dsccommunity · johlju · Jul 30, 2019 · Jul 29, 2019 · Jul 29, 2019 · Jul 29, 2019
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,6 +41,10 @@
       [new helper functions for localization](https://github.com/PowerShell/DscResources/blob/master/StyleGuidelines.md#helper-functions-for-localization)
       ([issue #316](https://github.com/PowerShell/ActiveDirectoryDsc/issues/316),
       [issue #317](https://github.com/PowerShell/ActiveDirectoryDsc/issues/317)).
+    - Removed the alias `DomainAdministratorCredential` from the parameter
+      `Credential` in the function `Restore-ADCommonObject`
+    - Removed the alias `DomainAdministratorCredential` from the parameter
+      `Credential` in the function `Get-ADCommonParameters`
   - Updated all the examples files to be prefixed with the resource
     name so they are more easily discovered in PowerShell Gallery and
     Azure Automation ([issue #416](https://github.com/PowerShell/ActiveDirectoryDsc/issues/416)).
@@ -52,6 +56,9 @@
   - BREAKING CHANGE: The previously made obsolete parameter `Enabled` has
     been removed and is now a read-only property. See resource documentation
     how to enforce the `Enabled` property.
+  - BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential`
+    to `Credential` to better indicate that it is possible to impersonate
+    any credential with enough permission to perform the task ([issue #269](https://github.com/PowerShell/ActiveDirectoryDsc/issues/269)).
   - Fixed the GUID in Example 3-AddComputerAccountSpecificPath_Config
     ([issue #410](https://github.com/PowerShell/ActiveDirectoryDsc/issues/410)).
 - Changes to ADOrganizationalUnit
@@ -74,6 +81,9 @@
    distinguished name and parameter Credential is used ([issue #451](https://github.com/PowerShell/ActiveDirectoryDsc/issues/451)).
   - Added integration tests ([issue #359](https://github.com/PowerShell/ActiveDirectoryDsc/issues/359)).
 - Changes to ADDomain
+  - BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential`
+    to `Credential` to better indicate that it is possible to impersonate
+    any credential with enough permission to perform the task ([issue #269](https://github.com/PowerShell/ActiveDirectoryDsc/issues/269)).
   - Updated tests and replaced `Write-Error` with `throw`
     ([issue #332](https://github.com/PowerShell/ActiveDirectoryDsc/pull/332)).
   - Added comment-based help ([issue #335](https://github.com/PowerShell/ActiveDirectoryDsc/issues/335)).
@@ -86,6 +96,9 @@
   - Minor change to the unit tests that did not correct assert the localized
     string when an account is not found.
 - Changes to ADDomainTrust
+  - BREAKING CHANGE: Renamed the parameter `TargetDomainAdministratorCredential`
+    to `TargetCredential` to better indicate that it is possible to impersonate
+    any credential with enough permission to perform the task ([issue #269](https://github.com/PowerShell/ActiveDirectoryDsc/issues/269)).
   - Refactored the resource to enable unit tests, and at the same time changed
     it to use the same code pattern as the resource xADObjectEnabledState.
   - Added unit tests ([issue #324](https://github.com/PowerShell/ActiveDirectoryDsc/issues/324)).
@@ -94,6 +107,9 @@
 - Changes to WaitForADDomain
   - Added comment-based help ([issue #341](https://github.com/PowerShell/ActiveDirectoryDsc/issues/341))
 - Changes to ADDomainController
+  - BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential`
+    to `Credential` to better indicate that it is possible to impersonate
+    any credential with enough permission to perform the task ([issue #269](https://github.com/PowerShell/ActiveDirectoryDsc/issues/269)).
   - Add support for creating Read-Only Domain Controller (RODC)
     ([issue #40](https://github.com/PowerShell/ActiveDirectoryDsc/issues/40)).
     [Svilen @SSvilen](https://github.com/SSvilen)

diff --git a/DSCResources/MSFT_ADComputer/MSFT_ADComputer.psm1 b/DSCResources/MSFT_ADComputer/MSFT_ADComputer.psm1
@@ -81,7 +81,7 @@ $script:computerObjectPropertyMap = @(
 
         Used by Get-ADCommonParameters and is returned as a common parameter.
 
-    .PARAMETER DomainAdministratorCredential
+    .PARAMETER Credential
         Specifies the user account credentials to use to perform the task.
 
