Changes to ADDomainController

- BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential` to `Credential` to better indicate that it is possible to impersonate any credential with enough permission to perform the task (issue dsccommunity#269).
johlju · Jul 29, 2019 · 7b5b0a3 · 7b5b0a3
1 parent c440190
commit 7b5b0a3
Show file tree

Hide file tree

Showing 14 changed files with 112 additions and 69 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -100,6 +100,9 @@
 - Changes to WaitForADDomain
   - Added comment-based help ([issue #341](https://github.com/PowerShell/ActiveDirectoryDsc/issues/341))
 - Changes to ADDomainController
+  - BREAKING CHANGE: Renamed the parameter `DomainAdministratorCredential`
+    to `Credential` to better indicate that it is possible to impersonate
+    any credential with enough permission to perform the task ([issue #269](https://github.com/PowerShell/ActiveDirectoryDsc/issues/269)).
   - Add support for creating Read-Only Domain Controller (RODC)
     ([issue #40](https://github.com/PowerShell/ActiveDirectoryDsc/issues/40)).
     [Svilen @SSvilen](https://github.com/SSvilen)

diff --git a/DSCResources/MSFT_ADComputer/en-US/about_ADComputer.help.txt b/DSCResources/MSFT_ADComputer/en-US/about_ADComputer.help.txt
@@ -106,7 +106,7 @@ Configuration ADComputer_AddComputerAccount_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $UserCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -117,15 +117,15 @@ Configuration ADComputer_AddComputerAccount_Config
         {
             ComputerName = 'SQL01'
 
-            PsDscRunAsCredential = $UserCredential
+            PsDscRunAsCredential = $Credential
         }
 
         ADComputer 'CreateEnabled_SQL02'
         {
             ComputerName      = 'SQL02'
             EnabledOnCreation = $true
 
-            PsDscRunAsCredential = $UserCredential
+            PsDscRunAsCredential = $Credential
         }
     }
 }
@@ -142,7 +142,7 @@ Configuration ADComputer_AddComputerAccountDisabled_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $UserCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -154,7 +154,7 @@ Configuration ADComputer_AddComputerAccountDisabled_Config
             ComputerName      = 'CLU_CNO01'
             EnabledOnCreation = $false
 
-            PsDscRunAsCredential = $UserCredential
+            PsDscRunAsCredential = $Credential
         }
     }
 }
@@ -172,7 +172,7 @@ Configuration ADComputer_AddComputerAccountSpecificPath_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $UserCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -184,7 +184,7 @@ Configuration ADComputer_AddComputerAccountSpecificPath_Config
             DomainController = 'DC01'
             ComputerName     = 'SQL01'
             Path             = 'OU=Servers,DC=contoso,DC=com'
-            Credential       = $UserCredential
+            Credential       = $Credential
         }
     }
 }
@@ -203,7 +203,7 @@ Configuration ADComputer_AddComputerAccountAndCreateODJRequest_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $UserCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -216,7 +216,7 @@ Configuration ADComputer_AddComputerAccountAndCreateODJRequest_Config
             ComputerName     = 'NANO-200'
             Path             = 'OU=Servers,DC=contoso,DC=com'
             RequestFile      = 'D:\ODJFiles\NANO-200.txt'
-            Credential       = $UserCredential
+            Credential       = $Credential
         }
     }
 }

diff --git a/DSCResources/MSFT_ADDomainController/MSFT_ADDomainController.psm1 b/DSCResources/MSFT_ADDomainController/MSFT_ADDomainController.psm1
@@ -13,7 +13,7 @@ $script:localizedData = Get-LocalizedData -ResourceName 'MSFT_ADDomainController
     .PARAMETER DomainName
         Provide the FQDN of the domain the Domain Controller is being added to.
 
