SharedResources/Src/CreateADPDC/xActiveDirectory/DSCResources/MSFT_xADComputer/MSFT_xADComputer.psm1 (844 lines of code) (raw):
$script:resourceModulePath = Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent
$script:modulesFolderPath = Join-Path -Path $script:resourceModulePath -ChildPath 'Modules'
$script:localizationModulePath = Join-Path -Path $script:modulesFolderPath -ChildPath 'xActiveDirectory.Common'
Import-Module -Name (Join-Path -Path $script:localizationModulePath -ChildPath 'xActiveDirectory.Common.psm1')
$script:localizedData = Get-LocalizedData -ResourceName 'MSFT_xADComputer'
<#
A property map that maps the resource parameters to the corresponding
Active Directory computer account object attribute.
#>
$script:computerObjectPropertyMap = @(
@{
ParameterName = 'ComputerName'
PropertyName = 'CN'
},
@{
ParameterName = 'Location'
},
@{
ParameterName = 'DnsHostName'
},
@{
ParameterName = 'ServicePrincipalNames'
PropertyName = 'ServicePrincipalName'
},
@{
ParameterName = 'UserPrincipalName'
},
@{
ParameterName = 'DisplayName'
},
@{
ParameterName = 'Path'
PropertyName = 'DistinguishedName'
},
@{
ParameterName = 'Description'
},
@{
ParameterName = 'Enabled'
},
@{
ParameterName = 'Manager'
PropertyName = 'ManagedBy'
},
@{
ParameterName = 'DistinguishedName'
ParameterType = 'Read'
PropertyName = 'DistinguishedName'
},
@{
ParameterName = 'SID'
ParameterType = 'Read'
}
)
<#
.SYNOPSIS
Returns the current state of the Active Directory computer account.
.PARAMETER ComputerName
Specifies the name of the Active Directory computer account to manage.
You can identify a computer by its distinguished name, GUID, security
identifier (SID) or Security Accounts Manager (SAM) account name.
.PARAMETER RequestFile
Specifies the full path to the Offline Domain Join Request file to create.
.PARAMETER Enabled
DEPRECATED - DO NOT USE.
It is a parameter in Get-TargetResource to write the deprecated message.
.PARAMETER EnabledOnCreation
Specifies if the computer account is created enabled or disabled.
By default the Enabled property of the computer account will be set to
the default value of the cmdlet New-ADComputer. This property is ignored
if the parameter RequestFile is specified in the same configuration.
This parameter does not enforce the property `Enabled`. To enforce the
property `Enabled` see the resource xADObjectEnabledState.
.PARAMETER DomainController
Specifies the Active Directory Domain Services instance to connect to perform the task.
Used by Get-ADCommonParameters and is returned as a common parameter.
.PARAMETER DomainAdministratorCredential
Specifies the user account credentials to use to perform the task.
Used by Get-ADCommonParameters and is returned as a common parameter.
.PARAMETER RestoreFromRecycleBin
Try to restore the organizational unit from the recycle bin before
creating a new one.
#>
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$ComputerName,
[Parameter()]
[ValidateNotNull()]
[System.String]
$RequestFile,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$Enabled,
[Parameter()]
[ValidateNotNull()]
[System.String]
$DomainController,
[Parameter()]
[ValidateNotNull()]
[System.Management.Automation.PSCredential]
[System.Management.Automation.CredentialAttribute()]
$DomainAdministratorCredential,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$RestoreFromRecycleBin,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$EnabledOnCreation
)
<#
We have the deprecated message in Get-TargetResource so that it is
shown when using Get-DscConfiguration or Invoke-DscResource.
#>
if ($PSBoundParameters.ContainsKey('Enabled'))
{
Write-Warning -Message $script:localizedData.EnabledDeprecatedMessage
}
Assert-Module -ModuleName 'ActiveDirectory' -ImportModule
<#
These are properties that have no corresponding property in a
Computer account object.
