From 58b13ea3162fbfabd0c2f80cb10dfbcd13879bbf Mon Sep 17 00:00:00 2001
From: iainbrighton <iainbrighton@hotmail.com>
Date: Fri, 20 Nov 2015 22:49:36 +0000
Subject: [PATCH] Initial implementation of #44 that also fixes #11 Adds
 additional user property support and test coverage

---
 DSCResources/MSFT_xADUser/MSFT_xADUser.psm1   | 1033 ++++++++++++++---
 .../MSFT_xADUser/MSFT_xADUser.schema.mof      |   48 +-
 README.md                                     |   71 +-
 Tests/xADUser.Tests.ps1                       |  467 ++++++++
 4 files changed, 1461 insertions(+), 158 deletions(-)
 create mode 100644 Tests/xADUser.Tests.ps1

diff --git a/DSCResources/MSFT_xADUser/MSFT_xADUser.psm1 b/DSCResources/MSFT_xADUser/MSFT_xADUser.psm1
index 6a763c927..2f2b92278 100644
--- a/DSCResources/MSFT_xADUser/MSFT_xADUser.psm1
+++ b/DSCResources/MSFT_xADUser/MSFT_xADUser.psm1
@@ -1,229 +1,964 @@
-#
-# xADUser: DSC resource to create a new Active Directory user.
-#
+# Localized messages
+data LocalizedData
+{
+    # culture="en-US"
+    ConvertFrom-StringData @'
+        RoleNotFoundError              = Please ensure that the PowerShell module for role '{0}' is installed.
+        RetrievingADUserError          = Error looking up Active Directory user '{0}' ({0}@{1}).
+        PasswordParameterConflictError = Parameter '{0}' cannot be set to '{1}' when the '{2}' parameter is specified.
+        
+        RetrievingADUser               = Retrieving Active Directory user '{0}' ({0}@{1}) ...
+        CreatingADDomainConnection     = Creating connection to Active Directory domain '{0}' ...
+        CheckingADUserPassword         = Checking Active Directory user '{0}' password ...
+        ADUserIsPresent                = Active Directory user '{0}' ({0}@{1}) is present.
+        ADUserNotPresent               = Active Directory user '{0}' ({0}@{1}) was NOT present.
+        ADUserNotDesiredPropertyState  = User '{0}' property is NOT in the desired state. Expected '{1}', actual '{2}'.
+        
+        AddingADUser                   = Adding Active Directory user '{0}'.
+        RemovingADUser                 = Removing Active Directory user '{0}'.
+        UpdatingADUser                 = Updating Active Directory user '{0}'.
+        SettingADUserPassword          = Setting Active Directory user password.
+        UpdatingADUserProperty         = Updating user property '{0}' with/to '{1}'.
+        RemovingADUserProperty         = Removing user property '{0}' with '{1}'.
+        MovingADUser                   = Moving user from '{0}' to '{1}'.
+        RenamingADUser                 = Renaming user from '{0}' to '{1}'.
+'@
+}
+
+## Create a property map that maps the DSC resource parameters to the
+## Active Directory user attributes.
+$adPropertyMap = @(
+    @{ Parameter = 'CommonName'; ADProperty = 'cn'; }
+    @{ Parameter = 'UserPrincipalName'; }
+    @{ Parameter = 'DisplayName'; }
+    @{ Parameter = 'Path'; ADProperty = 'distinguishedName'; }
+    @{ Parameter = 'GivenName'; }
+    @{ Parameter = 'Initials'; }
+    @{ Parameter = 'Surname'; ADProperty = 'sn'; }
+    @{ Parameter = 'Description'; }
+    @{ Parameter = 'StreetAddress'; }
+    @{ Parameter = 'POBox'; }
+    @{ Parameter = 'City'; ADProperty = 'l'; }
+    @{ Parameter = 'State'; ADProperty = 'st'; }
+    @{ Parameter = 'PostalCode'; }
+    @{ Parameter = 'Country'; ADProperty = 'c'; }
+    @{ Parameter = 'Department'; }
+    @{ Parameter = 'Division'; }
+    @{ Parameter = 'Company'; }
+    @{ Parameter = 'Office'; ADProperty = 'physicalDeliveryOfficeName'; }
+    @{ Parameter = 'JobTitle'; ADProperty = 'title'; }
+    @{ Parameter = 'EmailAddress'; ADProperty = 'mail'; }
+    @{ Parameter = 'EmployeeID'; }
+    @{ Parameter = 'EmployeeNumber'; }
+    @{ Parameter = 'HomeDirectory'; }
+    @{ Parameter = 'HomeDrive'; }
+    @{ Parameter = 'HomePage'; ADProperty = 'wWWHomePage'; }
+    @{ Parameter = 'ProfilePath'; }
+    @{ Parameter = 'LogonScript'; ADProperty = 'scriptPath'; }
+    @{ Parameter = 'Notes'; ADProperty = 'info'; }
+    @{ Parameter = 'OfficePhone'; ADProperty = 'telephoneNumber'; }
+    @{ Parameter = 'MobilePhone'; ADProperty = 'mobile'; }
+    @{ Parameter = 'Fax'; ADProperty = 'facsimileTelephoneNumber'; }
+    @{ Parameter = 'Pager'; }
+    @{ Parameter = 'IPPhone'; }
+    @{ Parameter = 'HomePhone'; }
+    @{ Parameter = 'Enabled'; }
+    @{ Parameter = 'Manager'; }
+    @{ Parameter = 'PasswordNeverExpires'; UseCmdletParameter = $true; }
+    @{ Parameter = 'CannotChangePassword'; UseCmdletParameter = $true; }
+)
 
 function Get-TargetResource
 {
     [OutputType([System.Collections.Hashtable])]
     param
     (
+        ## Only used if password is managed.
         [Parameter(Mandatory)]
-        [string]$DomainName,
-
+        [System.String] $DomainName,
+        
+        # SamAccountName
         [Parameter(Mandatory)]
-        [string]$UserName,
+        [System.String] $UserName,
+        
+        [ValidateNotNull()]
+        [System.Management.Automation.PSCredential] $Password,
 
-        [Parameter(Mandatory)]
-        [PSCredential]$DomainAdministratorCredential,
+        [ValidateSet('Present', 'Absent')]
+        [System.String] $Ensure = 'Present',
+        
+        # Common name (CN)
+        [ValidateNotNull()]
+        [System.String] $CommonName = $UserName,
+
+        [ValidateNotNull()]
+        [System.String] $UserPrincipalName,
+        
+        [ValidateNotNull()]
+        [System.String] $DisplayName,
+        
+        [ValidateNotNull()]
+        [System.String] $Path,
+        
+        [ValidateNotNull()]
+        [System.String] $GivenName,
+        
+        [ValidateNotNull()]
+        [System.String] $Initials,
+        
+        [ValidateNotNull()]
+        [System.String] $Surname,
+        
+        [ValidateNotNull()]
+        [System.String] $Description,
+
+        [ValidateNotNull()]
+        [System.String] $StreetAddress,
+
+        [ValidateNotNull()]
+        [System.String] $POBox,
+
+        [ValidateNotNull()]
+        [System.String] $City,
+
+        [ValidateNotNull()]
+        [System.String] $State,
+
+        [ValidateNotNull()]
+        [System.String] $PostalCode,
+
+        [ValidateNotNull()]
+        [System.String] $Country,
+
+        [ValidateNotNull()]
+        [System.String] $Department,
+
+        [ValidateNotNull()]
+        [System.String] $Division,
+
+        [ValidateNotNull()]
+        [System.String] $Company,
+
+        [ValidateNotNull()]
+        [System.String] $Office,
+
+        [ValidateNotNull()]
+        [System.String] $JobTitle,
+
+        [ValidateNotNull()]
+        [System.String] $EmailAddress,
+        
+        [ValidateNotNull()]
+        [System.String] $EmployeeID,
+
+        [ValidateNotNull()]
+        [System.String] $EmployeeNumber,
+
+        [ValidateNotNull()]
+        [System.String] $HomeDirectory,
+
+        [ValidateNotNull()]
+        [System.String] $HomeDrive,
+
+        [ValidateNotNull()]
+        [System.String] $HomePage,
+        
+        [ValidateNotNull()]
+        [System.String] $ProfilePath,
+        
+        [ValidateNotNull()]
+        [System.String] $LogonScript,
+        
+        [ValidateNotNull()]
+        [System.String] $Notes,
+        
+        [ValidateNotNull()]
+        [System.String] $OfficePhone,
+        
+        [ValidateNotNull()]
+        [System.String] $MobilePhone,
+
+        [ValidateNotNull()]
+        [System.String] $Fax,
+
+        [ValidateNotNull()]
+        [System.String] $HomePhone,
+
+        [ValidateNotNull()]
+        [System.String] $Pager,
+
+        [ValidateNotNull()]
+        [System.String] $IPPhone,
+
+        ## User's manager specified as a Distinguished Name (DN)
+        [ValidateNotNull()]
+        [System.String] $Manager,
         
