumentList @( [System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName, - $DomainAdministratorCredential.UserName, - $DomainAdministratorCredential.GetNetworkCredential().Password + $Credential.UserName, + $Credential.GetNetworkCredential().Password ) } else diff --git a/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof b/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof index acfc84aec..d2c7766ec 100644 --- a/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof +++ b/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof @@ -48,7 +48,7 @@ class MSFT_ADUser : OMI_BaseResource [Write, Description("Specifies whether the account password must be changed during the next logon attempt. This will only be enabled when the user is initially created. This parameter cannot be set to $true if the parameter PasswordNeverExpires is also set to $true.")] Boolean ChangePasswordAtLogon; [Write, Description("Specifies whether the password of an account can expire.")] Boolean PasswordNeverExpires; [Write, Description("Specifies the Active Directory Domain Services instance to use to perform the task.")] String DomainController; - [Write, Description("Specifies the user account credentials to use to perform this task."), EmbeddedInstance("MSFT_Credential")] String DomainAdministratorCredential; + [Write, Description("Specifies the user account credentials to use to perform this task."), EmbeddedInstance("MSFT_Credential")] String Credential; [Write, Description("Specifies the authentication context type used when testing passwords. Default value is 'Default'."), ValueMap{"Default","Negotiate"},Values{"Default","Negotiate"}] String PasswordAuthentication; [Write, Description("Specifies whether existing user's password should be reset. Default value is $false.")] Boolean PasswordNeverResets; [Write, Description("Specifies whether an account is trusted for Kerberos delegation. Default value is $false.")] Boolean TrustedForDelegation; diff --git a/DSCResources/MSFT_ADUser/en-US/MSFT_ADUser.strings.psd1 b/DSCResources/MSFT_ADUser/en-US/MSFT_ADUser.strings.psd1 index e9f3a8d94..1bdd43482 100644 --- a/DSCResources/MSFT_ADUser/en-US/MSFT_ADUser.strings.psd1 +++ b/DSCResources/MSFT_ADUser/en-US/MSFT_ADUser.strings.psd1 @@ -18,4 +18,5 @@ ConvertFrom-StringData @' MovingADUser = Moving user from '{0}' to '{1}'. (ADU0016) RenamingADUser = Renaming user from '{0}' to '{1}'. (ADU0017) RestoringUser = Attempting to restore the user object {0} from the recycle bin. (ADU0018) + TestPasswordUsingImpersonation = Impersonating the credentials ''{0}'' to test password for user ''{1}''. '@ diff --git a/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 b/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 index 55d6a2068..34f055d87 100644 --- a/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 +++ b/Tests/Integration/MSFT_ADUser.Integration.Tests.ps1 @@ -73,9 +73,59 @@ try } $resourceCurrentState.Ensure | Should -Be 'Present' - $resourceCurrentState.UserName | Should -Be 'DscUser1' - $resourceCurrentState.UserPrincipalName | Should -Be 'DscUser1' - $resourceCurrentState.DisplayName | Should -Be 'Dsc User 1' + $resourceCurrentState.UserName | Should -Be $ConfigurationData.AllNodes.UserName1 + $resourceCurrentState.UserPrincipalName | Should -Be $ConfigurationData.AllNodes.UserName1 + $resourceCurrentState.DisplayName | Should -Be $ConfigurationData.AllNodes.DisplayName1 + $resourceCurrentState.DomainAdministratorCredential | Should -BeNullOrEmpty + } + + It 'Should return $true when Test-DscConfiguration is run' { + Test-DscConfiguration -Verbose | Should -BeTrue + } + } + + $configurationName = "$($script:dscResourceName)_RemoveUser1_Config" + + Context ('When using configuration {0}' -f $configurationName) { + It 'Should compile and apply the MOF without throwing' { + { + $configurationParameters = @{ + OutputPath = $TestDrive + # The variable $ConfigurationData was dot-sourced above. + ConfigurationData = $ConfigurationData + } + + & $configurationName @configurationParameters + + $startDscConfigurationParameters = @{ + Path = $TestDrive + ComputerName = 'localhost' + Wait = $true + Verbose = $true + Force = $true + ErrorAction = 'Stop' + } + + Start-DscConfiguration @startDscConfigurationParameters + } | Should -Not -Throw + } + + It 'Should be able to call Get-DscConfiguration without throwing' { + { + $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction Stop + } | Should -Not -Throw + } + + It 'Should have set the resource and all the parameters should match' { + $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript { + $_.ConfigurationName -eq $configurationName ` + -and $_.ResourceId -eq $resourceId + } + + $resourceCurrentState.Ensure | Should -Be 'Absent' + $resourceCurrentState.UserName | Should -Be $ConfigurationData.AllNodes.UserName1 + $resourceCurrentState.UserPrincipalName | Should -BeNullOrEmpty + $resourceCurrentState.DisplayName | Should -BeNullOrEmpty $resourceCurrentState.DomainAdministratorCredential | Should -BeNullOrEmpty } diff --git a/Tests/Integration/MSFT_ADUser.config.ps1 b/Tests/Integration/MSFT_ADUser.config.ps1 index b42e2f8f5..94f056442 100644 --- a/Tests/Integration/MSFT_ADUser.config.ps1 +++ b/Tests/Integration/MSFT_ADUser.config.ps1 @@ -13,8 +13,9 @@ if (Test-Path -Path $configFile) } else { - $computersContainerDistinguishedName = (Get-ADDomain).ComputersContainer - if ($computersContainerDistinguishedName -match 'DC=.