#>
$getTargetResourceReturnValue = @{
Ensure = 'Absent'
ComputerName = $null
Location = $null
DnsHostName = $null
ServicePrincipalNames = $null
UserPrincipalName = $null
DisplayName = $null
Path = $null
Description = $null
Enabled = $false
Manager = $null
DomainController = $DomainController
DomainAdministratorCredential = $DomainAdministratorCredential
RequestFile = $RequestFile
RestoreFromRecycleBin = $RestoreFromRecycleBin
EnabledOnCreation = $EnabledOnCreation
DistinguishedName = $null
SID = $null
SamAccountName = $null
}
$getADComputerResult = $null
try
{
<#
Create an array of the Active Directory Computer object property
names to retrieve from the Computer object.
#>
$computerObjectProperties = Convert-PropertyMapToObjectProperties -PropertyMap $script:computerObjectPropertyMap
<#
When the property ServicePrincipalName is read with Get-ADComputer
the property name must be 'ServicePrincipalNames', but when it is
written with Set-ADComputer the property name must be
'ServicePrincipalName'. This difference is handled here.
#>
$computerObjectProperties = @($computerObjectProperties |
Where-Object -FilterScript {
$_ -ne 'ServicePrincipalName'
})
$computerObjectProperties += @('ServicePrincipalNames')
Write-Verbose -Message ($script:localizedData.RetrievingComputerAccount -f $ComputerName)
$getADComputerParameters = Get-ADCommonParameters @PSBoundParameters
$getADComputerParameters['Properties'] = $computerObjectProperties
# If the computer account is not found Get-ADComputer will throw an error.
$getADComputerResult = Get-ADComputer @getADComputerParameters
Write-Verbose -Message ($script:localizedData.ComputerAccountIsPresent -f $ComputerName)
$getTargetResourceReturnValue['Ensure'] = 'Present'
$getTargetResourceReturnValue['ComputerName'] = $getADComputerResult.CN
$getTargetResourceReturnValue['Location'] = $getADComputerResult.Location
$getTargetResourceReturnValue['DnsHostName'] = $getADComputerResult.DnsHostName
$getTargetResourceReturnValue['ServicePrincipalNames'] = [System.String[]] $getADComputerResult.ServicePrincipalNames
$getTargetResourceReturnValue['UserPrincipalName'] = $getADComputerResult.UserPrincipalName
$getTargetResourceReturnValue['DisplayName'] = $getADComputerResult.DisplayName
$getTargetResourceReturnValue['Path'] = Get-ADObjectParentDN -DN $getADComputerResult.DistinguishedName
$getTargetResourceReturnValue['Description'] = $getADComputerResult.Description
$getTargetResourceReturnValue['Enabled'] = $getADComputerResult.Enabled
$getTargetResourceReturnValue['Manager'] = $getADComputerResult.ManagedBy
$getTargetResourceReturnValue['DomainController'] = $DomainController
$getTargetResourceReturnValue['DomainAdministratorCredential'] = $DomainAdministratorCredential
$getTargetResourceReturnValue['RequestFile'] = $RequestFile
$getTargetResourceReturnValue['RestoreFromRecycleBin'] = $RestoreFromRecycleBin
$getTargetResourceReturnValue['EnabledOnCreation'] = $EnabledOnCreation
$getTargetResourceReturnValue['DistinguishedName'] = $getADComputerResult.DistinguishedName
$getTargetResourceReturnValue['SID'] = $getADComputerResult.SID
$getTargetResourceReturnValue['SamAccountName'] = $getADComputerResult.SamAccountName
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
{
Write-Verbose -Message ($script:localizedData.ComputerAccountIsAbsent -f $ComputerName)
}
catch
{
$errorMessage = $script:localizedData.FailedToRetrieveComputerAccount -f $ComputerName
New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
}
return $getTargetResourceReturnValue
}
<#
.SYNOPSIS
Determines if the Active Directory computer account is in the desired state.
.PARAMETER ComputerName
Specifies the name of the Active Directory computer account to manage.
You can identify a computer by its distinguished name, GUID, security
identifier (SID) or Security Accounts Manager (SAM) account name.
.PARAMETER Ensure
Specifies whether the computer account is present or absent.
Valid values are 'Present' and 'Absent'. The default is 'Present'.
.PARAMETER UserPrincipalName
Specifies the UPN assigned to the computer account.
.PARAMETER DisplayName
Specifies the display name of the computer.
.PARAMETER Path
Specifies the X.500 path of the container where the computer is located.
.PARAMETER Location
Specifies the location of the computer, such as an office number.
.PARAMETER DnsHostName
Specifies the fully qualified domain name (FQDN) of the computer.
.PARAMETER ServicePrincipalNames
Specifies the service principal names for the computer account.
.PARAMETER Description
Specifies a description of the computer account.
.PARAMETER Manager
Specifies the user or group Distinguished Name that manages the computer
account. Valid values are the user's or group's DistinguishedName,
ObjectGUID, SID or SamAccountName.
.PARAMETER RequestFile
Specifies the full path to the Offline Domain Join Request file to create.
.PARAMETER Enabled
DEPRECATED - DO NOT USE.
.PARAMETER DomainController
Specifies the Active Directory Domain Services instance to connect to perform the task.
.PARAMETER DomainAdministratorCredential
Specifies the user account credentials to use to perform the task.
.PARAMETER RestoreFromRecycleBin
Try to restore the organizational unit from the recycle bin before
creating a new one.
.PARAMETER EnabledOnCreation
Specifies if the computer account is created enabled or disabled.
By default the Enabled property of the computer account will be set to
the default value of the cmdlet New-ADComputer. This property is ignored
if the parameter RequestFile is specified in the same configuration.
This parameter does not enforce the property `Enabled`. To enforce the
property `Enabled` see the resource xADObjectEnabledState.
#>
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
# Common Name
[Parameter(Mandatory = $true)]
[System.String]
$ComputerName,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[ValidateNotNull()]
[System.String]
$UserPrincipalName,
[Parameter()]
[ValidateNotNull()]
[System.String]
$DisplayName,
[Parameter()]
[ValidateNotNull()]
[System.String]
$Path,
[Parameter()]
[ValidateNotNull()]
[System.String]
$Location,
[Parameter()]
[ValidateNotNull()]
[System.String]
$DnsHostName,
[Parameter()]
[ValidateNotNull()]
[System.String[]]
$ServicePrincipalNames,
[Parameter()]
[ValidateNotNull()]
[System.String]
$Description,
[Parameter()]
[ValidateNotNull()]
[System.String]
$Manager,
[Parameter()]
[ValidateNotNull()]
[System.String]
$RequestFile,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$Enabled,
[Parameter()]
[ValidateNotNull()]
[System.String]
$DomainController,
[Parameter()]
[ValidateNotNull()]
[System.Management.Automation.PSCredential]
[System.Management.Automation.CredentialAttribute()]
$DomainAdministratorCredential,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$RestoreFromRecycleBin,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$EnabledOnCreation
)
Write-Verbose -Message (
$script:localizedData.TestConfiguration -f $ComputerName
)
<#
We have the deprecated message in Test-TargetResource so that it is
shown when using Start-DscConfiguration or Invoke-DscResource.
#>
if ($PSBoundParameters.ContainsKey('Enabled'))