-        [PSCredential]$Password,
+        [ValidateNotNull()]
+        [System.Boolean] $Enabled = $true,
 
-        [ValidateSet("Present","Absent")]
-        [string]$Ensure = "Present"
+        [ValidateNotNull()]
+        [System.Boolean] $CannotChangePassword,
+        
+        [ValidateNotNull()]
+        [System.Boolean] $PasswordNeverExpires,
+        
+        [ValidateNotNull()]
+        [System.String] $DomainController,
+        
+        ## Ideally this should just be called 'Credential' but is here for backwards compatibility
+        [ValidateNotNull()]
+        [System.Management.Automation.PSCredential] $DomainAdministratorCredential
     )
+    
+    Assert-Module -ModuleName 'ActiveDirectory';
 
     try
     {
-        Write-Verbose -Message "Checking if the user '$($UserName)' in domain '$($DomainName)' is present ..."
-        $user = Get-AdUser -Identity $UserName -Credential $DomainAdministratorCredential
-        Write-Verbose -Message "Found '$($UserName)' in domain '$($DomainName)'."
-        $Ensure = "Present"
+        $adCommonParameters = Get-ADCommonParameters @PSBoundParameters;
+        
+        $adProperties = @();
+        ## Create an array of the AD propertie names to retrieve from the property map
+        foreach ($property in $adPropertyMap)
+        {
+            if ($property.ADProperty)
+            {
+                $adProperties += $property.ADProperty;
+            }
+            else 
+            {
+                $adProperties += $property.Parameter;
+            }
+        }
+
+        Write-Verbose -Message ($LocalizedData.RetrievingADUser -f $UserName, $DomainName);
+        $adUser = Get-ADUser @adCommonParameters -Properties $adProperties;
+        Write-Verbose -Message ($LocalizedData.ADUserIsPresent -f $UserName, $DomainName);
+        $Ensure = 'Present';
     }
     catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
     {
-        Write-Verbose -Message "User '$($UserName)' in domain '$($DomainName)' is NOT present."
-        $Ensure = "Absent"
+        Write-Verbose -Message ($LocalizedData.ADUserNotPresent -f $UserName, $DomainName);
+        $Ensure = 'Absent';
     }
     catch
     {
-        Write-Error -Message "Error looking up user '$($UserName)' in domain '$($DomainName)'."
-        throw $_
+        Write-Error -Message ($LocalizedData.RetrievingADUserError -f $UserName, $DomainName);
+        throw $_;
     }
 
-    @{
-        DomainName = $DomainName
-        UserName = $UserName
-        Ensure = $Ensure
+    $targetResource = @{
+        DomainName        = $DomainName;
+        Password          = $Password;
+        UserName          = $UserName;
+        DistinguishedName = $adUser.DistinguishedName; ## Read-only property
+        Ensure            = $Ensure;
+        DomainController  = $DomainController;
     }
-}
 
-function Set-TargetResource
-{
-    param
-    (
-        [Parameter(Mandatory)]
-        [string]$DomainName,
-
-        [Parameter(Mandatory)]
-        [string]$UserName,
-        
-        [Parameter(Mandatory)]
-        [PSCredential]$DomainAdministratorCredential,
-
-        [PSCredential]$Password,
-
-        [ValidateSet("Present","Absent")]
-        [string]$Ensure = "Present"
-    )
-    try
+    ## Retrieve each property from the ADPropertyMap and add to the hashtable
+    foreach ($property in $adPropertyMap)
     {
-        ValidateProperties @PSBoundParameters -Apply
-    }
-    catch
-    {
-        Write-Error -Message "Error configuring user '$($UserName)' in domain '$($DomainName)'."
-        throw $_
+        if ($property.Parameter -eq 'Path') {
+            ## The path returned is not the parent container
+            if (-not [System.String]::IsNullOrEmpty($adUser.DistinguishedName))
+            {
+                $targetResource['Path'] = Get-ADObjectParentDN -DN $adUser.DistinguishedName;
+            }
+        }
+        elseif ($property.ADProperty)
+        {
+            ## The AD property name is different to the function parameter to use this
+            $targetResource[$property.Parameter] = $adUser.($property.ADProperty);
+        }
+        else
+        {
+            ## The AD property name matches the function parameter
+            $targetResource[$property.Parameter] = $adUser.($property.Parameter);
+        }
     }
-}
+    return $targetResource;
+
+} #end function Get-TargetResource
 
 function Test-TargetResource
 {
     [OutputType([System.Boolean])]
     param
     (
+        ## Only used if password is managed.
         [Parameter(Mandatory)]
-        [string]$DomainName,
-
-        [Parameter(Mandatory)]
-        [string]$UserName,
+        [System.String] $DomainName,
         
+        # SamAccountName
         [Parameter(Mandatory)]
-        [PSCredential]$DomainAdministratorCredential,
+        [System.String] $UserName,
+        
+        [ValidateNotNull()]
+        [System.Management.Automation.PSCredential] $Password,
+
+        [ValidateSet('Present', 'Absent')]
+        [System.String] $Ensure = 'Present',
+        
+        # Common name (CN)
+        [ValidateNotNull()]
+        [System.String] $CommonName = $UserName,
+        
+        [ValidateNotNull()]
+        [System.String] $UserPrincipalName,
+        
+        [ValidateNotNull()]
+        [System.String] $DisplayName,
+        
+        [ValidateNotNull()]
+        [System.String] $Path,
+        
+        [ValidateNotNull()]
+        [System.String] $GivenName,
+        
+        [ValidateNotNull()]
+        [System.String] $Initials,
+        
+        [ValidateNotNull()]
+        [System.String] $Surname,
+        
+        [ValidateNotNull()]
+        [System.String] $Description,
+
+        [ValidateNotNull()]
+        [System.String] $StreetAddress,
+
+        [ValidateNotNull()]
+        [System.String] $POBox,
+
+        [ValidateNotNull()]
+        [System.String] $City,
+
+        [ValidateNotNull()]
+        [System.String] $State,
+
+        [ValidateNotNull()]
+        [System.String] $PostalCode,
+
+        [ValidateNotNull()]
+        [System.String] $Country,
+
+        [ValidateNotNull()]
+        [System.String] $Department,
+
+        [ValidateNotNull()]
+        [System.String] $Division,
+
+        [ValidateNotNull()]
+        [System.String] $Company,
+
+        [ValidateNotNull()]
+        [System.String] $Office,
+
+        [ValidateNotNull()]
+        [System.String] $JobTitle,
+
+        [ValidateNotNull()]
+        [System.String] $EmailAddress,
+        
+        [ValidateNotNull()]
+        [System.String] $EmployeeID,
+
+        [ValidateNotNull()]
+        [System.String] $EmployeeNumber,
+
+        [ValidateNotNull()]
+        [System.String] $HomeDirectory,
+
+        [ValidateNotNull()]
+        [System.String] $HomeDrive,
+
+        [ValidateNotNull()]
+        [System.String] $HomePage,
+        
+        [ValidateNotNull()]
+        [System.String] $ProfilePath,
+        
+        [ValidateNotNull()]
+        [System.String] $LogonScript,
+        
+        [ValidateNotNull()]
+        [System.String] $Notes,
+        
+        [ValidateNotNull()]
+        [System.String] $OfficePhone,
+        
+        [ValidateNotNull()]
+        [System.String] $MobilePhone,
+
+        [ValidateNotNull()]
+        [System.String] $Fax,
 
-        [PSCredential]$Password,
+        [ValidateNotNull()]
+        [System.String] $HomePhone,
 
-        [ValidateSet("Present","Absent")]
-        [string]$Ensure = "Present"
+        [ValidateNotNull()]
+        [System.String] $Pager,
+
+        [ValidateNotNull()]
+        [System.String] $IPPhone,
+
+        ## User's manager specified as a Distinguished Name (DN)
+        [ValidateNotNull()]
+        [System.String] $Manager,
+        
+        [ValidateNotNull()]
+        [System.Boolean] $Enabled = $true,
+
+        [ValidateNotNull()]
+        [System.Boolean] $CannotChangePassword,
+        
+        [ValidateNotNull()]
+        [System.Boolean] $PasswordNeverExpires,
+        
+        [ValidateNotNull()]
+        [System.String] $DomainController,
+        
+        [ValidateNotNull()]
+        [System.Management.Automation.PSCredential] $DomainAdministratorCredential
     )
 