+') + $currentDomain = Get-ADDomain + $netBiosDomainName = $currentDomain.NetBIOSName + if ($currentDomain.ComputersContainer -match 'DC=.+') { $domainDistinguishedName = $matches[0] } @@ -26,18 +27,20 @@ else CertificateFile = $env:DscPublicCertificatePath DomainDistinguishedName = $domainDistinguishedName - UserNamePrefix = 'DscUser' - DisplayNamePrefix = 'Dsc User' + NetBIOSName = $netBiosDomainName + + UserName1 = 'DscTestUser1' + DisplayName1 = 'Dsc Test User 1' Password = New-Object ` -TypeName System.Management.Automation.PSCredential ` -ArgumentList @( - 'AnyName', - (ConvertTo-SecureString -String 'P@ssW0rd1' -AsPlainText -Force) - ) + 'AnyName', + (ConvertTo-SecureString -String 'P@ssW0rd1' -AsPlainText -Force) + ) - AdministratorUserName = ('{0}\Administrator' -f $domainDistinguishedName) - AdministratorPassword = 'P@ssw0rd1' + AdministratorUserName = ('{0}\Administrator' -f $netBiosDomainName) + AdministratorPassword = 'P@ssw0rd1' } ) } @@ -45,7 +48,7 @@ else <# .SYNOPSIS - Creates a user account with a password that never expires. + Removes a user account. #> Configuration MSFT_ADUser_CreateUser1_Config { @@ -55,21 +58,46 @@ Configuration MSFT_ADUser_CreateUser1_Config { ADUser 'Integration_Test' { - DomainName = $Node.DomainDistinguishedName - UserName = '{0}1' -f $Node.UserNamePrefix - UserPrincipalName = '{0}1' -f $Node.UserNamePrefix - DisplayName = '{0} 1' -f $Node.DisplayNamePrefix + # Using distinguished name for DomainName - Regression test for issue #451. + DomainName = $Node.DomainDistinguishedName + UserName = $Node.UserName1 + UserPrincipalName = $Node.UserName1 + DisplayName = $Node.DisplayName1 PasswordNeverExpires = $true - Password = $Node.Password + Password = $Node.Password - PasswordNeverResets = $true + Credential = New-Object ` + -TypeName System.Management.Automation.PSCredential ` + -ArgumentList @( + $Node.AdministratorUserName, + (ConvertTo-SecureString -String $Node.AdministratorPassword -AsPlainText -Force) + ) + } + } +} - DomainAdministratorCredential = New-Object ` +<# + .SYNOPSIS + Creates a user account with a password that never expires. +#> +Configuration MSFT_ADUser_RemoveUser1_Config +{ + Import-DscResource -ModuleName 'ActiveDirectoryDsc' + + node $AllNodes.NodeName + { + ADUser 'Integration_Test' + { + Ensure = 'Absent' + DomainName = $Node.DomainDistinguishedName + UserName = $Node.UserName1 + + Credential = New-Object ` -TypeName System.Management.Automation.PSCredential ` -ArgumentList @( - $Node.AdministratorUserName, - (ConvertTo-SecureString -String $Node.AdministratorPassword -AsPlainText -Force) - ) + $Node.AdministratorUserName, + (ConvertTo-SecureString -String $Node.AdministratorPassword -AsPlainText -Force) + ) } } } From 7bd82dc840e50acce915902cf825fb38eb31cc46 Mon Sep 17 00:00:00 2001 From: Johan Ljunggren Date: Sun, 28 Jul 2019 18:23:46 +0200 Subject: [PATCH 3/5] Fix examples --- .../1-AddComputerAccount_Config.ps1 | 1 - .../2-AddComputerAccountDisabled_Config.ps1 | 1 - ...-AddComputerAccountSpecificPath_Config.ps1 | 1 - ...puterAccountAndCreateODJRequest_Config.ps1 | 1 - .../Resources/ADDomain/1-NewForest_Config.ps1 | 1 - .../ADDomain/2-NewChildDomain_Config.ps1 | 1 - ...wForestwithParentAndChildDomain_Config.ps1 | 63 +++++++++---------- .../ADDomain/4-NewDomainWithTwoDCs_Config.ps1 | 61 +++++++++--------- ...DomainControllerToDomainMinimal_Config.ps1 | 1 - ...ControllerToDomainAllProperties_Config.ps1 | 1 - ...omainControllerToDomainUsingIFM_Config.ps1 | 1 - ...-ConfigureDefaultPasswordPolicy_Config.ps1 | 1 - .../ADDomainTrust/1-NewOneWayTrust_Config.ps1 | 1 - .../1-ReplaceForestProperties_Config.ps1 | 1 - .../2-AddRemoveForestProperties_Config.ps1 | 1 - .../Resources/ADGroup/1-NewGroup_Config.ps1 | 1 - .../ADGroup/2-NewGroupWithMembers_Config.ps1 | 1 - .../3-NewGroupMultidomainMembers_Config.ps1 | 1 - .../ADKDSKey/1-CreateKDSRootKey_Config.ps1 | 1 - .../2-CreateKDSRootKeyInPast_Config.ps1 | 1 - ...3-CreateKDSRootKeyRemoveLastKey_Config.ps1 | 1 - .../1-CreateManagedServiceAccount_Config.ps1 | 1 - ...reateGroupManagedServiceAccount_Config.ps1 | 1 - ...anagedServiceAccountWithMembers_Config.ps1 | 1 - .../1-DelegateFullControl_Config.ps1 | 1 - .../2-CreateDeleteComputerObject_Config.ps1 | 1 - ...adWriteComputerObjectProperties_Config.ps1 | 1 - .../1-CreateADOU_Config.ps1 | 1 - .../1-EnableADRecycleBin_Config.ps1 | 1 - .../1-CreateADReplicationSite_Config.ps1 | 1 - ...eADReplicationSiteRenameDefault_Config.ps1 | 1 - .../3-RemoveADReplicationSite_Config.ps1 | 1 - .../1-CreateReplicationSiteLink_Config.ps1 | 1 - ...difyExistingReplicationSiteLink_Config.ps1 | 1 - .../1-CreateReplicationSubnet_Config.ps1 | 1 - .../1-AddUserServicePrincipalName_Config.ps1 | 1 - ...AddComputerServicePrincipalName_Config.ps1 | 1 - .../1-CreateUserAndManagePassword_Config.ps1 | 1 - ...ateUserAndIgnorePasswordChanges_Config.ps1 | 1 - .../1-WaitForADDomain_Config.ps1 | 1 - 40 files changed, 61 insertions(+), 101 deletions(-) diff --git a/Examples/Resources/ADComputer/1-AddComputerAccount_Config.ps1 b/Examples/Resources/ADComputer/1-AddComputerAccount_Config.ps1 index 05eec617b..f29d5cd8e 100644 --- a/Examples/Resources/ADComputer/1-AddComputerAccount_Config.ps1 +++ b/Examples/Resources/ADComputer/1-AddComputerAccount_Config.ps1 @@ -22,7 +22,6 @@ This configuration will create two Active Directory computer accounts enabled. The property Enabled will not be enforced in either case. #> - Configuration AddComputerAccount_Config { param diff --git a/Examples/Resources/ADComputer/2-AddComputerAccountDisabled_Config.ps1 b/Examples/Resources/ADComputer/2-AddComputerAccountDisabled_Config.ps1 index c25bdf426..8f9ec4437 100644 --- a/Examples/Resources/ADComputer/2-AddComputerAccountDisabled_Config.ps1 +++ b/Examples/Resources/ADComputer/2-AddComputerAccountDisabled_Config.ps1 @@ -22,7 +22,6 @@ This configuration will create an Active Directory computer account disabled. The property Enabled will not be enforced. #> - Configuration AddComputerAccountDisabled_Config { param diff --git a/Examples/Resources/ADComputer/3-AddComputerAccountSpecificPath_Config.ps1 b/Examples/Resources/ADComputer/3-AddComputerAccountSpecificPath_Config.ps1 index e34d1bdc5..d3c43ebc9 100644 --- a/Examples/Resources/ADComputer/3-AddComputerAccountSpecificPath_Config.ps1 +++ b/Examples/Resources/ADComputer/3-AddComputerAccountSpecificPath_Config.ps1 @@ -23,7 +23,6 @@ on the specified domain controller and in the specific organizational unit. #> - Configuration AddComputerAccountSpecificPath_Config { param diff --git a/Examples/Resources/ADComputer/4-AddComputerAccountAndCreateODJRequest_Config.ps1 b/Examples/Resources/ADComputer/4-AddComputerAccountAndCreateODJRequest_Config.ps1 index fb46f3682..41a538e41 100644 --- a/Examples/Resources/ADComputer/4-AddComputerAccountAndCreateODJRequest_Config.ps1 +++ b/Examples/Resources/ADComputer/4-AddComputerAccountAndCreateODJRequest_Config.ps1 @@ -24,7 +24,6 @@ unit. After the account is create an Offline Domain Join Request file is created to the specified path. #> - Configuration AddComputerAccountAndCreateODJRequest_Config { param diff --git a/Examples/Resources/ADDomain/1-NewForest_Config.ps1 b/Examples/Resources/ADDomain/1-NewForest_Config.ps1 index bab1dc4b6..c0b655c49 100644 --- a/Examples/Resources/ADDomain/1-NewForest_Config.ps1 +++ b/Examples/Resources/ADDomain/1-NewForest_Config.ps1 @@ -22,7 +22,6 @@ This configuration will create a new domain with a new forest and a forest functional level of Server 2016. #> - Configuration NewForest_Config { param diff --git a/Examples/Resources/ADDomain/2-NewChildDomain_Config.ps1 b/Examples/Resources/ADDomain/2-NewChildDomain_Config.ps1 index c8020268f..37e0bc3f1 100644 --- a/Examples/Resources/ADDomain/2-NewChildDomain_Config.ps1 +++ b/Examples/Resources/ADDomain/2-NewChildDomain_Config.ps1 @@ -22,7 +22,6 @@ This configuration will create a new child domain in an existing forest with a Domain Functional Level of Windows Server 2012R2. #> - Configuration NewChildDomain_Config { param diff --git a/Examples/Resources/ADDomain/3-NewForestwithParentAndChildDomain_Config.ps1 b/Examples/Resources/ADDomain/3-NewForestwithParentAndChildDomain_Config.ps1 index 0038b8ea6..09bd950f2 100644 --- a/Examples/Resources/ADDomain/3-NewForestwithParentAndChildDomain_Config.ps1 +++ b/Examples/Resources/ADDomain/3-NewForestwithParentAndChildDomain_Config.ps1 @@ -17,12 +17,36 @@ #Requires -module ActiveDirectoryDsc +$ConfigurationData = @{ + AllNodes = @( + @{ + NodeName = 'dsc-testNode1' + Role = 'Parent DC' + DomainName = 'dsc-test.contoso.com' + CertificateFile = 'C:\publicKeys\targetNode.cer' + Thumbprint = 'AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8' + RetryCount = 50 + RetryIntervalSec = 30 + }, + + @{ + NodeName = 'dsc-testNode2' + Role = 'Child DC' + DomainName = 'dsc-child' + ParentDomainName = 'dsc-test.contoso.com' + CertificateFile = 'C:\publicKeys\targetNode.cer' + Thumbprint = 'AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8' + RetryCount = 50 + RetryIntervalSec = 30 + } + ) +} + <# .DESCRIPTION This configuration will create a domain, and then create a child domain on another node. #> - Configuration