         Used by Get-ADCommonParameters and is returned as a common parameter.
@@ -114,7 +114,7 @@ function Get-TargetResource
         [ValidateNotNull()]
         [System.Management.Automation.PSCredential]
         [System.Management.Automation.CredentialAttribute()]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter()]
         [ValidateNotNull()]
@@ -134,25 +134,25 @@ function Get-TargetResource
         Computer account object.
     #>
     $getTargetResourceReturnValue = @{
-        Ensure                        = 'Absent'
-        ComputerName                  = $null
-        Location                      = $null
-        DnsHostName                   = $null
-        ServicePrincipalNames         = $null
-        UserPrincipalName             = $null
-        DisplayName                   = $null
-        Path                          = $null
-        Description                   = $null
-        Enabled                       = $false
-        Manager                       = $null
-        DomainController              = $DomainController
-        DomainAdministratorCredential = $DomainAdministratorCredential
-        RequestFile                   = $RequestFile
-        RestoreFromRecycleBin         = $RestoreFromRecycleBin
-        EnabledOnCreation             = $EnabledOnCreation
-        DistinguishedName             = $null
-        SID                           = $null
-        SamAccountName                = $null
+        Ensure                = 'Absent'
+        ComputerName          = $null
+        Location              = $null
+        DnsHostName           = $null
+        ServicePrincipalNames = $null
+        UserPrincipalName     = $null
+        DisplayName           = $null
+        Path                  = $null
+        Description           = $null
+        Enabled               = $false
+        Manager               = $null
+        DomainController      = $DomainController
+        Credential            = $Credential
+        RequestFile           = $RequestFile
+        RestoreFromRecycleBin = $RestoreFromRecycleBin
+        EnabledOnCreation     = $EnabledOnCreation
+        DistinguishedName     = $null
+        SID                   = $null
+        SamAccountName        = $null
     }
 
     $getADComputerResult = $null
@@ -200,7 +200,7 @@ function Get-TargetResource
         $getTargetResourceReturnValue['Enabled'] = $getADComputerResult.Enabled
         $getTargetResourceReturnValue['Manager'] = $getADComputerResult.ManagedBy
         $getTargetResourceReturnValue['DomainController'] = $DomainController
-        $getTargetResourceReturnValue['DomainAdministratorCredential'] = $DomainAdministratorCredential
+        $getTargetResourceReturnValue['Credential'] = $Credential
         $getTargetResourceReturnValue['RequestFile'] = $RequestFile
         $getTargetResourceReturnValue['RestoreFromRecycleBin'] = $RestoreFromRecycleBin
         $getTargetResourceReturnValue['EnabledOnCreation'] = $EnabledOnCreation
@@ -266,7 +266,7 @@ function Get-TargetResource
     .PARAMETER DomainController
         Specifies the Active Directory Domain Services instance to connect to perform the task.
 
-    .PARAMETER DomainAdministratorCredential
+    .PARAMETER Credential
         Specifies the user account credentials to use to perform the task.
 
     .PARAMETER RestoreFromRecycleBin
@@ -351,7 +351,7 @@ function Test-TargetResource
         [ValidateNotNull()]
         [System.Management.Automation.PSCredential]
         [System.Management.Automation.CredentialAttribute()]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter()]
         [ValidateNotNull()]
@@ -369,12 +369,12 @@ function Test-TargetResource
     )
 
     $getTargetResourceParameters = @{
-        ComputerName                  = $ComputerName
-        RequestFile                   = $RequestFile
-        DomainController              = $DomainController
-        DomainAdministratorCredential = $DomainAdministratorCredential
-        RestoreFromRecycleBin         = $RestoreFromRecycleBin
-        EnabledOnCreation             = $EnabledOnCreation
+        ComputerName          = $ComputerName
+        RequestFile           = $RequestFile
+        DomainController      = $DomainController
+        Credential            = $Credential
+        RestoreFromRecycleBin = $RestoreFromRecycleBin
+        EnabledOnCreation     = $EnabledOnCreation
     }
 
     # Need the @() around this to get a new array to enumerate.
@@ -512,7 +512,7 @@ function Test-TargetResource
     .PARAMETER DomainController
         Specifies the Active Directory Domain Services instance to connect to perform the task.
 