-    try
+    Validate-Parameters @PSBoundParameters;
+    $targetResource = Get-TargetResource @PSBoundParameters;
+    $isCompliant = $true;
+
+    if ($Ensure -eq 'Absent')
     {
-        $parameters = $PSBoundParameters.Remove("Debug");
-        ValidateProperties @PSBoundParameters
+        if ($targetResource.Ensure -eq 'Present')
+        {
+            Write-Verbose -Message ($LocalizedData.ADUserNotDesiredPropertyState -f 'Ensure', $PSBoundParameters.Ensure, $targetResource.Ensure);
+            $isCompliant = $false;
+        }
     }
-    catch
+    else
     {
-        Write-Error -Message "Error testing user '$($UserName)' in domain '$($DomainName)'."
-        throw $_
+        ## Add common name, ensure and enabled as they may not be explicitly passed and we want to enumerate them
+        $PSBoundParameters['Name'] = $Name;
+        $PSBoundParameters['Ensure'] = $Ensure;
+        $PSBoundParameters['Enabled'] = $Enabled;
+    
+        foreach ($parameter in $PSBoundParameters.Keys)
+        {
+            if ($parameter -eq 'Password')
+            {
+                $testPasswordParams = @{
+                    Username = $UserName;
+                    Password = $Password;
+                    DomainName = $DomainName;
+                }
+                if ($DomainAdministratorCredential)
+                {
+                    $testPasswordParams['DomainAdministratorCredential'] = $DomainAdministratorCredential;
+                }
+                if (-not (Test-Password @testPasswordParams))
+                {
+                    Write-Verbose -Message ($LocalizedData.ADUserNotDesiredPropertyState -f 'Password', '<Password>', '<Password>');
+                    $isCompliant = $false;
+                }
+            }
+            # Only check properties that are returned by Get-TargetResource
+            elseif ($targetResource.ContainsKey($parameter))
+            {
+                ## This check is required to be able to explicitly remove values with an empty string, if required
+                if (([System.String]::IsNullOrEmpty($PSBoundParameters.$parameter)) -and ([System.String]::IsNullOrEmpty($targetResource.$parameter)))
+                {
+                    # Both values are null/empty and therefore we are compliant
+                }
+                elseif ($PSBoundParameters.$parameter -ne $targetResource.$parameter)
+                {
+                    Write-Verbose -Message ($LocalizedData.ADUserNotDesiredPropertyState -f $parameter, $PSBoundParameters.$parameter, $targetResource.$parameter);
+                    $isCompliant = $false;
+                }
+            }
+        } #end foreach PSBoundParameter
     }
-}
 
-function ValidateProperties
+    return $isCompliant;
+
+} #end function Test-TargetResource
+
+function Set-TargetResource
 {
     param
     (
+        ## Only used if password is managed.
         [Parameter(Mandatory)]
-        [string]$DomainName,
-
+        [System.String] $DomainName,
+        
+        # SamAccountName
         [Parameter(Mandatory)]
-        [string]$UserName,
+        [System.String] $UserName,
+        
+        [ValidateNotNull()]
+        [System.Management.Automation.PSCredential] $Password,
 
-        [Parameter(Mandatory)]
-        [PSCredential]$DomainAdministratorCredential,
+        [ValidateSet('Present', 'Absent')]
+        [System.String] $Ensure = 'Present',
+        
+        [ValidateNotNull()]
+        [System.String] $CommonName = $UserName,
+
+        [ValidateNotNull()]
+        [System.String] $UserPrincipalName,
+        
+        [ValidateNotNull()]
+        [System.String] $DisplayName,
+        
+        [ValidateNotNull()]
+        [System.String] $Path,
+        
+        [ValidateNotNull()]
+        [System.String] $GivenName,
+        
+        [ValidateNotNull()]
+        [System.String] $Initials,
+        
+        [ValidateNotNull()]
+        [System.String] $Surname,
+        
+        [ValidateNotNull()]
+        [System.String] $Description,
 
-        [PSCredential]$Password,
+        [ValidateNotNull()]
+        [System.String] $StreetAddress,
 
-        [ValidateSet("Present","Absent")]
-        [string]$Ensure = "Present",
+        [ValidateNotNull()]
+        [System.String] $POBox,
 
-        [Switch]$Apply
-    )
+        [ValidateNotNull()]
+        [System.String] $City,
 
-    $result = $true
-    try
-    {
-        Write-Verbose -Message "Checking if the user '$($UserName)' in domain '$($DomainName)' is present ..."
-        $user = Get-AdUser -Identity $UserName -Credential $DomainAdministratorCredential
-        Write-Verbose -Message "Found '$($UserName)' in domain '$($DomainName)'."
+        [ValidateNotNull()]
+        [System.String] $State,
+
+        [ValidateNotNull()]
+        [System.String] $PostalCode,
+
+        [ValidateNotNull()]
+        [System.String] $Country,
+
+        [ValidateNotNull()]
+        [System.String] $Department,
+
+        [ValidateNotNull()]
+        [System.String] $Division,
+
+        [ValidateNotNull()]
+        [System.String] $Company,
+
+        [ValidateNotNull()]
+        [System.String] $Office,
+
+        [ValidateNotNull()]
+        [System.String] $JobTitle,
+
+        [ValidateNotNull()]
+        [System.String] $EmailAddress,
         
-        if ($Ensure -eq "Absent")
-        {
-            if ($Apply)
-            {
-                Remove-ADUser -Identity $UserName -Credential $DomainAdministratorCredential -Confirm:$false
-                return
-            }
-            else
-            {
-                return $false
-            }
-        }
+        [ValidateNotNull()]
+        [System.String] $EmployeeID,
+
+        [ValidateNotNull()]
+        [System.String] $EmployeeNumber,
+
+        [ValidateNotNull()]
+        [System.String] $HomeDirectory,
+
+        [ValidateNotNull()]
+        [System.String] $HomeDrive,
+
+        [ValidateNotNull()]
+        [System.String] $HomePage,
         
-        if ($Apply)
-        {
-            # We need to enable the account for password validation.
-            if (!($user.Enabled))
-            {
-                Set-AdUser -Identity $UserName -Enabled $true -Credential $DomainAdministratorCredential
-                Write-Verbose -Message "Enabled user account '$($UserName)' in domain '$($DomainName)'."
-            }
-        }
+        [ValidateNotNull()]
+        [System.String] $ProfilePath,
         
-        if ($Password)
-        {
-            Write-Verbose -Message "Checking if the password specified for user '$($UserName)' is valid ..."
-            Add-Type -AssemblyName "System.DirectoryServices.AccountManagement"
-            
-            Write-Verbose -Message "Creating connection to the domain '$($DomainName)' ..."
-            $prnContext = new-object System.DirectoryServices.AccountManagement.PrincipalContext(
-                            "Domain", $DomainName, $DomainAdministratorCredential.UserName, `
-                            $DomainAdministratorCredential.GetNetworkCredential().Password)
+        [ValidateNotNull()]
+        [System.String] $LogonScript,
+        
+        [ValidateNotNull()]
+        [System.String] $Notes,
+        
+        [ValidateNotNull()]
+        [System.String] $OfficePhone,
+        
+        [ValidateNotNull()]
+        [System.String] $MobilePhone,
+
+        [ValidateNotNull()]
+        [System.String] $Fax,
+
+        [ValidateNotNull()]
+        [System.String] $HomePhone,
+
+        [ValidateNotNull()]
+        [System.String] $Pager,
+
+        [ValidateNotNull()]
+        [System.String] $IPPhone,
+
+        ## User's manager specified as a Distinguished Name (DN)
+        [ValidateNotNull()]
+        [System.String] $Manager,
+        
+        [ValidateNotNull()]
+        [System.Boolean] $Enabled = $true,
+        
+        [ValidateNotNull()]
+        [System.Boolean] $CannotChangePassword,
+        
+        [ValidateNotNull()]
+        [System.Boolean] $PasswordNeverExpires,
+        
+        [ValidateNotNull()]
+        [System.String] $DomainController,
+        
+        [ValidateNotNull()]
+        [System.Management.Automation.PSCredential] $DomainAdministratorCredential
+    )
+
+    Validate-Parameters @PSBoundParameters;
+    $targetResource = Get-TargetResource @PSBoundParameters;
+
+    ## Add common name, ensure and enabled as they may not be explicitly passed
+    $PSBoundParameters['Name'] = $Name;
+    $PSBoundParameters['Ensure'] = $Ensure;
+    $PSBoundParameters['Enabled'] = $Enabled;
 