{
Write-Warning -Message $script:localizedData.EnabledDeprecatedMessage
}
$getTargetResourceParameters = @{
ComputerName = $ComputerName
RequestFile = $RequestFile
DomainController = $DomainController
DomainAdministratorCredential = $DomainAdministratorCredential
RestoreFromRecycleBin = $RestoreFromRecycleBin
EnabledOnCreation = $EnabledOnCreation
}
# Need the @() around this to get a new array to enumerate.
@($getTargetResourceParameters.Keys) |
ForEach-Object {
if (-not $PSBoundParameters.ContainsKey($_))
{
$getTargetResourceParameters.Remove($_)
}
}
$getTargetResourceResult = Get-TargetResource @getTargetResourceParameters
$testTargetResourceReturnValue = $true
if ($Ensure -eq 'Absent')
{
if ($getTargetResourceResult.Ensure -eq 'Present')
{
Write-Verbose -Message (
$script:localizedData.ComputerAccountShouldBeAbsent -f $ComputerName
)
$testTargetResourceReturnValue = $false
}
}
else
{
if ($getTargetResourceResult.Ensure -eq 'Absent')
{
Write-Verbose -Message (
$script:localizedData.ComputerAccountShouldBePresent -f $ComputerName
)
$testTargetResourceReturnValue = $false
}
else
{
<#
- Ignores the parameter ComputerName since we are not supporting
renaming a computer account.
- Ignore to compare the parameter ServicePrincipalNames here
because it needs a special comparison, so it is handled
afterwards.
- Ignores the Enabled property because it is DEPRECATED.
#>
$compareTargetResourceStateParameters = @{
CurrentValues = $getTargetResourceResult
DesiredValues = $PSBoundParameters
# This gives an array of properties to compare.
Properties = $script:computerObjectPropertyMap.ParameterName
# But these properties
IgnoreProperties = @(
'ComputerName'
'ServicePrincipalNames'
'Enabled'
)
}
$compareTargetResourceStateResult = Compare-ResourcePropertyState @compareTargetResourceStateParameters
if ($false -in $compareTargetResourceStateResult.InDesiredState)
{
$testTargetResourceReturnValue = $false
}
if ($PSBoundParameters.ContainsKey('ServicePrincipalNames'))
{
$testServicePrincipalNamesParameters = @{
ExistingServicePrincipalNames = $getTargetResourceResult.ServicePrincipalNames
ServicePrincipalNames = $ServicePrincipalNames
}
$testTargetResourceReturnValue = Test-ServicePrincipalNames @testServicePrincipalNamesParameters
}
}
}
if ($testTargetResourceReturnValue)
{
Write-Verbose -Message ($script:localizedData.ComputerAccountInDesiredState -f $ComputerName)
}
else
{
Write-Verbose -Message ($script:localizedData.ComputerAccountNotInDesiredState -f $ComputerName)
}
return $testTargetResourceReturnValue
}
<#
.SYNOPSIS
Creates. removes or modifies the Active Directory computer account.
.PARAMETER ComputerName
Specifies the name of the Active Directory computer account to manage.
You can identify a computer by its distinguished name, GUID, security
identifier (SID) or Security Accounts Manager (SAM) account name.
.PARAMETER Ensure
Specifies whether the computer account is present or absent.
Valid values are 'Present' and 'Absent'. The default is 'Present'.
.PARAMETER UserPrincipalName
Specifies the UPN assigned to the computer account.
.PARAMETER DisplayName
Specifies the display name of the computer.
.PARAMETER Path
Specifies the X.500 path of the container where the computer is located.
.PARAMETER Location
Specifies the location of the computer, such as an office number.
.PARAMETER DnsHostName
Specifies the fully qualified domain name (FQDN) of the computer.
.PARAMETER ServicePrincipalNames
Specifies the service principal names for the computer account.
.PARAMETER Description
Specifies a description of the computer account.
.PARAMETER Manager
Specifies the user or group Distinguished Name that manages the computer
account. Valid values are the user's or group's DistinguishedName,
ObjectGUID, SID or SamAccountName.
.PARAMETER RequestFile
Specifies the full path to the Offline Domain Join Request file to create.
.PARAMETER Enabled
DEPRECATED - DO NOT USE.
.PARAMETER DomainController
Specifies the Active Directory Domain Services instance to connect to perform the task.
.PARAMETER DomainAdministratorCredential
Specifies the user account credentials to use to perform the task.
.PARAMETER RestoreFromRecycleBin
Try to restore the organizational unit from the recycle bin before
creating a new one.
.PARAMETER EnabledOnCreation
Specifies if the computer account is created enabled or disabled.
By default the Enabled property of the computer account will be set to
the default value of the cmdlet New-ADComputer. This property is ignored
if the parameter RequestFile is specified in the same configuration.
This parameter does not enforce the property `Enabled`. To enforce the
property `Enabled` see the resource xADObjectEnabledState.
#>
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$ComputerName,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[ValidateNotNull()]
[System.String]
$UserPrincipalName,
[Parameter()]
[ValidateNotNull()]
[System.String]
$DisplayName,
[Parameter()]
[ValidateNotNull()]
[System.String]
$Path,
[Parameter()]
[ValidateNotNull()]
[System.String]
$Location,
[Parameter()]
[ValidateNotNull()]
[System.String]
$DnsHostName,
[Parameter()]
[ValidateNotNull()]
[System.String[]]
$ServicePrincipalNames,
[Parameter()]
[ValidateNotNull()]
[System.String]
$Description,
[Parameter()]
[ValidateNotNull()]
[System.String]
$Manager,
[Parameter()]
[ValidateNotNull()]
[System.String]
$RequestFile,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$Enabled,
[Parameter()]
[ValidateNotNull()]
[System.String]
$DomainController,
[Parameter()]
[ValidateNotNull()]
[System.Management.Automation.PSCredential]
[System.Management.Automation.CredentialAttribute()]
$DomainAdministratorCredential,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$RestoreFromRecycleBin,
[Parameter()]
[ValidateNotNull()]
[System.Boolean]
$EnabledOnCreation
)
<#
We have the deprecated message in Test-TargetResource so that it is
shown when using Start-DscConfiguration or Invoke-DscResource.
#>
if ($PSBoundParameters.ContainsKey('Enabled'))
{
Write-Warning -Message $script:localizedData.EnabledDeprecatedMessage
}
$getTargetResourceParameters = @{
ComputerName = $ComputerName
RequestFile = $RequestFile
DomainController = $DomainController
DomainAdministratorCredential = $DomainAdministratorCredential
RestoreFromRecycleBin = $RestoreFromRecycleBin
EnabledOnCreation = $EnabledOnCreation
}
# Need the @() around this to get a new array to enumerate.
@($getTargetResourceParameters.Keys) |
ForEach-Object {
if (-not $PSBoundParameters.ContainsKey($_))
{
$getTargetResourceParameters.Remove($_)
}
}
$getTargetResourceResult = Get-TargetResource @getTargetResourceParameters
if ($Ensure -eq 'Present')
{
if ($getTargetResourceResult.Ensure -eq 'Absent')
{
$restorationSuccessful = $false
# Try to restore computer account from recycle bin if it exists.
if ($RestoreFromRecycleBin)
{
Write-Verbose -Message (
$script:localizedData.RestoringComputerAccount -f $ComputerName
)
$restoreADCommonObjectParameters = Get-ADCommonParameters @PSBoundParameters
$restoreADCommonObjectParameters['ObjectClass'] = 'Computer'
$restoreADCommonObjectParameters['ErrorAction'] = 'Stop'
$restorationSuccessful = Restore-ADCommonObject @restoreADCommonObjectParameters
}
if (-not $RestoreFromRecycleBin -or ($RestoreFromRecycleBin -and -not $restorationSuccessful))
{
<#
The computer account does not exist, or the computer account
was not present in recycle bin, so the computer account needs
to be created.
#>
if ($RequestFile)
{
<#
Use DJOIN to create the computer account as well as the
Offline Domain Join (ODJ) request file.
#>
# This should only be performed on a Domain Member, so detect the Domain Name.
$domainName = Get-DomainName
Write-Verbose -Message (
$script:localizedData.CreateOfflineDomainJoinRequest -f $RequestFile, $ComputerName, $domainName
)
$dJoinArguments = @(
'/PROVISION'
'/DOMAIN',
$domainName
'/MACHINE',
$ComputerName
)
if ($PSBoundParameters.ContainsKey('Path'))
{
$dJoinArguments += @(
'/MACHINEOU',
$Path
)
}
if ($PSBoundParameters.ContainsKey('DomainController'))
{
$dJoinArguments += @(
'/DCNAME',
$DomainController
)
}
$dJoinArguments += @(
'/SAVEFILE',
$RequestFile
)
$startProcessParameters = @{
FilePath = 'djoin.exe'
ArgumentList = $dJoinArguments
Timeout = 300
}
$dJoinProcessExitCode = Start-ProcessWithTimeout @startProcessParameters
if ($dJoinProcessExitCode -ne 0)
{
$errorMessage = $script:localizedData.FailedToCreateOfflineDomainJoinRequest -f $ComputerName, $dJoinProcessExitCode
New-InvalidOperationException -Message $errorMessage
}
else
{
Write-Verbose -Message (
$script:localizedData.CreatedOfflineDomainJoinRequestFile -f $RequestFile
)
}
}
else
{
$newADComputerParameters = Get-ADCommonParameters @PSBoundParameters -UseNameParameter
if ($PSBoundParameters.ContainsKey('Path'))
{
Write-Verbose -Message (
$script:localizedData.CreateComputerAccountInPath -f $ComputerName, $Path
)
$newADComputerParameters['Path'] = $Path
}
else
{
Write-Verbose -Message (
$script:localizedData.CreateComputerAccount -f $ComputerName
)
}
<#
If the parameter EnabledOnCreation is specified, then the
property Enabled is set to that value.
#>
if ($PSBoundParameters.ContainsKey('EnabledOnCreation'))
{
if ($EnabledOnCreation)
{
Write-Verbose -Message ($script:localizedData.EnabledComputerAccount -f $ComputerName)
}
else
{
Write-Verbose -Message ($script:localizedData.DisabledComputerAccount -f $ComputerName)
}
$newADComputerParameters['Enabled'] = $EnabledOnCreation
}
New-ADComputer @newADComputerParameters
}
}
<#
Now retrieve the newly created computer account so the other
properties can be set if specified.
#>
$getTargetResourceResult = Get-TargetResource @getTargetResourceParameters
}
<#
- Ignores the parameter ComputerName since we are not supporting
renaming a computer account.
- Ignore to compare the parameter ServicePrincipalNames here
because it needs a special comparison, so it is handled
afterwards.
- Ignores the Enabled property because it is DEPRECATED.
#>
$compareTargetResourceStateParameters = @{
CurrentValues = $getTargetResourceResult
DesiredValues = $PSBoundParameters
# This gives an array of properties to compare.
Properties = $script:computerObjectPropertyMap.ParameterName
# But these properties
IgnoreProperties = @(
'ComputerName'
'ServicePrincipalNames'
'Enabled'
)
}
$compareTargetResourceStateResult = Compare-ResourcePropertyState @compareTargetResourceStateParameters
if ($PSBoundParameters.ContainsKey('ServicePrincipalNames'))
{
$testServicePrincipalNamesParameters = @{
ExistingServicePrincipalNames = $getTargetResourceResult.ServicePrincipalNames
ServicePrincipalNames = $ServicePrincipalNames
}
$compareTargetResourceStateResult += @{
ParameterName = 'ServicePrincipalNames'
Expected = $testServicePrincipalNamesParameters.ServicePrincipalNames
Actual = $testServicePrincipalNamesParameters.ExistingServicePrincipalNames
InDesiredState = Test-ServicePrincipalNames @testServicePrincipalNamesParameters
}
}
$commonParameters = Get-ADCommonParameters @PSBoundParameters
if ($compareTargetResourceStateResult.Where( { $_.ParameterName -eq 'Path' -and -not $_.InDesiredState }))
{
<#
Must move the computer account since we can't simply
update the DistinguishedName property
It does not work moving the computer account using the
SamAccountName as the identity, so using the property
DistinguishedName instead.
#>
$moveADObjectParameters = $commonParameters.Clone()
$moveADObjectParameters['Identity'] = $getTargetResourceResult.DistinguishedName
Write-Verbose -Message (
$script:localizedData.MovingComputerAccount -f $ComputerName, $getTargetResourceResult.Path, $Path
)
Move-ADObject @moveADObjectParameters -TargetPath $Path
}
$replaceComputerProperties = @{ }
$removeComputerProperties = @{ }
# Get all properties, other than Path, that is not in desired state.
$propertiesNotInDesiredState = $compareTargetResourceStateResult |
Where-Object -FilterScript {
$_.ParameterName -ne 'Path' -and -not $_.InDesiredState
}
foreach ($property in $propertiesNotInDesiredState)
{
$computerAccountPropertyName = ($script:computerObjectPropertyMap |
Where-Object -FilterScript {
$_.ParameterName -eq $property.ParameterName
}).PropertyName
if (-not $computerAccountPropertyName)
{
$computerAccountPropertyName = $property.ParameterName
}
if ($property.Expected)
{
Write-Verbose -Message (
$script:localizedData.UpdatingComputerAccountProperty -f $computerAccountPropertyName, ($property.Expected -join ''',''')
)
# Replace the current value.
$replaceComputerProperties[$computerAccountPropertyName] = $property.Expected
}
else
{
Write-Verbose -Message (
$script:localizedData.RemovingComputerAccountProperty -f $property.ParameterName, ($property.Actual -join ''',''')
)
# Remove the current value since the desired value is empty or nothing.
$removeComputerProperties[$computerAccountPropertyName] = $property.Actual
}
}
$setADComputerParameters = $commonParameters.Clone()
# Set-ADComputer is only called if we have something to change.
if ($replaceComputerProperties.Count -gt 0 -or $removeComputerProperties.Count -gt 0)
{
if ($replaceComputerProperties.Count -gt 0)
{
$setADComputerParameters['Replace'] = $replaceComputerProperties
}
if ($removeComputerProperties.Count -gt 0)
{
$setADComputerParameters['Remove'] = $removeComputerProperties
}
Set-DscADComputer -Parameters $setADComputerParameters
Write-Verbose -Message (
$script:localizedData.UpdatedComputerAccount -f $ComputerName
)
}
}
elseif ($Ensure -eq 'Absent' -and $getTargetResourceResult.Ensure -eq 'Present')
{
# User exists and needs removing
Write-Verbose -Message (
$script:localizedData.RemovingComputerAccount -f $ComputerName
)
$removeADComputerParameters = Get-ADCommonParameters @PSBoundParameters
$removeADComputerParameters['Confirm'] = $false
Remove-ADComputer @removeADComputerParameters |
Out-Null
}
}
<#
.SYNOPSIS
This evaluates the service principal names current state against the
desired state.
.PARAMETER ExistingServicePrincipalNames
An array of existing service principal names that should be compared
against the array in parameter ServicePrincipalNames.
.PARAMETER ServicePrincipalNames
An array of the desired service principal names that should be compared
against the array in parameter ExistingServicePrincipalNames.
#>
function Test-ServicePrincipalNames
{
param
(
[Parameter(Mandatory = $true)]
[AllowEmptyCollection()]
[System.String[]]
$ExistingServicePrincipalNames,
[Parameter(Mandatory = $true)]
[AllowEmptyCollection()]
[AllowEmptyString()]
[System.String[]]
$ServicePrincipalNames
)
$testServicePrincipalNamesReturnValue = $true
$testMembersParameters = @{
ExistingMembers = $ExistingServicePrincipalNames
Members = $ServicePrincipalNames
}
if (-not (Test-Members @testMembersParameters))
{
Write-Verbose -Message (
$script:localizedData.ServicePrincipalNamesNotInDesiredState `
-f ($ExistingServicePrincipalNames -join ','), ($ServicePrincipalNames -join ',')
)
$testServicePrincipalNamesReturnValue = $false
}
else
{
Write-Verbose -Message (
$script:localizedData.ServicePrincipalNamesInDesiredState
)
}
return $testServicePrincipalNamesReturnValue
}
Export-ModuleMember -Function *-TargetResource