-    .PARAMETER DomainAdministratorCredential
+    .PARAMETER Credential
         Specifies the user account credentials to use to perform the task.
 
     .PARAMETER RestoreFromRecycleBin
@@ -595,7 +595,7 @@ function Set-TargetResource
         [ValidateNotNull()]
         [System.Management.Automation.PSCredential]
         [System.Management.Automation.CredentialAttribute()]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter()]
         [ValidateNotNull()]
@@ -609,12 +609,12 @@ function Set-TargetResource
     )
 
     $getTargetResourceParameters = @{
-        ComputerName                  = $ComputerName
-        RequestFile                   = $RequestFile
-        DomainController              = $DomainController
-        DomainAdministratorCredential = $DomainAdministratorCredential
-        RestoreFromRecycleBin         = $RestoreFromRecycleBin
-        EnabledOnCreation             = $EnabledOnCreation
+        ComputerName          = $ComputerName
+        RequestFile           = $RequestFile
+        DomainController      = $DomainController
+        Credential            = $Credential
+        RestoreFromRecycleBin = $RestoreFromRecycleBin
+        EnabledOnCreation     = $EnabledOnCreation
     }
 
     # Need the @() around this to get a new array to enumerate.

diff --git a/DSCResources/MSFT_ADComputer/MSFT_ADComputer.schema.mof b/DSCResources/MSFT_ADComputer/MSFT_ADComputer.schema.mof
@@ -11,7 +11,7 @@ class MSFT_ADComputer : OMI_BaseResource
     [Write, Description("Specifies a description of the computer account.")] String Description;
     [Write, Description("Specifies the user or group Distinguished Name that manages the computer account. Valid values are the user's or group's DistinguishedName, ObjectGUID, SID or SamAccountName.")] String Manager;
     [Write, Description("Specifies the Active Directory Domain Services instance to connect to perform the task.")] String DomainController;
-    [Write, Description("Specifies the user account credentials to use to perform the task."), EmbeddedInstance("MSFT_Credential")] String DomainAdministratorCredential;
+    [Write, Description("Specifies the user account credentials to use to perform the task."), EmbeddedInstance("MSFT_Credential")] String Credential;
     [Write, Description("Specifies the full path to the Offline Domain Join Request file to create.")] String RequestFile;
     [Write, Description("Specifies whether the computer account is present or absent. Default value is 'Present'."), ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure;
     [Write, Description("Try to restore the computer account from the recycle bin before creating a new one.")] Boolean RestoreFromRecycleBin;

diff --git a/DSCResources/MSFT_ADComputer/en-US/about_ADComputer.help.txt b/DSCResources/MSFT_ADComputer/en-US/about_ADComputer.help.txt
@@ -1,4 +1,4 @@
-.NAME
+.NAME
     ADComputer
 
 .DESCRIPTION
@@ -57,7 +57,7 @@
     Write - String
     Specifies the Active Directory Domain Services instance to connect to perform the task.
 
-.PARAMETER DomainAdministratorCredential
+.PARAMETER Credential
     Write - String
     Specifies the user account credentials to use to perform the task.
 
@@ -106,7 +106,7 @@ Configuration ADComputer_AddComputerAccount_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -116,12 +116,16 @@ Configuration ADComputer_AddComputerAccount_Config
         ADComputer 'CreateEnabled_SQL01'
         {
             ComputerName = 'SQL01'
+
+            PsDscRunAsCredential = $Credential
         }
 