-            $result = $prnContext.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password)
-            if($result)
+    if ($Ensure -eq 'Present')
+    {
+        if ($targetResource.Ensure -eq 'Absent') {
+            ## User does not exist and needs creating
+            $newADUserParams = Get-ADCommonParameters @PSBoundParameters -UseNameParameter;
+            if ($PSBoundParameters.ContainsKey('Path'))
             {
-                Write-Verbose -Message "The password for user '$($UserName)' is valid."
-                return $true
+                $newADUserParams['Path'] = $Path;
             }
-            else
+            Write-Verbose -Message ($LocalizedData.AddingADUser -f $UserName);
+            New-ADUser @newADUserParams -SamAccountName $UserName;
+            ## Now retrieve the newly created user
+            $targetResource = Get-TargetResource @PSBoundParameters;
+        }
+
+        $setADUserParams = Get-ADCommonParameters @PSBoundParameters;
+        $replaceUserProperties = @{};
+        $removeUserProperties = @{};
+        foreach ($parameter in $PSBoundParameters.Keys)
+        {
+            ## Only check/action properties specified/declared parameters that match one of the function's
+            ## parameters. This will ignore common parameters such as -Verbose etc.
+            if ($targetResource.ContainsKey($parameter))
             {
-                Write-Verbose -Message "The password for user '$($UserName)' is NOT valid."
-                if ($Apply)
+                if ($parameter -eq 'Path' -and ($PSBoundParameters.Path -ne $targetResource.Path))
                 {
-                    Set-AdAccountPassword -Reset -Identity $UserName -NewPassword $Password.Password -Credential $DomainAdministratorCredential
-                    Write-Verbose -Message "Successfully reset password for user '$($UserName)'."
+                    ## Cannot move users by updating the DistinguishedName property
+                    $adCommonParameters = Get-ADCommonParameters @PSBoundParameters;
+                    ## Using the SamAccountName for identity with Move-ADObject does not work, use the DN instead
+                    $adCommonParameters['Identity'] = $targetResource.DistinguishedName;
+                    Write-Verbose -Message ($LocalizedData.MovingADUser -f $targetResource.Path, $PSBoundParameters.Path);
+                    Move-ADObject @adCommonParameters -TargetPath $PSBoundParameters.Path;
                 }
-                else
+                elseif ($parameter -eq 'CommonName' -and ($PSBoundParameters.CommonName -ne $targetResource.CommonName))
                 {
-                    return $false
+                    ## Cannot rename users by updating the CN property directly
+                    $adCommonParameters = Get-ADCommonParameters @PSBoundParameters;
+                    ## Using the SamAccountName for identity with Rename-ADObject does not work, use the DN instead
+                    $adCommonParameters['Identity'] = $targetResource.DistinguishedName;
+                    Write-Verbose -Message ($LocalizedData.RenamingADUser -f $targetResource.CommonName, $PSBoundParameters.CommonName);
+                    Rename-ADObject @adCommonParameters -NewName $PSBoundParameters.CommonName;
                 }
-            }
+                elseif ($parameter -eq 'Password')
+                {
+                    $adCommonParameters = Get-ADCommonParameters @PSBoundParameters;
+                    Write-Verbose -Message ($LocalizedData.SettingADUserPassword -f $UserName);
+                    Set-ADAccountPassword @adCommonParameters -Reset -NewPassword $Password.Password;
+                }
+                elseif ($parameter -eq 'Enabled' -and ($PSBoundParameters.$parameter -ne $targetResource.$parameter))
+                {
+                    ## We cannot enable/disable an account with -Add or -Replace parameters, but inform that
+                    ## we will change this as it is out of compliance (it always gets set anyway)
+                    Write-Verbose -Message ($LocalizedData.UpdatingADUserProperty -f $parameter, $PSBoundParameters.$parameter);
+                }
+                elseif ($PSBoundParameters.$parameter -ne $targetResource.$parameter)
+                {
+                    ## Find the associated AD property
+                    $adProperty = $adPropertyMap | Where-Object { $_.Parameter -eq $parameter };
+
+                    ## Are we removing properties
+                    if ([System.String]::IsNullOrEmpty($PSBoundParameters.$parameter))
+                    {
+                        ## Only remove if the existing value in not null or empty
+                        if (-not ([System.String]::IsNullOrEmpty($targetResource.$parameter)))
+                        {
+                            Write-Verbose -Message ($LocalizedData.RemovingADUserProperty -f $parameter, $PSBoundParameters.$parameter);
+                            if ($adProperty.UseCmdletParameter -eq $true)
+                            {
+                                ## We need to pass the parameter explicitly to Set-ADUser, not via -Remove
+                                $setADUserParams[$adProperty.Parameter] = $PSBoundParameters.$parameter;
+                            }
+                            elseif ([System.String]::IsNullOrEmpty($adProperty.ADProperty))
+                            {
+                                $removeUserProperties[$adProperty.Parameter] = $targetResource.$parameter;
+                            }
+                            else
+                            {
+                                $removeUserProperties[$adProperty.ADProperty] = $targetResource.$parameter;
+                            }
+                        }
+                    } #end if remove existing value
+                    else
+                    {
+                        ## We are replacing the existing value
+                        Write-Verbose -Message ($LocalizedData.UpdatingADUserProperty -f $parameter, $PSBoundParameters.$parameter);
+                        if ($adProperty.UseCmdletParameter -eq $true)
+                        {
+                            ## We need to pass the parameter explicitly to Set-ADUser, not via -Replace
+                            $setADUserParams[$adProperty.Parameter] = $PSBoundParameters.$parameter;
+                        }
+                        elseif ([System.String]::IsNullOrEmpty($adProperty.ADProperty))
+                        {
+                            $replaceUserProperties[$adProperty.Parameter] = $PSBoundParameters.$parameter;
+                        }
+                        else
+                        {
+                            $replaceUserProperties[$adProperty.ADProperty] = $PSBoundParameters.$parameter;
+                        }
+                    } #end if replace existing value
+                }
+            
+            } #end if TargetResource parameter
+        } #end foreach PSBoundParameter
+        
+        ## Only pass -Remove and/or -Replace if we have something to set/change
+        if ($replaceUserProperties.Count -gt 0)
+        {        
+            $setADUserParams['Replace'] = $replaceUserProperties;
         }
-        else
-        {
-            Write-Verbose -Message "Found user '$($UserName)' in domain '$($DomainName)'."
-            return $true
+        if ($removeUserProperties.Count -gt 0)
+        {        
+            $setADUserParams['Remove'] = $removeUserProperties;
         }
+
+        Write-Verbose -Message ($LocalizedData.UpdatingADUser -f $UserName);
+        Set-ADUser @setADUserParams -Enabled $Enabled;
     }
-    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
+    elseif (($Ensure -eq 'Absent') -and ($targetResource.Ensure -eq 'Present'))
     {
-        Write-Verbose -Message "User '$($UserName)' in domain '$($DomainName)' is NOT present."
-        if ($Apply)
+        ## User exists and needs removing
+        Write-Verbose ($LocalizedData.RemovingADUser -f $UserName);
+        $adCommonParameters = Get-ADCommonParameters @PSBoundParameters;
+        Remove-ADUser @adCommonParameters -Confirm:$false;
+    }
+
+} #end function Set-TargetResource
+
+# Internal function to validate unsupported options/configurations
+function Validate-Parameters
+{
+    [CmdletBinding()]
+    param
+    (
+        [ValidateNotNull()]
+        [System.Management.Automation.PSCredential] $Password,
+
+        [ValidateNotNull()]
+        [System.Boolean] $Enabled = $true,
+
+        [Parameter(ValueFromRemainingArguments)]
+        $IgnoredArguments
+    )
+    
+    ## We cannot test/set passwords on disabled AD accounts
+    if (($PSBoundParameters.ContainsKey('Password')) -and ($Enabled -eq $false))
+    {
+        $throwInvalidArgumentErrorParams = @{
+            ErrorId = 'xADUser_DisabledAccountPasswordConflict';
+            ErrorMessage = $LocalizedData.PasswordParameterConflictError -f 'Enabled', $false, 'Password';
+        }
+        ThrowInvalidArgumentError @throwInvalidArgumentErrorParams;
+    }
+
+} #end function Validate-Parameters
+
+# Internal function to test the validity of a user's password.
+function Test-Password
+{
+    [CmdletBinding()]
+    param
+    (
+        [Parameter(Mandatory)]
+        [System.String] $DomainName,
+
+        [Parameter(Mandatory)]
+        [System.String] $UserName,
+    
+        [Parameter(Mandatory)]
+        [System.Management.Automation.PSCredential] $Password,
+        
+        [ValidateNotNull()]
+        [System.Management.Automation.PSCredential] $DomainAdministratorCredential
+    )
+
+    Write-Verbose -Message ($LocalizedData.CreatingADDomainConnection -f $DomainName);
+    Add-Type -AssemblyName 'System.DirectoryServices.AccountManagement';
+            
+    if ($DomainAdministratorCredential)
+    {
+        $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
+                                'Domain', $DomainName, $DomainAdministratorCredential.UserName, `
+                                    $DomainAdministratorCredential.GetNetworkCredential().Password);
+    }
+    else
+    {
+        $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $DomainName, $null, $null);
+    }
+    Write-Verbose -Message ($LocalizedData.CheckingADUserPassword -f $UserName);
+    return $principalContext.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password);
+
+} #end function Test-Password
+
+# Internal function to build common parameters for the Active Directory cmdlets
+function Get-ADCommonParameters
+{
+    [CmdletBinding()]
+    [OutputType([System.Collections.Hashtable])]
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.String]
+        $UserName,
+
+        [ValidateNotNullOrEmpty()]
+        [System.String]
+        $CommonName,
+
+        [ValidateNotNullOrEmpty()]
+        [System.Management.Automation.PSCredential]
+        $DomainAdministratorCredential,
+
+        [ValidateNotNullOrEmpty()]
+        [System.String]
+        $DomainController,
+
+        [Parameter(ValueFromRemainingArguments)]
+        $IgnoredArguments,
+
+        [System.Management.Automation.SwitchParameter]
+        $UseNameParameter
+    )
+    
+    ## The Get-ADUser, Set-ADUser and Remove-ADUser cmdlets take an -Identity parameter, but the New-ADUser cmdlet uses the -Name parameter
+    if ($UseNameParameter)
+    {
+        if ($PSBoundParameters.ContainsKey('CommonName'))
         {
-            if ($Ensure -ne "Absent")
-            {
-                $params = @{
-                    Name = $UserName
-                    Credential = $DomainAdministratorCredential
-                    Enabled = $true
-                    UserPrincipalName = "$UserName@$DomainName"
-                    PasswordNeverExpires = $true
-                }
-                if ($Password)
-                {
-                    $params.Add( "AccountPassword", $Password.Password )
-                }
-                New-AdUser @params
-                Write-Verbose -Message "Successfully created user account '$($UserName)' in domain '$($DomainName)'."
-            }
+            $adUserParameters = @{ Name = $CommonName; }
         }
         else
         {
-            return ($Ensure -eq "Absent")
+            $adUserParameters = @{ Name = $UserName; }
         }
     }
+    else
+    {
+        $adUserParameters = @{ Identity = $UserName; }
+    }
+
+    if ($DomainAdministratorCredential)
+    {
+        $adUserParameters['Credential'] = $DomainAdministratorCredential;
+    }
+    if ($DomainController)
+    {
+        $adUserParameters['Server'] = $DomainController;
+    }
+    return $adUserParameters;
+
+} #end function Get-ADCommonParameters
+
+# Internal function to assert if the role specific module is installed or not
+function Assert-Module
+{
+    [CmdletBinding()]
+    param
+    (
+        [System.String] $ModuleName = 'ActiveDirectory'
+    )
+
+    if (-not (Get-Module -Name $ModuleName -ListAvailable))
+    {
+        $errorId = 'xADUser_ModuleNotFound';
+        $errorMessage = $LocalizedData.RoleNotFoundError -f $moduleName;
+        ThrowInvalidOperationError -ErrorId $errorId -ErrorMessage $errorMessage;
+    }
+} #end function Assert-Module
+
+# Internal function to get an Active Directory object's parent Distinguished Name
+function Get-ADObjectParentDN
+{
+    # https://www.uvm.edu/~gcd/2012/07/listing-parent-of-ad-object-in-powershell/
+    [CmdletBinding()]
+    param
+    (
+        [Parameter(Mandatory)]
+        [System.String]
+        $DN
+    )
+
+    $distinguishedNameParts = $DN -split '(?<![\\]),';
+    $distinguishedNameParts[1..$($distinguishedNameParts.Count-1)] -join ',';
+
+} #end function Get-ADObjectParentDN
+
+function ThrowInvalidOperationError
+{
+    [CmdletBinding()]
+    param
+    (
+        [Parameter(Mandatory)]
+        [ValidateNotNullOrEmpty()]
+        [System.String]
+        $ErrorId,
+
+        [Parameter(Mandatory)]
+        [ValidateNotNullOrEmpty()]
+        [System.String]
+        $ErrorMessage
+    )
+
+    $exception = New-Object -TypeName System.InvalidOperationException -ArgumentList $ErrorMessage;
+    $errorCategory = [System.Management.Automation.ErrorCategory]::InvalidOperation;
+    $errorRecord = New-Object -TypeName System.Management.Automation.ErrorRecord -ArgumentList $exception, $ErrorId, $errorCategory, $null;
+    throw $errorRecord;
 }
 
