Skip to content

microsoft/ActiveDirectoryTierModel

Repository files navigation

πŸ›οΈ Tier Model

Declarative PowerShell framework to deploy and audit an Active Directory Tier Model (OUs, Groups, Users, ACL Delegations, GPOs, ADMX, MSA/gMSA/dMSA Permissions) from a single version-controlled JSON configuration file. Supports idempotent re-runs, drift detection, and reproducible builds via pinned dependency versions.

πŸ—οΈ Built with the Specify Framework - Test-driven development ensuring quality and reliability

🎯 Goals

  • πŸ”’ Safe, repeatable deployments (WhatIf planning + convergent apply)
  • πŸ“Š Drift auditing & reporting (hash provenance + structured findings)
  • 🧩 Modular, test-first architecture (Pester enforced)
  • πŸ“¦ Version governance for dependencies & configuration schema

πŸ“š Documentation

πŸ“– Full documentation: GitHub Pages - Active Directory Tier Model

To get started with TierModel, please refer to our comprehensive documentation:

πŸš€ Getting Started

  • Quick Deployment Guide - Fast-track deployment for experienced administrators
  • Detailed Deployment Guide - Step-by-step deployment with explanations
  • FAQ - Frequently asked questions covering upgrades, migration from previous versions, troubleshooting, and Sentinel integration

πŸ“– Core Documentation

πŸ”§ Technical Specifications

πŸ§ͺ Testing & Quality Assurance

Current Test Status: βœ… ALL TESTS PASSING (Last run: June 4, 2026)

Test Suite Test Files Test Cases Status Coverage
Unit Tests 15 files 1,091 tests βœ… 100% Pass 91.6%
Integration Tests 6 files 201 tests βœ… 100% Pass 100%
Manual Integration Tests 1 file 311 tests βœ… 100% Pass 100%
Total 22 files 1,603 tests βœ… All Passing 91.6%

Test Coverage Highlights

  • βœ… 58/58 production files have comprehensive test coverage (12 new MSA/gMSA/dMSA cmdlets added in Phase 16)
  • βœ… 100% of all automated 1,292 test cases passing
  • βœ… 100% of all manual 311 test cases passing
  • βœ… 91.6% overall line coverage (10,444 / 11,389 commands) β€” all files at 80%+, MSA/gMSA/dMSA at 90%+
  • βœ… Get-TierModelConditionalGroupNames β€” new function with full test coverage (6 unit tests)
  • βœ… New in Phase 16: Unit test files for MSA/gMSA/dMSA ACL operations (Unit.MsaAclOperations.Tests.ps1, Unit.GmsaAclOperations.Tests.ps1, Unit.DmsaAclOperations.Tests.ps1)
  • βœ… Mock-based testing (no Active Directory connectivity required)
  • βœ… WhatIf support validation across all deployment operations

Running Tests

# Run all tests
.\tests\Invoke-AllTests.ps1

# Run unit tests only
.\tests\Invoke-AllTests.ps1 -TestType Unit

# Run integration tests only
.\tests\Invoke-AllTests.ps1 -TestType Integration

# Show only failures (useful for large test runs)
.\tests\Invoke-AllTests.ps1 -FailedOnly

# Run with detailed output
.\tests\Invoke-AllTests.ps1 -Detailed

Deployment Scripts

Script Purpose Optional Features
Deploy-TierModel.ps1 πŸš€ Deploy with scoped execution -IncludeMsa, -IncludeGmsa, -IncludeDmsa (Managed Service Account ACL delegation)
Audit-TierModel.ps1 πŸ“Š Audit and compliance checking -IncludeMsa, -IncludeGmsa, -IncludeDmsa (Managed Service Account ACL audit)

🀝 Contributing

Contributions are welcome! Before submitting a pull request, you must ensure:

  1. βœ… All Pester tests pass β€” the CI pipeline will reject any PR with failing tests
  2. πŸ§ͺ New or updated tests are included β€” any new code or bug fix must include corresponding test cases to maintain or improve code coverage
  3. πŸ“Š Code coverage stays at or above 80% β€” the CI enforces a minimum coverage threshold; if your changes reduce coverage below 80%, add tests until coverage is restored
  4. πŸ“ Documentation is updated for any new or changed functionality
  5. 🎯 Code follows project conventions

Note: The packaging step will not produce a release artifact unless all tests pass and coverage meets the minimum threshold.

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit Contributor License Agreements.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Development Setup

# Clone repository
git clone https://github.com/microsoft/ActiveDirectoryTierModel.git
cd ActiveDirectoryTierModel

# Run tests locally before submitting a PR
.\tests\Invoke-AllTests.ps1

πŸ“‹ Prerequisites

  • PowerShell: 7.0+
  • Elevation: Administrator privileges required
  • Domain Admin: Membership in Domain Admins group
  • Modules: ActiveDirectory, GroupPolicy (see config/dependencies.json)

For detailed prerequisite validation, run Test-TierModelPrerequisites

πŸ”— Additional Resources


Version: 1.1.0 | License: MIT | Status: βœ… Production Ready

πŸš€ Releasing

This project uses semantic versioning (MAJOR.MINOR.PATCH) and tag-based releases.

Bump When Example
PATCH (1.0.1) Bug fix, typo, doc correction Fix broken ACL rule
MINOR (1.1.0) New feature, backward-compatible Add WinLAPS parameter
MAJOR (2.0.0) Breaking change Restructure config schema

Creating a release

  1. Ensure all changes are merged to main and CI is green
  2. Tag the release:
    git tag v1.1.0
    git push origin v1.1.0
  3. The CI pipeline will automatically:
    • Run all tests and enforce code coverage (80% minimum)
    • Create a TierModel-1.1.0.zip release asset
    • Publish a GitHub Release with auto-generated release notes

You can also create a release from the GitHub UI: Releases β†’ Create a new release β†’ enter the tag name (e.g. v1.1.0).

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

About

Deployment of an Active Directory Tier Model structure to support Tier 0, Tier 1, and Tier 2 objects.

Resources

License

Code of conduct

Security policy

Stars

3 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors