From 339d3ebf451771f1cccb4ce6f708106a511bec31 Mon Sep 17 00:00:00 2001 From: John D Pell <52194+gaelicWizard@users.noreply.github.com> Date: Sun, 16 May 2021 23:08:35 -0400 Subject: [PATCH 1/4] Don't assume UserName is SamAccountName Fix New-ADUser to use '-Name' instead of '-SamAccountName' for specifying the user account name. Change parameter descriptions to clarify that UserName can be more than just SamAccountName. --- source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 | 11 +++++++---- .../DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof | 3 ++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 index 3cd3e04f0..c47c2ecd9 100644 --- a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 +++ b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 @@ -27,7 +27,8 @@ $adPropertyMap = (Import-PowerShellDataFile -Path $adPropertyMapPath).Parameters Name of the domain where the user account is located (only used if password is managed). .PARAMETER UserName - Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName'). + Specifies the account name of the user. (You can identify a user by its distinguished + name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name.) .PARAMETER DomainController Specifies the Active Directory Domain Services instance to use to perform the task. @@ -185,7 +186,8 @@ function Get-TargetResource Name of the domain where the user account is located (only used if password is managed). .PARAMETER UserName - Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName'). + Specifies the account name of the user. (You can identify a user by its distinguished + name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name.) .PARAMETER Password Specifies a new password value for the account. @@ -869,7 +871,8 @@ function Test-TargetResource Name of the domain where the user account is located (only used if password is managed). .PARAMETER UserName - Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName'). + Specifies the account name of the user. (You can identify a user by its distinguished + name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name.) .PARAMETER Password Specifies a new password value for the account. @@ -1506,7 +1509,7 @@ function Set-TargetResource Write-Debug -Message ('New-ADUser Parameters:' + ($newADUserParams | Out-String)) - $newADUser = New-ADUser @newADUserParams -SamAccountName $UserName -Passthru + $newADUser = New-ADUser @newADUserParams -Name $UserName -Passthru if ($updateCnRequired) { diff --git a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof index be736b0ad..ddb18f145 100644 --- a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof +++ b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof @@ -2,7 +2,8 @@ class MSFT_ADUser : OMI_BaseResource { [Key, Description("Name of the domain where the user account is located (only used if password is managed).")] String DomainName; - [Key, Description("Specifies the Security Account Manager (SAM) account name of the user (ldapDisplayName 'sAMAccountName').")] String UserName; + [Key, Description("Specifies the account name of the user. (You can identify a user by its distinguished + name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name.)")] String UserName; [Write, Description("Specifies a new password value for the account."), EmbeddedInstance("MSFT_Credential")] String Password; [Write, Description("Specifies whether the user account should be present or absent. Default value is 'Present'."), ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure; [Write, Description("Specifies the common name assigned to the user account (ldapDisplayName 'cn'). If not specified the default value will be the same value provided in parameter UserName.")] String CommonName; From 69af909a1641106eac410ba52a5d6b2aba23e863 Mon Sep 17 00:00:00 2001 From: John D Pell <52194+gaelicWizard@users.noreply.github.com> Date: Sun, 16 May 2021 22:31:01 -0400 Subject: [PATCH 2/4] ADUser: Add SamAccountName property Add SamAccountName property to allow setting the name of the user; this requires that the UserName property be specified with something other than the SamAccountName (e.g., the SID, DN, &c.). --- .../MSFT_ADUser/MSFT_ADUser.PropertyMap.psd1 | 6 +++++ .../DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 | 24 +++++++++++++++---- .../MSFT_ADUser/MSFT_ADUser.schema.mof | 6 ++--- 3 files changed, 29 insertions(+), 7 