+function ThrowInvalidArgumentError
+{
+    [CmdletBinding()]
+    param
+    (
+        [Parameter(Mandatory)]
+        [ValidateNotNullOrEmpty()]
+        [System.String]
+        $ErrorId,
 
-Export-ModuleMember -Function *-TargetResource
+        [Parameter(Mandatory)]
+        [ValidateNotNullOrEmpty()]
+        [System.String]
+        $ErrorMessage
+    )
+
+    $exception = New-Object -TypeName System.ArgumentException -ArgumentList $ErrorMessage;
+    $errorCategory = [System.Management.Automation.ErrorCategory]::InvalidArgument;
+    $errorRecord = New-Object -TypeName System.Management.Automation.ErrorRecord -ArgumentList $exception, $ErrorId, $errorCategory, $null;
+    throw $errorRecord;
 
+} #end function ThrowInvalidArgumentError
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/DSCResources/MSFT_xADUser/MSFT_xADUser.schema.mof b/DSCResources/MSFT_xADUser/MSFT_xADUser.schema.mof
index b69cf9efe..17d156483 100644
--- a/DSCResources/MSFT_xADUser/MSFT_xADUser.schema.mof
+++ b/DSCResources/MSFT_xADUser/MSFT_xADUser.schema.mof
@@ -1,9 +1,47 @@
 [ClassVersion("1.0.1.0"), FriendlyName("xADUser")] 
 class MSFT_xADUser : OMI_BaseResource
 {
-    [Key] string DomainName;
-    [Key] string UserName;
-    [write,ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] string Ensure;
-    [write,EmbeddedInstance("MSFT_Credential")] string Password;
-    [required,EmbeddedInstance("MSFT_Credential")] string DomainAdministratorCredential;
+    [Key] String DomainName;
+    [Key] String UserName;
+    [Write, EmbeddedInstance("MSFT_Credential")] String Password;
+    [Write, ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure;
+    [Write] String CommonName;
+    [Write] String UserPrincipalName;
+    [Write] String DisplayName;
+    [Write] String Path;
+    [Write] String GivenName;
+    [Write] String Initials;
+    [Write] String Surname;
+    [Write] String Description;
+    [Write] String StreetAddress;
+    [Write] String POBox;
+    [Write] String City;
+    [Write] String State;
+    [Write] String PostalCode;
+    [Write] String Country;
+    [Write] String Department;
+    [Write] String Division;
+    [Write] String Company;
+    [Write] String Office;
+    [Write] String JobTitle;
+    [Write] String EmailAddress;
+    [Write] String EmployeeID;
+    [Write] String EmployeeNumber;
+    [Write] String HomeDirectory;
+    [Write] String HomeDrive;
+    [Write] String HomePage;
+    [Write] String ProfilePath;
+    [Write] String LogonScript;
+    [Write] String Notes;
+    [Write] String OfficePhone;
+    [Write] String MobilePhone;
+    [Write] String Fax;
+    [Write] String HomePhone;
+    [Write] String Manager;
+    [Write] Boolean Enabled;
+    [Write] Boolean CannotChangePassword;
+    [Write] Boolean PasswordNeverExpires;
+    [Write] String DomainController;
+    [Write, EmbeddedInstance("MSFT_Credential")] String DomainAdministratorCredential;
+    [Read, Description("")] String DistinguishedName;
 };
diff --git a/README.md b/README.md
index a6aca6a52..921e9b9ff 100644
--- a/README.md
+++ b/README.md
@@ -41,11 +41,69 @@ Note: These are not used during domain creation.
 
 ### xADUser
 
-* **Ensure**: Specifies whether the given user is present or absent.
 * **DomainName**: Name of the domain to which the user will be added.
-* **UserName**: Name of the user.
-* **Password**: Password value for the account.
-* **DomainAdministratorCredential**: User account credentials used to perform the task.
+ * The Active Directory domain's fully-qualified domain name must be specified, i.e. contoso.com.
+ * This parameter is used to query and set the user's account password.
+* **UserName**: Specifies the Security Account Manager (SAM) account name of the user.
+ * To be compatible with older operating systems, create a SAM account name that is 20 characters or less.
+ * Once created, the user's SamAccountName and CN cannot be changed.
+* **Password**: Password value for the user account.
+ * _If the account is enabled (default behaviour) you must specifiy a password._
+ * _You must ensure that the password meets the domain's complexity requirements._
+* **Ensure**: Specifies whether the given user is present or absent (optional).
+ * If not specified, this value defaults to Present.
+* **DomainController**: Specifies the Active Directory Domain Services instance to connect to (optional).
+ * This is only required if not executing the task on a domain controller. 
+* **DomainAdministratorCredential**: User account credentials used to perform the task (optional).
+ * This is only required if not executing the task on a domain controller or using the -DomainController parameter.
+* **CommonName**: Specifies the user's CN of the user account (optional).
+ * If not specified, this defaults to the ___UserName___ value.
+* **UserPrincipalName**: Each user account has a user principal name (UPN) in the format [user]@[DNS-domain-name] (optional).
+* **DisplayName**: Specifies the display name of the user object (optional).
+* **Path**: (optional).
+* **GivenName**: Specifies the user's first or given name (optional).
+* **Initials**: Specifies the initials that represent part of a user's name (optional).
+* **Surname**: Specifies the user's last name or surname (optional).
+* **Description**: Specifies a description of the user object (optional).
+* **StreetAddress**: Specifies the user's street address (optional).
+* **POBox**: Specifies the user's post office box number (optional).
+* **City**: Specifies the user's town or city (optional).
+* **State**: Specifies the user's state or province (optional).
+* **PostalCode**: Specifies the user's postal code or zip code (optional).
+* **Country**: Specifies the country or region code for the user's language of choice (optional).
+ * This should be specified as the country's two character ISO-3166 code.
+* **Department**: Specifies the user's department (optional).
+* **Division**: Specifies the user's division (optional).
+* **Company**: Specifies the user's company (optional).
+* **Office**: Specifies the location of the user's office or place of business (optional).
+* **JobTitle**: Specifies the user's job title (optional).
+* **EmailAddress**: Specifies the user's e-mail address (optional).
+* **EmployeeID**: Specifies the user's employee ID (optional).
+* **EmployeeNumber**: Specifies the user's employee number (optional).
+* **HomeDirectory**: Specifies a user's home directory path (optional).
+* **HomeDrive**: Specifies a drive that is associated with the UNC path defined by the HomeDirectory property (optional).
+ * The drive letter is specified as "[DriveLetter]:" where [DriveLetter] indicates the letter of the drive to associate.
+ * The [DriveLetter] must be a single, uppercase letter and the colon is required.
+* **HomePage**: Specifies the URL of the home page of the user object (optional).
+* **ProfilePath**: Specifies a path to the user's profile (optional).
+ * This value can be a local absolute path or a Universal Naming Convention (UNC) path.
+* **LogonScript**: Specifies a path to the user's log on script (optional).
+ * This value can be a local absolute path or a Universal Naming Convention (UNC) path.
+* **Notes**: (optional).
+* **OfficePhone**: Specifies the user's office telephone number (optional).
+* **MobilePhone**: Specifies the user's mobile phone number (optional).
+* **Fax**: Specifies the user's fax phone number (optional).
+* **Pager**: Specifies the user's pager number (optional).
+* **IPPhone**: Specifies the user's IP telephony number (optional).
+* **HomePhone**: Specifies the user's home telephone number (optional).
+* **Enabled**: Specifies if an account is enabled (optional).
+ * An enabled account requires a password.
+* **Manager**: Specifies the user's manager (optional).
+ * This value can be specified as a DN, ObjectGUID, SID or SamAccountName.
+* **PasswordNeverExpires**: Specifies whether the password of an account can expire (optional).
+ * If not specified, this value defaults to False.
+* **CannotChangePassword**: Specifies whether the account password can be changed (optional).
+ * If not specified, this value defaults to False.
 
 ### xWaitForADDomain
 
@@ -88,6 +146,11 @@ __Note: This resource does not currently manage group membership.__
 
 ## Versions
 
+### Unreleased
+
+* MSFT_xADUser: Adds additional property settings.
+* MSFT_xADUser: Adds unit test coverage. 
+
 ### 2.7.0.0
 
 * Added DNS flush in retry loop
diff --git a/Tests/xADUser.Tests.ps1 b/Tests/xADUser.Tests.ps1
new file mode 100644
index 000000000..0f84afd6a
--- /dev/null
+++ b/Tests/xADUser.Tests.ps1
@@ -0,0 +1,467 @@
+[CmdletBinding()]
+param()
+
+Set-StrictMode -Version Latest
+
+$RepoRoot = (Resolve-Path $PSScriptRoot\..).Path
+
+$ModuleName = 'MSFT_xADUser'
+Import-Module (Join-Path $RepoRoot "DSCResources\$ModuleName\$ModuleName.psm1") -Force;
+Import-Module -Name ActiveDirectory -Force;
+
+Describe "xADUser" {
+
+    InModuleScope $ModuleName {
+
+        $testPresentParams = @{
+            DomainName = 'contoso.com';
+            UserName = 'TestUser';
+            Ensure = 'Present';
+        }
+        
+        $testAbsentParams = $testPresentParams.Clone();
+        $testAbsentParams['Ensure'] = 'Absent';
+        
+        $fakeADUser = @{
+            DistinguishedName = "CN=$($testPresentParams.UserName),CN=Users,DC=contoso,DC=com";
+            Enabled = $true;
+            GivenName = '';
+            Name = $testPresentParams.UserName;
+            SamAccountName = $testPresentParams.UserName;
+            Surname = '';
+            UserPrincipalName = '';
+        }
+
+        $testDomainController = 'TESTDC';
+        $testCredential = New-Object System.Management.Automation.PSCredential 'DummyUser', (ConvertTo-SecureString 'DummyPassword' -AsPlainText -Force);
+
+        $testStringProperties = @(
+            'UserPrincipalName', 'DisplayName', 'Path',  'GivenName', 'Initials', 'Surname', 'Description', 'StreetAddress',
+            'POBox', 'City', 'State', 'PostalCode', 'Country', 'Department', 'Division', 'Company', 'Office', 'JobTitle',
+            'EmailAddress', 'EmployeeID', 'EmployeeNumber', 'HomeDirectory', 'HomeDrive', 'HomePage', 'ProfilePath',
+            'LogonScript', 'Notes', 'OfficePhone', 'MobilePhone', 'Fax', 'Pager', 'IPPhone', 'HomePhone','CommonName'
+        );
+        $testBooleanProperties = @('PasswordNeverExpires', 'CannotChangePassword','Enabled');
+
+        Context "Validate Assert-Module method" {
+        
+            It "Throws if Active Directory module is not present" {
+                $testModuleName = 'ActiveDirectory';
+                Mock Get-Module -ParameterFilter { $Name -eq $testModuleName } -MockWith { }
+        
+                { Assert-Module -ModuleName $testModuleName } | Should Throw;
+            }
+        
+        } #end context Validate Assert-Module method
+
+        Context "Validate Get-ADCommonParameters method" {
+
+            It "Adds 'Identity' parameter by default" {
+                $adCommonParams = Get-ADCommonParameters @testPresentParams;
+
+                $adCommonParams.Identity | Should Be $testPresentParams.UserName;
+            }
+
+            It "Adds 'Name' parameter when 'UseNameParameter' is specified" {
+                $adCommonParams = Get-ADCommonParameters @testPresentParams -UseNameParameter;
+
+                $adCommonParams.Name | Should Be $testPresentParams.UserName;
+            }
+
+            It "Adds 'Name' parameter when 'UseNameParameter' and 'CommonName' are specified" {
+                $testCommonName = 'Test Common Name';
+                $adCommonParams = Get-ADCommonParameters @testPresentParams -UseNameParameter -CommonName $testCommonName;
+
+                $adCommonParams.Name | Should Be $testCommonName;
+            }
+            
+            It "Adds 'Server' parameter when 'DomainController' parameter is specified" {
+                $adCommonParams = Get-ADCommonParameters @testPresentParams -DomainController $testDomainController;
+                
+                $adCommonParams.Server | Should Be $testDomainController;
+            }
+            
+            It "Adds 'Credential' parameter when 'DomainAdministratorCredential' parameter is specified" {
+                $adCommonParams = Get-ADCommonParameters @testPresentParams -DomainAdministratorCredential $testCredential;
+                
+                $adCommonParams.Credential | Should Be $testCredential;
+            }
+        
+        } #end context Validate Get-ADCommonParameters method
+
+        Context "Validate Get-ADObjectParentDN method" {
+
+            It "Returns CN object parent path" {
+                Get-ADObjectParentDN -DN 'CN=Administrator,CN=Users,DC=contoso,DC=com' | Should Be 'CN=Users,DC=contoso,DC=com';
+            }
+
+            It "Returns OU object parent path" {
+                Get-ADObjectParentDN -DN 'CN=Administrator,OU=Custom Organizational Unit,DC=contoso,DC=com' | Should Be 'OU=Custom Organizational Unit,DC=contoso,DC=com';
+            }
+
+        } #end context Validate Get-ADObjectParentDN method
+
+        Context "Validate Validate-Parameters method" {
+
+            It "Does not throw when 'PasswordNeverExpires' and 'CannotChangePassword' are specified" {
+                { Validate-Parameters -PasswordNeverExpires $true -CannotChangePassword $true } | Should Not Throw;
+            }
+
+            It "Throws when account is disabled and 'Password' is specified" {
+                { Validate-Parameters -Password $testCredential -Enabled $false } | Should Throw;
+            }
+
+        } #end context Validate Validate-PasswordParameters method
+        
+        Context "Validate Get-TargetResource method" {
+        
+            It "Returns a 'System.Collections.Hashtable' object type" {
+                #Mock Get-ADUser -ParameterFilter { $Identity -eq $testPresentParams.UserName } -MockWith { return [PSCustomObject] $fakeADUser; }
+                Mock Get-ADUser { return [PSCustomObject] $fakeADUser; }
+        
+                $adUser = Get-TargetResource @testPresentParams;
+        
+                $adUser -is [System.Collections.Hashtable] | Should Be $true;
+            }
+        
+            It "Returns 'Ensure' is 'Present' when user account exists" {
+                Mock Get-ADUser { return [PSCustomObject] $fakeADUser; }
+        
+                $adUser = Get-TargetResource @testPresentParams;
+        
+                $adUser.Ensure | Should Be 'Present';
+            }
+            
+            It "Returns 'Ensure' is 'Absent' when user account does not exist" {
+                Mock Get-ADUser { throw New-Object Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException }
+                
+                $adUser = Get-TargetResource @testPresentParams;
+                
+                $adUser.Ensure | Should Be 'Absent';
+            }
+            
+            It "Calls 'Get-ADUser' with 'Server' parameter when 'DomainController' specified" {
+                Mock Get-ADUser -ParameterFilter { $Server -eq $testDomainController } -MockWith { return [PSCustomObject] $fakeADUser; }
+                
+                Get-TargetResource @testPresentParams -DomainController $testDomainController;
+                
+                Assert-MockCalled Get-ADUser -ParameterFilter { $Server -eq $testDomainController } -Scope It;
+            }
+            
+            It "Calls 'Get-ADUser' with 'Credential' parameter when 'DomainAdministratorCredential' specified" {
+                Mock Get-ADUser -ParameterFilter { $Credential -eq $testCredential } -MockWith { return [PSCustomObject] $fakeADUser; }
+        
+                Get-TargetResource @testPresentParams -DomainAdministratorCredential $testCredential;
+                
+                Assert-MockCalled Get-ADUser -ParameterFilter { $Credential -eq $testCredential } -Scope It;
+            }
+        
+        } #end context Validate Get-TargetResource method
+         
+        Context "Validate Test-TargetResource method" {
+            
+            It "Passes when user account does not exist and 'Ensure' is 'Absent'" {
+                Mock Get-TargetResource { return $testAbsentParams }
+                
+                Test-TargetResource @testAbsentParams | Should Be $true;
+            }
+        
+            It "Passes when user account exists and 'Ensure' is 'Present'" {
+                Mock Get-TargetResource { return $testPresentParams }
+                
+                Test-TargetResource @testPresentParams | Should Be $true;
+            }
+        
+            It "Passes when user account password matches and 'Password' is specified" {
+                Mock Get-TargetResource { return $testPresentParams }
+                Mock Test-Password { return $true; }
+        
+                Test-TargetResource @testPresentParams -Password $testCredential | Should Be $true;
+            }
+        
+            It "Fails when user account does not exist and 'Ensure' is 'Present'" {
+                Mock Get-TargetResource { return $testAbsentParams }
+                
+                Test-TargetResource @testPresentParams | Should Be $false;
+            }
+            
+            It "Fails when user account exists, and 'Ensure' is 'Absent'" {
+                Mock Get-TargetResource { return $testPresentParams }
+                
+                Test-TargetResource @testAbsentParams | Should Be $false;
+            }
+        
+            It "Fails when user account password is incorrect and 'Password' is specified" {
+                Mock Get-TargetResource { return $testPresentParams }
+                Mock Test-Password { return $false; }
+        
+                Test-TargetResource @testPresentParams -Password $testCredential | Should Be $false;
+            }
+            
+            foreach ($testParameter in $testStringProperties) {
+            
+                It "Passes when user account '$testParameter' matches AD account property" {
+                    $testParameterValue = 'Test Parameter String Value';
+                    $testValidPresentParams = $testPresentParams.Clone();
+                    $testValidPresentParams[$testParameter] = $testParameterValue;
+                    $validADUser = $testPresentParams.Clone();
+                    $invalidADUser = $testPresentParams.Clone();
+                    Mock Get-TargetResource {
+                        $validADUser[$testParameter] = $testParameterValue;
+                        return $validADUser;
+                    }
+            
+                    Test-TargetResource @testValidPresentParams | Should Be $true;
+                }
+            
+                It "Fails when user account '$testParameter' does not match incorrect AD account property value" {
+                    $testParameterValue = 'Test Parameter String Value';
+                    $testValidPresentParams = $testPresentParams.Clone();
+                    $testValidPresentParams[$testParameter] = $testParameterValue;
+                    $validADUser = $testPresentParams.Clone();
+                    $invalidADUser = $testPresentParams.Clone();
+                    Mock Get-TargetResource {
+                        $invalidADUser[$testParameter] = $testParameterValue.Substring(0, ([System.Int32] $testParameterValue.Length/2));
+                        return $invalidADUser;
+                    }
+            
+                    Test-TargetResource @testValidPresentParams | Should Be $false;
+                }
+            
+                It "Fails when user account '$testParameter' does not match empty AD account property value" {
+                    $testParameterValue = 'Test Parameter String Value';
+                    $testValidPresentParams = $testPresentParams.Clone();
+                    $testValidPresentParams[$testParameter] = $testParameterValue;
+                    $validADUser = $testPresentParams.Clone();
+                    $invalidADUser = $testPresentParams.Clone();
+                    Mock Get-TargetResource {
+                        $invalidADUser[$testParameter] = '';
+                        return $invalidADUser;
+                    }
+            
+                    Test-TargetResource @testValidPresentParams | Should Be $false;
+                }
+            
+                It "Fails when user account '$testParameter' does not match null AD account property value" {
+                    $testParameterValue = 'Test Parameter String Value';
+                    $testValidPresentParams = $testPresentParams.Clone();
+                    $testValidPresentParams[$testParameter] = $testParameterValue;
+                    $validADUser = $testPresentParams.Clone();
+                    $invalidADUser = $testPresentParams.Clone();
+                    Mock Get-TargetResource {
+                        $invalidADUser[$testParameter] = $null;
+                        return $invalidADUser;
+                    }
+            
+                    Test-TargetResource @testValidPresentParams | Should Be $false;
+                }
+            
+                It "Passes when empty user account '$testParameter' matches empty AD account property" {
+                    $testValidPresentParams = $testPresentParams.Clone();
+                    $testValidPresentParams[$testParameter] = $testParameterValue;
+                    $validADUser = $testPresentParams.Clone();
+                    Mock Get-TargetResource {
+                        $validADUser[$testParameter] = '';
+                        return $validADUser;
+                    }
+            
+                    Test-TargetResource @testValidPresentParams | Should Be $true;
+                }
+            
+                It "Passes when empty user account '$testParameter' matches null AD account property" {
+                    $testValidPresentParams = $testPresentParams.Clone();
+                    $testValidPresentParams[$testParameter] = $testParameterValue;
+                    $validADUser = $testPresentParams.Clone();
+                    Mock Get-TargetResource {
+                        $validADUser[$testParameter] = $null;
+                        return $validADUser;
+                    }
+            
+                    Test-TargetResource @testValidPresentParams | Should Be $true;
+                }
+            
+            } #end foreach test string property
+            
+            foreach ($testParameter in $testBooleanProperties) {
+                
+                It "Passes when user account '$testParameter' matches AD account property" {
+                    $testParameterValue = $true;
+                    $testValidPresentParams = $testPresentParams.Clone();
+                    $testValidPresentParams[$testParameter] = $testParameterValue;
+                    $validADUser = $testPresentParams.Clone();
+                    $invalidADUser = $testPresentParams.Clone();
+                    Mock Get-TargetResource {
+                        $validADUser[$testParameter] = $testParameterValue;
+                        return $validADUser;
+                    }
+            
+                    Test-TargetResource @testValidPresentParams | Should Be $true;
+                }
+            
+                It "Fails when user account '$testParameter' does not match AD account property value" {
+                    $testParameterValue = $true;
+                    $testValidPresentParams = $testPresentParams.Clone();
+                    $testValidPresentParams[$testParameter] = $testParameterValue;
+                    $validADUser = $testPresentParams.Clone();
+                    $invalidADUser = $testPresentParams.Clone();
+                    Mock Get-TargetResource {
+                        $invalidADUser[$testParameter] = -not $testParameterValue;
+                        return $invalidADUser;
+                    }
+            
+                    Test-TargetResource @testValidPresentParams | Should Be $false;
+                }
+            
+            } #end foreach test boolean property
+            
+        } #end Context Validate Test-TargetResource method
+        
+        Context "Validate Set-TargetResource method" {
+            
+            <# Cannot test account creation as mocking requires throwing an exception and this gets called twice.
+            
+            It "Calls 'New-ADUser' when 'Ensure' is 'Present' and the user account does not exist" {
+                Mock Get-ADUser { throw New-Object Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException }
+                Mock New-ADUser -ParameterFilter { $Name.ToString() -eq $testPresentParams.UserName } -MockWith { }
+                Mock Set-ADUser { }
+                
+                Set-TargetResource @testPresentParams -Description 'sdasdas';
+                
+                Assert-MockCalled New-ADUser -ParameterFilter { $Name.ToString() -eq $testPresentParams.UserName } -Scope It;
+            }
+        
+            #>
+            
+            It "Calls 'Move-ADObject' when 'Ensure' is 'Present', the account exists but Path is incorrect" {
+                $testTargetPath = 'CN=Users,DC=contoso,DC=com';
+                Mock Set-ADUser { }
+                Mock Get-ADUser {
+                    $duffADUser = $fakeADUser.Clone();
+                    $duffADUser['DistinguishedName'] = "CN=$($testPresentParams.UserName),OU=WrongPath,DC=contoso,DC=com";
+                    return $duffADUser;
+                }
+                Mock Move-ADObject -ParameterFilter { $TargetPath -eq $testTargetPath } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -Path $testTargetPath -Enabled $true;
+                
+                Assert-MockCalled Move-ADObject -ParameterFilter { $TargetPath -eq $testTargetPath } -Scope It;
+            }
+
+            It "Calls 'Rename-ADObject' when 'Ensure' is 'Present', the account exists but 'CommonName' is incorrect" {
+                $testCommonName = 'Test Common Name';
+                Mock Set-ADUser { }
+                Mock Get-ADUser { return $fakeADUser; }
+                Mock Rename-ADObject -ParameterFilter { $NewName -eq $testCommonName } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -CommonName $testCommonName -Enabled $true;
+                
+                Assert-MockCalled Rename-ADObject -ParameterFilter { $NewName -eq $testCommonName } -Scope It;
+            }
+        
+            It "Calls 'Set-ADAccountPassword' when 'Password' parameter is specified" {
+                Mock Get-ADUser { return $fakeADUser; }
+                Mock Set-ADUser { }
+                Mock Set-ADAccountPassword -ParameterFilter { $NewPassword -eq $testCredential.Password } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -Password $testCredential;
+        
+                Assert-MockCalled Set-ADAccountPassword -ParameterFilter { $NewPassword -eq $testCredential.Password } -Scope It;
+            }
+        
+            It "Calls 'Set-ADUser' with 'Replace' when existing matching AD property is null" {
+                $testADPropertyName = 'Description';
+                Mock Get-ADUser {
+                    $duffADUser = $fakeADUser.Clone();
+                    $duffADUser[$testADPropertyName] = $null;
+                    return $duffADUser;
+                }
+                Mock Set-ADUser -ParameterFilter { $Replace.ContainsKey($testADPropertyName) } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -Description 'My custom description';
+                
+                Assert-MockCalled Set-ADUser -ParameterFilter { $Replace.ContainsKey($testADPropertyName) } -Scope It -Exactly 1;
+            }
+            
+            It "Calls 'Set-ADUser' with 'Replace' when existing matching AD property is empty" {
+                $testADPropertyName = 'Description';
+                Mock Get-ADUser {
+                    $duffADUser = $fakeADUser.Clone();
+                    $duffADUser[$testADPropertyName] = '';
+                    return $duffADUser;
+                }
+                Mock Set-ADUser -ParameterFilter { $Replace.ContainsKey($testADPropertyName) } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -Description 'My custom description';
+                
+                Assert-MockCalled Set-ADUser -ParameterFilter { $Replace.ContainsKey($testADPropertyName) } -Scope It -Exactly 1;
+            }
+        
+            It "Calls 'Set-ADUser' with 'Remove' when new matching AD property is empty" {
+                $testADPropertyName = 'Description';
+                Mock Get-ADUser {
+                    $duffADUser = $fakeADUser.Clone();
+                    $duffADUser[$testADPropertyName] = 'Incorrect parameter value';
+                    return $duffADUser;
+                }
+                Mock Set-ADUser -ParameterFilter { $Remove.ContainsKey($testADPropertyName) } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -Description '';
+                
+                Assert-MockCalled Set-ADUser -ParameterFilter { $Remove.ContainsKey($testADPropertyName) } -Scope It -Exactly 1;
+            }
+        
+            It "Calls 'Set-ADUser' with 'Replace' when existing mismatched AD property is null" {
+                $testADPropertyName = 'Title';
+                Mock Get-ADUser {
+                    $duffADUser = $fakeADUser.Clone();
+                    $duffADUser[$testADPropertyName] = $null;
+                    return $duffADUser;
+                }
+                Mock Set-ADUser -ParameterFilter { $Replace.ContainsKey($testADPropertyName) } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -JobTitle 'Gaffer';
+                
+                Assert-MockCalled Set-ADUser -ParameterFilter { $Replace.ContainsKey($testADPropertyName) } -Scope It -Exactly 1;
+            }
+        
+            It "Calls 'Set-ADUser' with 'Replace' when existing mismatched AD property is empty" {
+                $testADPropertyName = 'Title';
+                Mock Get-ADUser {
+                    $duffADUser = $fakeADUser.Clone();
+                    $duffADUser[$testADPropertyName] = '';
+                    return $duffADUser;
+                }
+                Mock Set-ADUser -ParameterFilter { $Replace.ContainsKey($testADPropertyName) } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -JobTitle 'Gaffer';
+                
+                Assert-MockCalled Set-ADUser -ParameterFilter { $Replace.ContainsKey($testADPropertyName) } -Scope It -Exactly 1;
+            }
+        
+            It "Calls 'Set-ADUser' with 'Remove' when new mismatched AD property is empty" {
+                $testADPropertyName = 'Title';
+                Mock Get-ADUser {
+                    $duffADUser = $fakeADUser.Clone();
+                    $duffADUser[$testADPropertyName] = 'Incorrect job title';
+                    return $duffADUser;
+                }
+                Mock Set-ADUser -ParameterFilter { $Remove.ContainsKey($testADPropertyName) } -MockWith { }
+        
+                Set-TargetResource @testPresentParams -JobTitle '';
+                
+                Assert-MockCalled Set-ADUser -ParameterFilter { $Remove.ContainsKey($testADPropertyName) } -Scope It -Exactly 1;
+            }
+            
+            It "Calls 'Remove-ADUser' when 'Ensure' is 'Absent' and user account exists" {
+                Mock Get-ADUser { return [PSCustomObject] $fakeADUser; }
+                Mock Remove-ADUser -ParameterFilter { $Identity.ToString() -eq $testAbsentParams.UserName } -MockWith { }
+                
+                Set-TargetResource @testAbsentParams;
+                
+                Assert-MockCalled Remove-ADUser -ParameterFilter { $Identity.ToString() -eq $testAbsentParams.UserName } -Scope It;
+            }
+        
+        } #end context Validate Set-TargetResource method
+    
+    } #end InModuleScope
+}