NewForestWithParentAndChildDomain_Config { param @@ -74,12 +98,12 @@ Configuration NewForestWithParentAndChildDomain_Config ADUser 'FirstUser' { - DomainName = $Node.DomainName - DomainAdministratorCredential = $domaincred - UserName = 'dummy' - Password = $NewADUserCred - Ensure = 'Present' - DependsOn = '[WaitForADDomain]DscForestWait' + DomainName = $Node.DomainName + Credential = $domaincred + UserName = 'dummy' + Password = $NewADUserCred + Ensure = 'Present' + DependsOn = '[WaitForADDomain]DscForestWait' } } @@ -111,28 +135,3 @@ Configuration NewForestWithParentAndChildDomain_Config } } } - -$ConfigurationData = @{ - AllNodes = @( - @{ - NodeName = 'dsc-testNode1' - Role = 'Parent DC' - DomainName = 'dsc-test.contoso.com' - CertificateFile = 'C:\publicKeys\targetNode.cer' - Thumbprint = 'AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8' - RetryCount = 50 - RetryIntervalSec = 30 - }, - - @{ - NodeName = 'dsc-testNode2' - Role = 'Child DC' - DomainName = 'dsc-child' - ParentDomainName = 'dsc-test.contoso.com' - CertificateFile = 'C:\publicKeys\targetNode.cer' - Thumbprint = 'AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8' - RetryCount = 50 - RetryIntervalSec = 30 - } - ) -} diff --git a/Examples/Resources/ADDomain/4-NewDomainWithTwoDCs_Config.ps1 b/Examples/Resources/ADDomain/4-NewDomainWithTwoDCs_Config.ps1 index f8d4539da..dd8428f7e 100644 --- a/Examples/Resources/ADDomain/4-NewDomainWithTwoDCs_Config.ps1 +++ b/Examples/Resources/ADDomain/4-NewDomainWithTwoDCs_Config.ps1 @@ -17,6 +17,30 @@ #Requires -module ActiveDirectoryDsc +# Configuration Data for AD +$ConfigurationData = @{ + AllNodes = @( + @{ + NodeName = 'dsc-testNode1' + Role = 'Primary DC' + DomainName = 'dsc-test.contoso.com' + CertificateFile = 'C:\publicKeys\targetNode.cer' + Thumbprint = 'AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8' + RetryCount = 20 + RetryIntervalSec = 30 + }, + @{ + NodeName = 'dsc-testNode2' + Role = 'Replica DC' + DomainName = 'dsc-test.contoso.com' + CertificateFile = 'C:\publicKeys\targetNode.cer' + Thumbprint = 'AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8' + RetryCount = 20 + RetryIntervalSec = 30 + } + ) +} + <# .DESCRIPTION This configuration will create a highly available domain by adding @@ -24,7 +48,6 @@ The WaitForDomain resource is used to ensure that the domain is present before the second domain controller is added. #> - Configuration NewDomainWithTwoDCs_Config { param @@ -76,12 +99,12 @@ Configuration NewDomainWithTwoDCs_Config ADUser 'FirstUser' { - DomainName = $Node.DomainName - DomainAdministratorCredential = $domainCred - UserName = 'dummy' - Password = $NewADUserCred - Ensure = 'Present' - DependsOn = '[WaitForADDomain]DscForestWait' + DomainName = $Node.DomainName + Credential = $domainCred + UserName = 'dummy' + Password = $NewADUserCred + Ensure = 'Present' + DependsOn = '[WaitForADDomain]DscForestWait' } } @@ -111,27 +134,3 @@ Configuration NewDomainWithTwoDCs_Config } } } - -# Configuration Data for AD -$ConfigurationData = @{ - AllNodes = @( - @{ - NodeName = 'dsc-testNode1' - Role = 'Primary DC' - DomainName = 'dsc-test.contoso.com' - CertificateFile = 'C:\publicKeys\targetNode.cer' - Thumbprint = 'AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8' - RetryCount = 20 - RetryIntervalSec = 30 - }, - @{ - NodeName = 'dsc-testNode2' - Role = 'Replica DC' - DomainName = 'dsc-test.contoso.com' - CertificateFile = 'C:\publicKeys\targetNode.cer' - Thumbprint = 'AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8' - RetryCount = 20 - RetryIntervalSec = 30 - } - ) -} diff --git a/Examples/Resources/ADDomainController/1-AddDomainControllerToDomainMinimal_Config.ps1 b/Examples/Resources/ADDomainController/1-AddDomainControllerToDomainMinimal_Config.ps1 index f6274c6f2..634b15e88 100644 --- a/Examples/Resources/ADDomainController/1-AddDomainControllerToDomainMinimal_Config.ps1 +++ b/Examples/Resources/ADDomainController/1-AddDomainControllerToDomainMinimal_Config.ps1 @@ -22,7 +22,6 @@ This configuration will add a domain controller to the domain contoso.com. #> - Configuration AddDomainControllerToDomainMinimal_Config { param diff --git a/Examples/Resources/ADDomainController/2-AddDomainControllerToDomainAllProperties_Config.ps1 b/Examples/Resources/ADDomainController/2-AddDomainControllerToDomainAllProperties_Config.ps1 index 6446cb814..f6e492d23 100644 --- a/Examples/Resources/ADDomainController/2-AddDomainControllerToDomainAllProperties_Config.ps1 +++ b/Examples/Resources/ADDomainController/2-AddDomainControllerToDomainAllProperties_Config.ps1 @@ -22,7 +22,6 @@ This configuration will add a domain controller to the domain contoso.com, specifying all properties of the resource. #> - Configuration AddDomainControllerToDomainAllProperties_Config { param diff --git a/Examples/Resources/ADDomainController/3-AddDomainControllerToDomainUsingIFM_Config.ps1 