deletions(-) diff --git a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.PropertyMap.psd1 b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.PropertyMap.psd1 index b9b27d971..e5a98dea0 100644 --- a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.PropertyMap.psd1 +++ b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.PropertyMap.psd1 @@ -18,6 +18,12 @@ UseCmdletParameter = $false Array = $false } + @{ + Parameter = 'SamAccountName' + ADProperty = 'SamAccountName' + UseCmdletParameter = $true + Array = $false + } @{ Parameter = 'Path' ADProperty = 'distinguishedName' diff --git a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 index c47c2ecd9..65935d704 100644 --- a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 +++ b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.psm1 @@ -187,7 +187,7 @@ function Get-TargetResource .PARAMETER UserName Specifies the account name of the user. (You can identify a user by its distinguished - name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name.) + name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name.) .PARAMETER Password Specifies a new password value for the account. @@ -205,6 +205,9 @@ function Get-TargetResource .PARAMETER DisplayName Specifies the display name of the object (ldapDisplayName 'displayName'). + .PARAMETER SamAccountName + Specifies the SamAccountName of the object (ldapDisplayName 'SamAccountName'). + .PARAMETER Path Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. @@ -305,7 +308,7 @@ function Get-TargetResource .PARAMETER LogonWorkstations Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Account Manager (SAM) account name - (sAMAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of + (SamAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer (ldapDisplayName 'userWorkStations'). .PARAMETER Organization @@ -434,6 +437,11 @@ function Test-TargetResource [System.String] $DisplayName, + [Parameter()] + [ValidateNotNull()] + [System.String] + $SamAccountName, + [Parameter()] [ValidateNotNull()] [System.String] @@ -872,7 +880,7 @@ function Test-TargetResource .PARAMETER UserName Specifies the account name of the user. (You can identify a user by its distinguished - name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name.) + name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name.) .PARAMETER Password Specifies a new password value for the account. @@ -890,6 +898,9 @@ function Test-TargetResource .PARAMETER DisplayName Specifies the display name of the object (ldapDisplayName 'displayName'). + .PARAMETER SamAccountName + Specifies the SamAccountName of the object (ldapDisplayName 'SamAccountName'). + .PARAMETER Path Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created. @@ -990,7 +1001,7 @@ function Test-TargetResource .PARAMETER LogonWorkstations Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Account Manager (SAM) account name - (sAMAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of + (SamAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer (ldapDisplayName 'userWorkStations'). .PARAMETER Organization @@ -1128,6 +1139,11 @@ function Set-TargetResource [System.String] $DisplayName, + [Parameter()] + [ValidateNotNull()] + [System.String] + $SamAccountName, + [Parameter()] [ValidateNotNull()] [System.String] diff --git a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof index ddb18f145..e2b98e40e 100644 --- a/source/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof +++ b/source/DSCResources/MSFT_ADUser/MSFT_ADUser.schema.mof @@ -2,13 +2,13 @@ class MSFT_ADUser : OMI_BaseResource { [Key, Description("Name of the domain where the user account is located (only used if password is managed).")] String DomainName; - [Key, Description("Specifies the account name of the user. (You can identify a user by its distinguished - name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name.)")] String UserName; + [Key, Description("Specifies the account name of the user. (You can identify a user by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name.)")] String UserName; [Write, Description("Specifies a new password value for the account."), EmbeddedInstance("MSFT_Credential")] String Password; [Write, Description("Specifies whether the user account should be present or absent. Default value is 'Present'."), ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure; [Write, Description("Specifies the common name assigned to the user account (ldapDisplayName 'cn'). If not specified the default value will be the same value provided in parameter UserName.")] String CommonName; [Write, Description("Specifies the User Principal Name (UPN) assigned to the user account (ldapDisplayName 'userPrincipalName').")] String UserPrincipalName; [Write, Description("Specifies the display name of the object (ldapDisplayName 'displayName').")] String DisplayName; + [Write, Description("Specifies the SamAccountName of the object (ldapDisplayName 'SamAccountName').")] String SamAccountName; [Write, Description("Specifies the X.500 path of the Organizational Unit (OU) or container where the new object is created.")] String Path; [Write, Description("Specifies the user's given name (ldapDisplayName 'givenName').")] String GivenName; [Write, Description("Specifies the initials that represent part of a user's name (ldapDisplayName 'initials').")] String Initials; @@ -41,7 +41,7 @@ class MSFT_ADUser : OMI_BaseResource [Write, Description("Specifies the user's pager number (ldapDisplayName 'pager').")] String Pager; [Write, Description("Specifies the user's IP telephony phone number (ldapDisplayName 'ipPhone').")] String IPPhone; [Write, Description("Specifies the user's manager specified as a Distinguished Name (ldapDisplayName 'manager').")] String Manager; - [Write, Description("Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Account Manager (SAM) account name (sAMAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer. The LDAP display name (ldapDisplayName) for this property is userWorkStations.")] String LogonWorkstations; + [Write, Description("Specifies the computers that the user can access. To specify more than one computer, create a single comma-separated list. You can identify a computer by using the Security Account Manager (SAM) account name (SamAccountName) or the DNS host name of the computer. The SAM account name is the same as the NetBIOS name of the computer. The LDAP display name (ldapDisplayName) for this property is userWorkStations.")] String LogonWorkstations; [Write, Description("Specifies the user's organization. This parameter sets the Organization property of a user object. The LDAP display name (ldapDisplayName) of this property is 'o'.")] String Organization; [Write, Description("Specifies a name in addition to a user's given name and surname, such as the user's middle name. This parameter sets the OtherName property of a user object. The LDAP display name (ldapDisplayName) of this property is 'middleName'.")] String OtherName; [Write, Description("Specifies if the account is enabled. Default value is $true.")] Boolean Enabled; From 3d9eeb746a9ed513a1c4eac08460467c7b2fcbe6 Mon Sep 17 00:00:00 2001 From: John D Pell Date: Sat, 22 May 2021 18:45:20 -0400 Subject: [PATCH 3/4] Add SamAccountName property to ADUser --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0b2571b6..02dbedf00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md) - ADGroup - Refactored Module. - Refactored Unit and Integration Tests. +- ADUser + - Added SamAccountName property. ### Added From 48b01e1a0ae1c3a9e314ffb25aa64c2efe89faec Mon Sep 17 00:00:00 2001 From: John D Pell Date: Sat, 22 May 2021 19:14:16 -0400 Subject: [PATCH 4/4] ADUser: test SamAccountName parameter --- tests/Unit/MSFT_ADUser.Tests.ps1 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/Unit/MSFT_ADUser.Tests.ps1 b/tests/Unit/MSFT_ADUser.Tests.ps1 index 4cd8bec88..d2665b545 100644 --- a/tests/Unit/MSFT_ADUser.Tests.ps1 +++ b/tests/Unit/MSFT_ADUser.Tests.ps1 @@ -58,6 +58,7 @@ try Path = $mockPath DistinguishedName = "CN=$UserName,$mockPath" DisplayName = 'Test User' + SamAccountName = $UserName Initials = 'T' Enabled = $true GivenName = 'Test' @@ -114,7 +115,7 @@ try $mockAbsentResource = @{ DomainName = 'contoso.com' - UserName = 'TestUser' + UserName = $UserName Path = $null DistinguishedName = $null DisplayName = $null @@ -175,6 +176,7 @@ try $mockChangedResource = @{ Path = 'OU=Staff,DC=contoso,DC=com' DisplayName = 'Test User Changed' + SamAccountName = 'TestUserChanged' Initials = 'S' Enabled = $false GivenName = 'Test Changed' @@ -226,7 +228,7 @@ try } $mockGetADUserResult = @{ - samAccountName = $mockResource.UserName + samAccountName = $mockResource.SamAccountName cn = $mockResource.CommonName UserPrincipalName = $mockResource.UserPrincipalName DisplayName = $mockResource.DisplayName