Merge pull request #107 from ActiveDirectoryManagementFramework/july25

1.9.227

Author: FriedrichWeinmann

.gitignore

@@ -19,4 +19,7 @@ DomainManagement/DomainManagement.psproj
 TestResults/*
 
 # ignore the publishing Directory
-publish/*
+publish/*
+
+# Local Planning Folder
+planning/*

DomainManagement/DomainManagement.psd1

@@ -3,7 +3,7 @@
 	RootModule         = 'DomainManagement.psm1'
 
 	# Version number of this module.
-	ModuleVersion      = '1.9.218'
+	ModuleVersion      = '1.9.228'
 
 	# ID used to uniquely identify this module
 	GUID               = '0a405382-ebc2-445b-8325-541535810193'

DomainManagement/changelog.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 1.9.228 (2025-10-02)
+
+- Upd: Group Memberships - added option "ConfigOnly", allowing to define the group processing mode, without specifying any actual memberships.
+- Upd: Group Memberships - added option "GroupOptional", disabling the warning message if the group does not exist
+- Upd: Organizational Units - test results sorted correctly for invocation already during test, to help with Invoke-AdmfItem execution.
+- Upd: Users - UserPrincipalName made optional, $null and empty string are now considered equal.
+- Upd: Users - Added support for DomainData in name resolution
+- Fix: Access Rules - in additive mode, Restore changes should not be generated
+- Fix: Organizational Units - test results not sorted correctly during invocation, when specifying explicit results to invoke (#101)
+- Fix: Organizational Units - Group Policy Inheritance fails to correctly detect its state, when gpOptions are set to 0 instead of $null
+- Fix: Users - A user without a UserAccountControl property will fail all PasswordNeverExpires comparissons, no matter the configuration
+- Fix: Wmi Filter - fails to apply filters with a single query correctly on Windows PowerShell
+
 ## 1.9.218 (2025-05-28)
 
 - Upd: Organizational Units - added ability to define GP inheritance blocking. Defaults to NOT block.

DomainManagement/functions/AccessRule/Register-DMAccessRule.ps1

@@ -33,6 +33,11 @@
 	
 	.PARAMETER InheritanceType
 		How the Access Rule is being inherited.
+		None: Indicates no inheritance. The ACE information is only used on the object on which the ACE is set. ACE information is not inherited by any descendents of the object.
+		All: Indicates inheritance that includes the object to which the ACE is applied, the object's immediate children, and the descendents of the object's children.
+		Descendents: Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself.
+		SelfAndChildren: Indicates inheritance that includes the object itself and its immediate children. It does not include the descendents of its children.
+		Children: Indicates inheritance that includes the object's immediate children only, not the object itself or the descendents of its children.
 	
 	.PARAMETER InheritedObjectType
 		Name or Guid of property or right affected by this rule.

DomainManagement/functions/gplinks/Invoke-DMGPLink.ps1

@@ -227,4 +227,4 @@
 		}
 		#endregion Executing Test-Results
 	}
-}
+}

DomainManagement/functions/groupmemberships/Register-DMGroupMembership.ps1

@@ -25,6 +25,11 @@
 	
 	.PARAMETER Group
 		The group to define members for.
+
+	.PARAMETER GroupOptional
+		Group needs not exist.
+		If this is set to true for all assignments to a group, the group need not actually exist, disabling the corresponding error message.
+		This also always applies to groups with no assignments.
 	
 	.PARAMETER Empty
 		Whether the specified group should be empty.
@@ -44,6 +49,9 @@
 		- Constrained: Existing Group Memberships not defined will be removed
 		- Additive: Group Memberships defined will be applied, but non-configured memberships will be ignored.
 		If no setting is defined, it will default to 'Constrained'
+
+	.PARAMETER ConfigOnly
+		Define only the Group Processing Mode, without making any statement about actual memberships.
 	
 	.PARAMETER ContextName
 		The name of the context defining the setting.
@@ -55,7 +63,7 @@
 		
 		Imports all defined groupmemberships from the targeted json configuration file.
 #>
-	
+	[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
 	[CmdletBinding(DefaultParameterSetName = 'Entry')]
 	param (
 		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
@@ -78,8 +86,12 @@
 		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
 		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Category')]
 		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Empty')]
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Config')]
 		[string]
 		$Group,
+
+		[bool]
+		$GroupOptional,
 
 		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Empty')]
 		[bool]
@@ -90,10 +102,17 @@
 		[string]
 		$Mode = 'Default',
 
-		[Parameter(ValueFromPipelineByPropertyName = $true)]
+		[Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
+		[Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Category')]
+		[Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Empty')]
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Config')]
 		[ValidateSet('Constrained', 'Additive')]
 		[string]
 		$GroupProcessingMode,
+
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Config')]
+		[switch]
+		$ConfigOnly,
 
 		[string]
 		$ContextName = '<Undefined>'
@@ -105,22 +124,24 @@
 		}
 		if ($Name) {
 			$script:groupMemberShips[$Group]["$($ItemType):$($Name)"] = [PSCustomObject]@{
-				PSTypeName  = 'DomainManagement.GroupMembership'
-				Name        = $Name
-				Domain      = $Domain
-				ItemType    = $ItemType
-				Group       = $Group
-				Mode        = $Mode
-				ContextName = $ContextName
+				PSTypeName    = 'DomainManagement.GroupMembership'
+				Name          = $Name
+				Domain        = $Domain
+				ItemType      = $ItemType
+				Group         = $Group
+				GroupOptional = $GroupOptional
+				Mode          = $Mode
+				ContextName   = $ContextName
 			}
 		}
 		elseif ($ObjectCategory) {
 			$script:groupMemberShips[$Group]["ObjectCategory:$($ObjectCategory)"] = [PSCustomObject]@{
-				PSTypeName  = 'DomainManagement.GroupMembership'
-				Category    = $ObjectCategory
-				Group       = $Group
-				Mode        = $Mode
-				ContextName = $ContextName
+				PSTypeName    = 'DomainManagement.GroupMembership'
+				Category      = $ObjectCategory
+				Group         = $Group
+				GroupOptional = $GroupOptional
+				Mode          = $Mode
+				ContextName   = $ContextName
 			}
 		}
 		elseif ($Empty) {