-    .PARAMETER DomainAdministrationCredential
+    .PARAMETER Credential
         Specifies the credential for the account used to install the domain controller.
         This account must have permission to access the other domain controllers
         in the domain to be able replicate domain information.
@@ -45,7 +45,7 @@ function Get-TargetResource
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
@@ -72,7 +72,7 @@ function Get-TargetResource
 
     $getTargetResourceResult = @{
         DomainName                          = $DomainName
-        DomainAdministratorCredential       = $DomainAdministratorCredential
+        Credential                          = $Credential
         SafemodeAdministratorPassword       = $SafemodeAdministratorPassword
         Ensure                              = $false
         IsGlobalCatalog                     = $false
@@ -87,7 +87,7 @@ function Get-TargetResource
 
     try
     {
-        $domain = Get-ADDomain -Identity $DomainName -Credential $DomainAdministratorCredential
+        $domain = Get-ADDomain -Identity $DomainName -Credential $Credential
     }
     catch
     {
@@ -99,7 +99,7 @@ function Get-TargetResource
         $script:localizedData.DomainPresent -f $DomainName
     )
 
-    $domainControllerObject = Get-DomainControllerObject -DomainName $DomainName -ComputerName $env:COMPUTERNAME -Credential $DomainAdministratorCredential
+    $domainControllerObject = Get-DomainControllerObject -DomainName $DomainName -ComputerName $env:COMPUTERNAME -Credential $Credential
     if ($domainControllerObject)
     {
         Write-Verbose -Message (
@@ -143,7 +143,7 @@ function Get-TargetResource
     .PARAMETER DomainName
         Provide the FQDN of the domain the Domain Controller is being added to.
 
-    .PARAMETER DomainAdministrationCredential
+    .PARAMETER Credential
         Specifies the credential for the account used to install the domain controller.
         This account must have permission to access the other domain controllers
         in the domain to be able replicate domain information.
@@ -203,7 +203,7 @@ function Set-TargetResource
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
@@ -264,7 +264,7 @@ function Set-TargetResource
         $installADDSDomainControllerParameters = @{
             DomainName                    = $DomainName
             SafeModeAdministratorPassword = $SafemodeAdministratorPassword.Password
-            Credential                    = $DomainAdministratorCredential
+            Credential                    = $Credential
             NoRebootOnCompletion          = $true
             Force                         = $true
         }
@@ -339,7 +339,7 @@ function Set-TargetResource
             $script:localizedData.IsDomainController -f $env:COMPUTERNAME, $DomainName
         )
 
-        $domainControllerObject = Get-DomainControllerObject -DomainName $DomainName -ComputerName $env:COMPUTERNAME -Credential $DomainAdministratorCredential
+        $domainControllerObject = Get-DomainControllerObject -DomainName $DomainName -ComputerName $env:COMPUTERNAME -Credential $Credential
 
         # Check if Node Global Catalog state is correct
         if ($PSBoundParameters.ContainsKey('IsGlobalCatalog') -and $targetResource.IsGlobalCatalog -ne $IsGlobalCatalog)
@@ -371,7 +371,7 @@ function Set-TargetResource
 
             # DC is not in correct site. Move it.
             Write-Verbose -Message ($script:localizedData.MovingDomainController -f $targetResource.SiteName, $SiteName)
-            Move-ADDirectoryServer -Identity $env:COMPUTERNAME -Site $SiteName -Credential $DomainAdministratorCredential
+            Move-ADDirectoryServer -Identity $env:COMPUTERNAME -Site $SiteName -Credential $Credential
         }
 
         if ($PSBoundParameters.ContainsKey('AllowPasswordReplicationAccountName'))
@@ -478,7 +478,7 @@ function Set-TargetResource
     .PARAMETER DomainName
         Provide the FQDN of the domain the Domain Controller is being added to.
 
-    .PARAMETER DomainAdministrationCredential
+    .PARAMETER Credential
         Specifies the credential for the account used to install the domain controller.
         This account must have permission to access the other domain controllers
         in the domain to be able replicate domain information.
@@ -528,7 +528,7 @@ function Test-TargetResource
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential,
+        $Credential,
 