b/Examples/Resources/ADDomainController/3-AddDomainControllerToDomainUsingIFM_Config.ps1 index 630820678..bed9dfd12 100644 --- a/Examples/Resources/ADDomainController/3-AddDomainControllerToDomainUsingIFM_Config.ps1 +++ b/Examples/Resources/ADDomainController/3-AddDomainControllerToDomainUsingIFM_Config.ps1 @@ -22,7 +22,6 @@ This configuration will add a domain controller to the domain contoso.com using the information from media. #> - Configuration AddDomainControllerToDomainUsingIFM_Config { param diff --git a/Examples/Resources/ADDomainDefaultPasswordPolicy/1-ConfigureDefaultPasswordPolicy_Config.ps1 b/Examples/Resources/ADDomainDefaultPasswordPolicy/1-ConfigureDefaultPasswordPolicy_Config.ps1 index bbf208a91..14988f7b1 100644 --- a/Examples/Resources/ADDomainDefaultPasswordPolicy/1-ConfigureDefaultPasswordPolicy_Config.ps1 +++ b/Examples/Resources/ADDomainDefaultPasswordPolicy/1-ConfigureDefaultPasswordPolicy_Config.ps1 @@ -22,7 +22,6 @@ This configuration will set an Active Directory domain's default password policy to set the minimum password length and complexity. #> - Configuration ConfigureDefaultPasswordPolicy_Config { Param diff --git a/Examples/Resources/ADDomainTrust/1-NewOneWayTrust_Config.ps1 b/Examples/Resources/ADDomainTrust/1-NewOneWayTrust_Config.ps1 index 1c86c5f0e..678698e5a 100644 --- a/Examples/Resources/ADDomainTrust/1-NewOneWayTrust_Config.ps1 +++ b/Examples/Resources/ADDomainTrust/1-NewOneWayTrust_Config.ps1 @@ -22,7 +22,6 @@ This configuration will create a new one way inbound trust between two domains. #> - Configuration NewOneWayTrust_Config { param diff --git a/Examples/Resources/ADForestProperties/1-ReplaceForestProperties_Config.ps1 b/Examples/Resources/ADForestProperties/1-ReplaceForestProperties_Config.ps1 index fa0f96e70..38d293ece 100644 --- a/Examples/Resources/ADForestProperties/1-ReplaceForestProperties_Config.ps1 +++ b/Examples/Resources/ADForestProperties/1-ReplaceForestProperties_Config.ps1 @@ -23,7 +23,6 @@ in the forest by replacing any existing suffixes with the ones specified in the configuration. #> - Configuration ReplaceForestProperties_Config { Import-DscResource -ModuleName ActiveDirectoryDsc diff --git a/Examples/Resources/ADForestProperties/2-AddRemoveForestProperties_Config.ps1 b/Examples/Resources/ADForestProperties/2-AddRemoveForestProperties_Config.ps1 index 1a1442510..0e641961c 100644 --- a/Examples/Resources/ADForestProperties/2-AddRemoveForestProperties_Config.ps1 +++ b/Examples/Resources/ADForestProperties/2-AddRemoveForestProperties_Config.ps1 @@ -23,7 +23,6 @@ the forest by adding and removing the desired suffixes. This will not overwrite existing suffixes in the forest. #> - Configuration AddRemoveForestProperties_Config { Import-DscResource -ModuleName ActiveDirectoryDsc diff --git a/Examples/Resources/ADGroup/1-NewGroup_Config.ps1 b/Examples/Resources/ADGroup/1-NewGroup_Config.ps1 index c4328d1dd..32a7655d7 100644 --- a/Examples/Resources/ADGroup/1-NewGroup_Config.ps1 +++ b/Examples/Resources/ADGroup/1-NewGroup_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will create a new domain-local group #> - Configuration NewGroup_Config { param diff --git a/Examples/Resources/ADGroup/2-NewGroupWithMembers_Config.ps1 b/Examples/Resources/ADGroup/2-NewGroupWithMembers_Config.ps1 index 21eddb367..f9bb482a9 100644 --- a/Examples/Resources/ADGroup/2-NewGroupWithMembers_Config.ps1 +++ b/Examples/Resources/ADGroup/2-NewGroupWithMembers_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will create a new domain-local group with three members. #> - Configuration NewGroupWithMembers_Config { Import-DscResource -ModuleName ActiveDirectoryDsc diff --git a/Examples/Resources/ADGroup/3-NewGroupMultidomainMembers_Config.ps1 b/Examples/Resources/ADGroup/3-NewGroupMultidomainMembers_Config.ps1 index a2d881bbc..cd8c6a32f 100644 --- a/Examples/Resources/ADGroup/3-NewGroupMultidomainMembers_Config.ps1 +++ b/Examples/Resources/ADGroup/3-NewGroupMultidomainMembers_Config.ps1 @@ -22,7 +22,6 @@ This configuration will create a new domain-local group in contoso with three members in different domains. #> - Configuration NewGroupMultiDomainMembers_Config { Import-DscResource -ModuleName ActiveDirectoryDsc diff --git a/Examples/Resources/ADKDSKey/1-CreateKDSRootKey_Config.ps1 b/Examples/Resources/ADKDSKey/1-CreateKDSRootKey_Config.ps1 index 1567ad5a6..0d73a8789 100644 --- a/Examples/Resources/ADKDSKey/1-CreateKDSRootKey_Config.ps1 +++ b/Examples/Resources/ADKDSKey/1-CreateKDSRootKey_Config.ps1 @@ -23,7 +23,6 @@ slightly ahead in the future, the key won't be usable for at least 10 hours from the creation time. #> - Configuration CreateKDSRootKey_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADKDSKey/2-CreateKDSRootKeyInPast_Config.ps1 b/Examples/Resources/ADKDSKey/2-CreateKDSRootKeyInPast_Config.ps1 index d560aa114..264bd856f 100644 --- a/Examples/Resources/ADKDSKey/2-CreateKDSRootKeyInPast_Config.ps1 +++ b/Examples/Resources/ADKDSKey/2-CreateKDSRootKeyInPast_Config.ps1 @@ -24,7 +24,6 @@ replicated yet, there may be issues when retrieving the gMSA password. Use with caution #> - Configuration CreateKDSRootKeyInPast_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADKDSKey/3-CreateKDSRootKeyRemoveLastKey_Config.ps1 b/Examples/Resources/ADKDSKey/3-CreateKDSRootKeyRemoveLastKey_Config.ps1 index dba2976d0..295e6fc06 100644 --- a/Examples/Resources/ADKDSKey/3-CreateKDSRootKeyRemoveLastKey_Config.ps1 +++ b/Examples/Resources/ADKDSKey/3-CreateKDSRootKeyRemoveLastKey_Config.ps1 @@ -23,7 +23,6 @@ If gMSAs are installed on the network, they will not be able to reset their passwords and it may cause services to fail. #> - Configuration CreateKDSRootKeyRemoveLastKey_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADManagedServiceAccount/1-CreateManagedServiceAccount_Config.ps1 b/Examples/Resources/ADManagedServiceAccount/1-CreateManagedServiceAccount_Config.ps1 index 5e19270b3..e396243dc 100644 --- a/Examples/Resources/ADManagedServiceAccount/1-CreateManagedServiceAccount_Config.ps1 +++ b/Examples/Resources/ADManagedServiceAccount/1-CreateManagedServiceAccount_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will create a managed service account. #> - Configuration CreateManagedServiceAccount_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADManagedServiceAccount/2-CreateGroupManagedServiceAccount_Config.ps1 b/Examples/Resources/ADManagedServiceAccount/2-CreateGroupManagedServiceAccount_Config.ps1 index aaee164ee..ed4d48800 100644 --- a/Examples/Resources/ADManagedServiceAccount/2-CreateGroupManagedServiceAccount_Config.ps1 +++ b/Examples/Resources/ADManagedServiceAccount/2-CreateGroupManagedServiceAccount_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will create a group managed service account. #> - Configuration CreateGroupManagedServiceAccount_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADManagedServiceAccount/3-CreateGroupManagedServiceAccountWithMembers_Config.ps1 b/Examples/Resources/ADManagedServiceAccount/3-CreateGroupManagedServiceAccountWithMembers_Config.ps1 index ad93af96e..a3863adb2 100644 --- a/Examples/Resources/ADManagedServiceAccount/3-CreateGroupManagedServiceAccountWithMembers_Config.ps1 +++ b/Examples/Resources/ADManagedServiceAccount/3-CreateGroupManagedServiceAccountWithMembers_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will create a group managed service account with members. #> - Configuration CreateGroupManagedServiceAccountWithMembers_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADObjectPermissionEntry/1-DelegateFullControl_Config.ps1 b/Examples/Resources/ADObjectPermissionEntry/1-DelegateFullControl_Config.ps1 index 715c293d5..b6d25881f 100644 --- a/Examples/Resources/ADObjectPermissionEntry/1-DelegateFullControl_Config.ps1 +++ b/Examples/Resources/ADObjectPermissionEntry/1-DelegateFullControl_Config.ps1 @@ -24,7 +24,6 @@ CONTOSO\CLUSTER01$. This is used so that the Windows Failover Cluster can control the roles AD objects. #> - Configuration DelegateFullControl_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADObjectPermissionEntry/2-CreateDeleteComputerObject_Config.ps1 b/Examples/Resources/ADObjectPermissionEntry/2-CreateDeleteComputerObject_Config.ps1 index 9a714fdac..9de7a4d93 100644 --- a/Examples/Resources/ADObjectPermissionEntry/2-CreateDeleteComputerObject_Config.ps1 +++ b/Examples/Resources/ADObjectPermissionEntry/2-CreateDeleteComputerObject_Config.ps1 @@ -23,7 +23,6 @@ (CreateChild,DeleteChild) computer objects in an OU and any sub-OUs that may get created. #> - Configuration CreateDeleteComputerObject_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADObjectPermissionEntry/3-ReadWriteComputerObjectProperties_Config.ps1 b/Examples/Resources/ADObjectPermissionEntry/3-ReadWriteComputerObjectProperties_Config.ps1 index c1a7f0242..eebbeb55f 100644 --- a/Examples/Resources/ADObjectPermissionEntry/3-ReadWriteComputerObjectProperties_Config.ps1 +++ b/Examples/Resources/ADObjectPermissionEntry/3-ReadWriteComputerObjectProperties_Config.ps1 @@ -23,7 +23,6 @@ (ReadProperty, WriteProperty) of all properties of computer objects in an OU and any sub-OUs that may get created. #> - Configuration ReadWriteComputerObjectProperties_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADOrganizationalUnit/1-CreateADOU_Config.ps1 b/Examples/Resources/ADOrganizationalUnit/1-CreateADOU_Config.ps1 index 267a6ed98..2c9703111 100644 --- a/Examples/Resources/ADOrganizationalUnit/1-CreateADOU_Config.ps1 +++ b/Examples/Resources/ADOrganizationalUnit/1-CreateADOU_Config.ps1 @@ -22,7 +22,6 @@ This configuration will add an Active Directory organizational unit to the domain. #> - Configuration CreateADOU_Config { param diff --git a/Examples/Resources/ADRecycleBin/1-EnableADRecycleBin_Config.ps1 