         ADComputer 'CreateEnabled_SQL02'
         {
             ComputerName      = 'SQL02'
             EnabledOnCreation = $true
+
+            PsDscRunAsCredential = $Credential
         }
     }
 }
@@ -138,7 +142,7 @@ Configuration ADComputer_AddComputerAccountDisabled_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -149,6 +153,8 @@ Configuration ADComputer_AddComputerAccountDisabled_Config
         {
             ComputerName      = 'CLU_CNO01'
             EnabledOnCreation = $false
+
+            PsDscRunAsCredential = $Credential
         }
     }
 }
@@ -166,7 +172,7 @@ Configuration ADComputer_AddComputerAccountSpecificPath_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -175,10 +181,10 @@ Configuration ADComputer_AddComputerAccountSpecificPath_Config
     {
         ADComputer 'CreateComputerAccount'
         {
-            DomainController              = 'DC01'
-            ComputerName                  = 'SQL01'
-            Path                          = 'OU=Servers,DC=contoso,DC=com'
-            DomainAdministratorCredential = $DomainAdministratorCredential
+            DomainController = 'DC01'
+            ComputerName     = 'SQL01'
+            Path             = 'OU=Servers,DC=contoso,DC=com'
+            Credential       = $Credential
         }
     }
 }
@@ -197,7 +203,7 @@ Configuration ADComputer_AddComputerAccountAndCreateODJRequest_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -206,11 +212,11 @@ Configuration ADComputer_AddComputerAccountAndCreateODJRequest_Config
     {
         ADComputer 'CreateComputerAccount'
         {
-            DomainController              = 'DC01'
-            ComputerName                  = 'NANO-200'
-            Path                          = 'OU=Servers,DC=contoso,DC=com'
-            RequestFile                   = 'D:\ODJFiles\NANO-200.txt'
-            DomainAdministratorCredential = $DomainAdministratorCredential
+            DomainController = 'DC01'
+            ComputerName     = 'NANO-200'
+            Path             = 'OU=Servers,DC=contoso,DC=com'
+            RequestFile      = 'D:\ODJFiles\NANO-200.txt'
+            Credential       = $Credential
         }
     }
 }

diff --git a/DSCResources/MSFT_ADDomain/MSFT_ADDomain.psm1 b/DSCResources/MSFT_ADDomain/MSFT_ADDomain.psm1
@@ -53,8 +53,9 @@ function Get-TrackingFilename
     .PARAMETER DomainName
         The fully qualified domain name (FQDN) of the new domain.
 
-    .PARAMETER DomainAdministratorCredential
-        Credentials used to query for domain existence.
+    .PARAMETER Credential
+        Specifies the user name and password that corresponds to the account
+        used to install the domain controller.
 
     .PARAMETER SafemodeAdministratorPassword
         Password for the administrator account when the computer is started in Safe Mode.
@@ -95,7 +96,7 @@ function Get-TargetResource
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
@@ -164,8 +165,8 @@ function Get-TargetResource
             else
             {
                 Write-Verbose ($script:localizedData.QueryDomainWithCredential -f $domainFQDN)
-                $domain = Get-ADDomain -Identity $domainFQDN -Credential $DomainAdministratorCredential -ErrorAction Stop
-                $forest = Get-ADForest -Identity $domain.Forest -Credential $DomainAdministratorCredential -ErrorAction Stop
+                $domain = Get-ADDomain -Identity $domainFQDN -Credential $Credential -ErrorAction Stop
+                $forest = Get-ADForest -Identity $domain.Forest -Credential $Credential -ErrorAction Stop
             }
 
             <#
@@ -237,8 +238,9 @@ function Get-TargetResource
     .PARAMETER DomainName
         The fully qualified domain name (FQDN) of the new domain.
 
-    .PARAMETER DomainAdministratorCredential
-        Credentials used to query for domain existence.
+    .PARAMETER Credential
+        Specifies the user name and password that corresponds to the account
+        used to install the domain controller.
 
     .PARAMETER SafemodeAdministratorPassword
         Password for the administrator account when the computer is started in Safe Mode.
@@ -279,7 +281,7 @@ function Test-TargetResource
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
@@ -376,8 +378,9 @@ function Test-TargetResource
     .PARAMETER DomainName
         The fully qualified domain name (FQDN) of the new domain.
 
-    .PARAMETER DomainAdministratorCredential
-        Credentials used to query for domain existence.
+    .PARAMETER Credential
+        Specifies the user name and password that corresponds to the account
+        used to install the domain controller.
 
     .PARAMETER SafemodeAdministratorPassword
         Password for the administrator account when the computer is started in Safe Mode.
@@ -429,7 +432,7 @@ function Set-TargetResource
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
@@ -517,7 +520,7 @@ function Set-TargetResource
     if ($PSBoundParameters.ContainsKey('ParentDomainName'))
     {
         Write-Verbose -Message ($script:localizedData.CreatingChildDomain -f $DomainName, $ParentDomainName)
-        $installADDSParams['Credential'] = $DomainAdministratorCredential
+        $installADDSParams['Credential'] = $Credential
         $installADDSParams['NewDomainName'] = $DomainName
         $installADDSParams['ParentDomainName'] = $ParentDomainName
         $installADDSParams['DomainType'] = 'ChildDomain'