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
@@ -585,7 +585,7 @@ function Test-TargetResource
 
     if ($PSBoundParameters.ContainsKey('SiteName'))
     {
-        if (-not (Test-ADReplicationSite -SiteName $SiteName -DomainName $DomainName -Credential $DomainAdministratorCredential))
+        if (-not (Test-ADReplicationSite -SiteName $SiteName -DomainName $DomainName -Credential $Credential))
         {
             $errorMessage = $script:localizedData.FailedToFindSite -f $SiteName, $DomainName
             New-ObjectNotFoundException -Message $errorMessage

diff --git a/DSCResources/MSFT_ADDomainController/MSFT_ADDomainController.schema.mof b/DSCResources/MSFT_ADDomainController/MSFT_ADDomainController.schema.mof
@@ -2,7 +2,7 @@
 class MSFT_ADDomainController : OMI_BaseResource
 {
     [Key, Description("The fully qualified domain name (FQDN) of the domain the Domain Controller will be joining.")] String DomainName;
-    [Required, Description("The credentials (as a 'PSCredential' object) of a user that has Domain Administrator rights to add the Domain Controller to the domain."), EmbeddedInstance("MSFT_Credential")] String DomainAdministratorCredential;
+    [Required, Description("The credentials (as a 'PSCredential' object) of a user that has Domain Administrator rights to add the Domain Controller to the domain."), EmbeddedInstance("MSFT_Credential")] String Credential;
     [Required, Description("The 'PSCredential' object containing the password to use for Directory Services Restore Mode (DSRM)."), EmbeddedInstance("MSFT_Credential")] String SafemodeAdministratorPassword;
     [Write, Description("The path where the database will be stored.")] String DatabasePath;
     [Write, Description("The path where the logs will be stored.")] String LogPath;

diff --git a/DSCResources/MSFT_ADDomainController/en-US/about_ADDomainController.help.txt b/DSCResources/MSFT_ADDomainController/en-US/about_ADDomainController.help.txt
@@ -22,7 +22,7 @@
     Key - String
     The fully qualified domain name (FQDN) of the domain the Domain Controller will be joining.
 
-.PARAMETER DomainAdministratorCredential
+.PARAMETER Credential
     Required - String
     The credentials (as a 'PSCredential' object) of a user that has Domain Administrator rights to add the Domain Controller to the domain.
 
@@ -82,7 +82,12 @@ Configuration ADDomainController_AddDomainControllerToDomainMinimal_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential
+        $Credential,
+
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.Management.Automation.PSCredential]
+        $SafeModePassword
     )
 
     Import-DscResource -ModuleName PSDscResources
@@ -107,7 +112,7 @@ Configuration ADDomainController_AddDomainControllerToDomainMinimal_Config
         WaitForADDomain 'WaitForestAvailability'
         {
             DomainName           = 'contoso.com'
-            DomainUserCredential = $DomainAdministratorCredential
+            DomainUserCredential = $Credential
             RetryCount           = 10
             RetryIntervalSec     = 120
 
@@ -117,8 +122,8 @@ Configuration ADDomainController_AddDomainControllerToDomainMinimal_Config
         ADDomainController 'DomainControllerMinimal'
         {
             DomainName                    = 'contoso.com'
-            DomainAdministratorCredential = $DomainAdministratorCredential
-            SafemodeAdministratorPassword = $DomainAdministratorCredential
+            Credential                    = $Credential
+            SafeModeAdministratorPassword = $SafeModePassword
 
             DependsOn                     = '[WaitForADDomain]WaitForestAvailability'
         }
@@ -137,7 +142,12 @@ Configuration ADDomainController_AddDomainControllerToDomainAllProperties_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential
+        $Credential,
+
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.Management.Automation.PSCredential]
+        $SafeModePassword
     )
 
     Import-DscResource -ModuleName PSDscResources
@@ -162,7 +172,7 @@ Configuration ADDomainController_AddDomainControllerToDomainAllProperties_Config
         WaitForADDomain 'WaitForestAvailability'
         {
             DomainName           = 'contoso.com'
-            DomainUserCredential = $DomainAdministratorCredential
+            DomainUserCredential = $Credential
             RetryCount           = 10
             RetryIntervalSec     = 120
 