b/Examples/Resources/ADRecycleBin/1-EnableADRecycleBin_Config.ps1 index 837fbe484..e15a7e0f8 100644 --- a/Examples/Resources/ADRecycleBin/1-EnableADRecycleBin_Config.ps1 +++ b/Examples/Resources/ADRecycleBin/1-EnableADRecycleBin_Config.ps1 @@ -22,7 +22,6 @@ This configuration will enable the Active Directory Recycle Bin for a specified Domain #> - Configuration EnableADRecycleBin_Config { param diff --git a/Examples/Resources/ADReplicationSite/1-CreateADReplicationSite_Config.ps1 b/Examples/Resources/ADReplicationSite/1-CreateADReplicationSite_Config.ps1 index 608087c74..3e947cec0 100644 --- a/Examples/Resources/ADReplicationSite/1-CreateADReplicationSite_Config.ps1 +++ b/Examples/Resources/ADReplicationSite/1-CreateADReplicationSite_Config.ps1 @@ -22,7 +22,6 @@ This configuration will create an Active Directory replication site called 'Seattle'. #> - Configuration CreateADReplicationSite_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADReplicationSite/2-CreateADReplicationSiteRenameDefault_Config.ps1 b/Examples/Resources/ADReplicationSite/2-CreateADReplicationSiteRenameDefault_Config.ps1 index d58a57ee7..5758c31a8 100644 --- a/Examples/Resources/ADReplicationSite/2-CreateADReplicationSiteRenameDefault_Config.ps1 +++ b/Examples/Resources/ADReplicationSite/2-CreateADReplicationSiteRenameDefault_Config.ps1 @@ -23,7 +23,6 @@ 'Seattle'. If the 'Default-First-Site-Name' site exists, it will rename this site instead of create a new one. #> - Configuration CreateADReplicationSiteRenameDefault_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADReplicationSite/3-RemoveADReplicationSite_Config.ps1 b/Examples/Resources/ADReplicationSite/3-RemoveADReplicationSite_Config.ps1 index 122a053b3..a0af75d3d 100644 --- a/Examples/Resources/ADReplicationSite/3-RemoveADReplicationSite_Config.ps1 +++ b/Examples/Resources/ADReplicationSite/3-RemoveADReplicationSite_Config.ps1 @@ -22,7 +22,6 @@ This configuration will remove the Active Directory replication site called 'Cupertino'. #> - Configuration RemoveADReplicationSite_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADReplicationSiteLInk/1-CreateReplicationSiteLink_Config.ps1 b/Examples/Resources/ADReplicationSiteLInk/1-CreateReplicationSiteLink_Config.ps1 index 53f55b50d..f25ef1441 100644 --- a/Examples/Resources/ADReplicationSiteLInk/1-CreateReplicationSiteLink_Config.ps1 +++ b/Examples/Resources/ADReplicationSiteLInk/1-CreateReplicationSiteLink_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will create an AD Replication Site Link. #> - Configuration CreateReplicationSiteLink_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADReplicationSiteLInk/2-ModifyExistingReplicationSiteLink_Config.ps1 b/Examples/Resources/ADReplicationSiteLInk/2-ModifyExistingReplicationSiteLink_Config.ps1 index 4396c995a..c7f52a9c6 100644 --- a/Examples/Resources/ADReplicationSiteLInk/2-ModifyExistingReplicationSiteLink_Config.ps1 +++ b/Examples/Resources/ADReplicationSiteLInk/2-ModifyExistingReplicationSiteLink_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will modify an existing AD Replication Site Link. #> - Configuration ModifyExistingReplicationSiteLink_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADReplicationSubnet/1-CreateReplicationSubnet_Config.ps1 b/Examples/Resources/ADReplicationSubnet/1-CreateReplicationSubnet_Config.ps1 index e881d82de..f43e538a9 100644 --- a/Examples/Resources/ADReplicationSubnet/1-CreateReplicationSubnet_Config.ps1 +++ b/Examples/Resources/ADReplicationSubnet/1-CreateReplicationSubnet_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will create an AD Replication Subnet. #> - Configuration CreateReplicationSubnet_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADServicePrincipalName/1-AddUserServicePrincipalName_Config.ps1 b/Examples/Resources/ADServicePrincipalName/1-AddUserServicePrincipalName_Config.ps1 index aeb342a5c..a523dde17 100644 --- a/Examples/Resources/ADServicePrincipalName/1-AddUserServicePrincipalName_Config.ps1 +++ b/Examples/Resources/ADServicePrincipalName/1-AddUserServicePrincipalName_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will add a Service Principal Name to a user account. #> - Configuration AddUserServicePrincipalName_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADServicePrincipalName/2-AddComputerServicePrincipalName_Config.ps1 b/Examples/Resources/ADServicePrincipalName/2-AddComputerServicePrincipalName_Config.ps1 index 22a83d6b7..59ae8e652 100644 --- a/Examples/Resources/ADServicePrincipalName/2-AddComputerServicePrincipalName_Config.ps1 +++ b/Examples/Resources/ADServicePrincipalName/2-AddComputerServicePrincipalName_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will add a Service Principal Name to a computer account. #> - Configuration AddComputerServicePrincipalName_Config { Import-DscResource -Module ActiveDirectoryDsc diff --git