@@ -172,8 +182,8 @@ Configuration ADDomainController_AddDomainControllerToDomainAllProperties_Config
         ADDomainController 'DomainControllerAllProperties'
         {
             DomainName                    = 'contoso.com'
-            DomainAdministratorCredential = $DomainAdministratorCredential
-            SafemodeAdministratorPassword = $DomainAdministratorCredential
+            Credential                    = $Credential
+            SafeModeAdministratorPassword = $SafeModePassword
             DatabasePath                  = 'C:\Windows\NTDS'
             LogPath                       = 'C:\Windows\Logs'
             SysvolPath                    = 'C:\Windows\SYSVOL'
@@ -197,7 +207,12 @@ Configuration ADDomainController_AddDomainControllerToDomainUsingIFM_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential
+        $Credential,
+
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.Management.Automation.PSCredential]
+        $SafeModePassword
     )
 
     Import-DscResource -ModuleName PSDscResources
@@ -222,7 +237,7 @@ Configuration ADDomainController_AddDomainControllerToDomainUsingIFM_Config
         WaitForADDomain 'WaitForestAvailability'
         {
             DomainName           = 'contoso.com'
-            DomainUserCredential = $DomainAdministratorCredential
+            DomainUserCredential = $Credential
             RetryCount           = 10
             RetryIntervalSec     = 120
 
@@ -232,8 +247,8 @@ Configuration ADDomainController_AddDomainControllerToDomainUsingIFM_Config
         ADDomainController 'DomainControllerWithIFM'
         {
             DomainName                    = 'contoso.com'
-            DomainAdministratorCredential = $DomainAdministratorCredential
-            SafemodeAdministratorPassword = $DomainAdministratorCredential
+            Credential                    = $Credential
+            SafeModeAdministratorPassword = $SafeModePassword
             InstallationMediaPath         = 'F:\IFM'
 
             DependsOn                     = '[WaitForADDomain]WaitForestAvailability'
@@ -253,7 +268,12 @@ Configuration ADDomainController_AddReadOnlyDomainController_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $DomainAdministratorCredential
+        $Credential,
+
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.Management.Automation.PSCredential]
+        $SafeModePassword
     )
 
     Import-DscResource -ModuleName PSDscResources
@@ -278,7 +298,7 @@ Configuration ADDomainController_AddReadOnlyDomainController_Config
         WaitForADDomain 'WaitForestAvailability'
         {
             DomainName           = 'contoso.com'
-            DomainUserCredential = $DomainAdministratorCredential
+            DomainUserCredential = $Credential
             RetryCount           = 10
             RetryIntervalSec     = 120
 
@@ -288,8 +308,8 @@ Configuration ADDomainController_AddReadOnlyDomainController_Config
         ADDomainController 'Read-OnlyDomainController(RODC)'
         {
             DomainName                          = 'contoso.com'
-            DomainAdministratorCredential       = $DomainAdministratorCredential
-            SafemodeAdministratorPassword       = $DomainAdministratorCredential
+            Credential                          = $Credential
+            SafeModeAdministratorPassword       = $SafeModePassword
             ReadOnlyReplica                     = $true
             SiteName                            = 'Default-First-Site-Name'
             AllowPasswordReplicationAccountName = @('pvdi.test1', 'pvdi.test')

diff --git a/Examples/Resources/ADComputer/1-ADComputer_AddComputerAccount_Config.ps1 b/Examples/Resources/ADComputer/1-ADComputer_AddComputerAccount_Config.ps1
@@ -29,7 +29,7 @@ Configuration ADComputer_AddComputerAccount_Config
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
         [System.Management.Automation.PSCredential]
-        $UserCredential
+        $Credential
     )
 
     Import-DscResource -ModuleName ActiveDirectoryDsc
@@ -40,15 +40,15 @@ Configuration ADComputer_AddComputerAccount_Config
         {
             ComputerName = 'SQL01'
 
-            PsDscRunAsCredential = $UserCredential
+            PsDscRunAsCredential = $Credential
         }
 
         ADComputer 'CreateEnabled_SQL02'
         {
             ComputerName      = 'SQL02'
             EnabledOnCreation = $true
 
-            PsDscRunAsCredential = $UserCredential
+            PsDscRunAsCredential = $Credential
         }
     }
 }