a/Examples/Resources/ADUser/1-CreateUserAndManagePassword_Config.ps1 b/Examples/Resources/ADUser/1-CreateUserAndManagePassword_Config.ps1 index 34681bdaf..bdb15582f 100644 --- a/Examples/Resources/ADUser/1-CreateUserAndManagePassword_Config.ps1 +++ b/Examples/Resources/ADUser/1-CreateUserAndManagePassword_Config.ps1 @@ -22,7 +22,6 @@ This configuration will create a user with a managed password. This might be used to manage the lifecycle of a service account. #> - Configuration CreateUserAndManagePassword_Config { param diff --git a/Examples/Resources/ADUser/2-CreateUserAndIgnorePasswordChanges_Config.ps1 b/Examples/Resources/ADUser/2-CreateUserAndIgnorePasswordChanges_Config.ps1 index e7858c096..172349a6f 100644 --- a/Examples/Resources/ADUser/2-CreateUserAndIgnorePasswordChanges_Config.ps1 +++ b/Examples/Resources/ADUser/2-CreateUserAndIgnorePasswordChanges_Config.ps1 @@ -23,7 +23,6 @@ when the password has changed. This might be used with a traditional user account where a managed password is not desired. #> - Configuration CreateUserAndIgnorePasswordChanges_Config { param diff --git a/Examples/Resources/WaitForADDomain/1-WaitForADDomain_Config.ps1 b/Examples/Resources/WaitForADDomain/1-WaitForADDomain_Config.ps1 index ee5ee82d6..fc832b6bd 100644 --- a/Examples/Resources/WaitForADDomain/1-WaitForADDomain_Config.ps1 +++ b/Examples/Resources/WaitForADDomain/1-WaitForADDomain_Config.ps1 @@ -21,7 +21,6 @@ .DESCRIPTION This configuration will wait for an AD Domain to respond before returning. #> - Configuration WaitForADDomain_Config { Import-DscResource -Module ActiveDirectoryDsc From 0f12881979981cb8a2b251e204d45fd893b14df9 Mon Sep 17 00:00:00 2001 From: Johan Ljunggren Date: Sun, 28 Jul 2019 18:25:04 +0200 Subject: [PATCH 4/5] Fix correct localized string --- DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 b/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 index 7eb9011ee..6a9817a60 100644 --- a/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 +++ b/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 @@ -2367,7 +2367,7 @@ function Test-Password if ($Credential) { Write-Verbose -Message ( - $script:localizedData.CheckingADUserPassword -f $Credential.UserName, $UserName + $script:localizedData.TestPasswordUsingImpersonation -f $Credential.UserName, $UserName ) $principalContext = New-Object -TypeName 'System.DirectoryServices.AccountManagement.PrincipalContext' -ArgumentList @( From 8115e9e42b4b6c848b843206e1af77da4b15b666 Mon Sep 17 00:00:00 2001 From: Johan Ljunggren Date: Sun, 28 Jul 2019 18:26:44 +0200 Subject: [PATCH 5/5] Update unit tests --- Tests/Unit/MSFT_ADUser.Tests.ps1 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Tests/Unit/MSFT_ADUser.Tests.ps1 b/Tests/Unit/MSFT_ADUser.Tests.ps1 index b01201840..3032ba6c2 100644 --- a/Tests/Unit/MSFT_ADUser.Tests.ps1 +++ b/Tests/Unit/MSFT_ADUser.Tests.ps1 @@ -113,10 +113,10 @@ try Assert-MockCalled -CommandName Get-ADUser -ParameterFilter { $Server -eq $testDomainController } -Scope It } - It "Calls 'Get-ADUser' with 'Credential' parameter when 'DomainAdministratorCredential' specified" { + It "Calls 'Get-ADUser' with 'Credential' parameter when 'Credential' specified" { Mock -CommandName Get-ADUser -ParameterFilter { $Credential -eq $testCredential } -MockWith { return [PSCustomObject] $fakeADUser } - Get-TargetResource @testPresentParams -DomainAdministratorCredential $testCredential + Get-TargetResource @testPresentParams -Credential $testCredential Assert-MockCalled -CommandName Get-ADUser -ParameterFilter { $Credential -eq $testCredential } -Scope It } @@ -599,15 +599,15 @@ try Assert-MockCalled -CommandName Set-ADAccountPassword -Scope It -Times 0 } - It "Calls 'Test-Password' with the correct parameters when 'DomainAdministratorCredential' is specified" { + It "Calls 'Test-Password' with the correct parameters when 'Credential' is specified" { Mock -CommandName Get-ADUser -MockWith { return $fakeADUser } Mock -CommandName Set-ADUser Mock -CommandName Set-ADAccountPassword -ParameterFilter { $NewPassword -eq $testCredential.Password } - Mock -CommandName Test-Password -ParameterFilter { $DomainAdministratorCredential -eq $testCredential } -MockWith { $true } + Mock -CommandName Test-Password -ParameterFilter { $Credential -eq $testCredential } -MockWith { $true } - Set-TargetResource @testPresentParams -Password $testCredential -DomainAdministratorCredential $testCredential + Set-TargetResource @testPresentParams -Password $testCredential -Credential $testCredential - Assert-MockCalled -CommandName Test-Password -ParameterFilter { $DomainAdministratorCredential -eq $testCredential } -Scope It -Exactly 1 + Assert-MockCalled -CommandName Test-Password -ParameterFilter { $Credential -eq $testCredential } -Scope It -Exactly 1 } It "Should call 'Set-ADUser' with 'Replace' when existing mismatched AD property is null" {