DomainManagement/functions/groupmemberships/Test-DMGroupMembership.ps1

@@ -123,8 +123,10 @@
 
 			#region Resolve Assignments
 			$failedResolveAssignment = $false
+			$groupNeedsNotExist = $true
 			$assignments = foreach ($assignment in $script:groupMemberShips[$groupMembershipName].Values) {
 				if ($assignment.PSObject.TypeNames -contains 'DomainManagement.GroupMembership.Configuration') { continue }
+				if (-not $assignment.GroupOptional) { $groupNeedsNotExist = $false }
 
 				#region Explicit Entity
 				if ($assignment.Name) {
@@ -194,7 +196,13 @@
 				$null = $groupsProcessed.Add($adObject.SamAccountName)
 				$adMembers = Get-GroupMember -ADObject $adObject -Parameters $parameters
 			}
-			catch { Stop-PSFFunction -String 'Test-DMGroupMembership.Group.Access.Failed' -StringValues $resolvedGroupName -ErrorRecord $_ -EnableException $EnableException -Continue }
+			catch {
+				if ($groupNeedsNotExist) {
+					Write-PSFMessage -Level Debug -String 'Test-DMGroupMembership.Group.Access.Failed' -StringValues $resolvedGroupName -ErrorRecord $_
+					continue
+				}
+				Stop-PSFFunction -String 'Test-DMGroupMembership.Group.Access.Failed' -StringValues $resolvedGroupName -ErrorRecord $_ -EnableException $EnableException -Continue
+			}
 			#endregion Check Current AD State
 
 			#region Compare Assignments to existing state

DomainManagement/functions/organizationalunits/Invoke-DMOrganizationalUnit.ps1

@@ -75,10 +75,10 @@
 		}
 		#endregion Sort Script
 		if (-not $InputObject) {
-			$InputObject = Test-DMOrganizationalUnit @parameters | Sort-Object $sortScript -Descending
+			$InputObject = Test-DMOrganizationalUnit @parameters
 		}
 
-		:main foreach ($testItem in $InputObject) {
+		:main foreach ($testItem in $InputObject | Sort-Object $sortScript -Descending) {
 			# Catch invalid input - can only process test results
 			if ($testItem.PSObject.TypeNames -notcontains 'DomainManagement.OrganizationalUnit.TestResult') {
 				Stop-PSFFunction -String 'General.Invalid.Input' -StringValues 'Test-DMOrganizationalUnit', $testItem -Target $testItem -Continue -EnableException $EnableException

DomainManagement/functions/organizationalunits/Test-DMOrganizationalUnit.ps1

@@ -35,11 +35,18 @@
 		Invoke-Callback @parameters -Cmdlet $PSCmdlet
 		Assert-Configuration -Type OrganizationalUnits -Cmdlet $PSCmdlet
 		Set-DMDomainContext @parameters
+
+		#region Sort Script
+		$sortScript = {
+			if ($_.Type -eq 'ShouldDelete') { $_.ADObject.DistinguishedName.Split(",").Count }
+			else { 1000 - $_.Identity.Split(",").Count }
+		}
+		#endregion Sort Script
 	}
 	process
 	{
 		#region Process Configured OUs
-		:main foreach ($ouDefinition in $script:organizationalUnits.Values) {
+		$results = :main foreach ($ouDefinition in $script:organizationalUnits.Values) {
 			$resolvedDN = Resolve-String -Text $ouDefinition.DistinguishedName
 
 			$resultDefaults = @{
@@ -98,9 +105,9 @@
 
 			[System.Collections.ArrayList]$changes = @()
 			Compare-Property -Property Description -Configuration $ouDefinition -ADObject $adObject -Changes $changes -Resolve -AsString -AsUpdate -Type OrganizationalUnit
-			$gpInheritIntended = $null
+			$gpInheritIntended = $null, 0
 			if ($ouDefinition.BlockGPInheritance) { $gpInheritIntended = 1 }
-			if ($gpInheritIntended -ne $adObject.gpOptions) {
+			if ($adObject.gpOptions -notin $gpInheritIntended) {
 				$null = $changes.Add(
 					(New-Change -Property 'GPBlocked' -Identity $adObject.DistinguishedName -Type OrganizationalUnit -NewValue $ouDefinition.BlockGPInheritance -OldValue (-not $ouDefinition.BlockGPInheritance))
 				)
@@ -112,7 +119,10 @@
 		}
 		#endregion Process Configured OUs
 
-		if ($script:contentMode.ExcludeComponents.OrganizationalUnits) { return }
+		if ($script:contentMode.ExcludeComponents.OrganizationalUnits) {
+			$results | Sort-Object $sortScript
+			return
+		}
 
 		#region Process Managed Containers
 		$foundOUs = foreach ($searchBase in (Resolve-ContentSearchBase @parameters -IgnoreMissingSearchbase)) {
@@ -126,11 +136,13 @@
 			ObjectType = 'OrganizationalUnit'
 		}
 
-		foreach ($existingOU in $foundOUs) {
+		$resultsDelete = foreach ($existingOU in $foundOUs) {
 			if ($existingOU.DistinguishedName -in $resolvedConfiguredNames) { continue } # Ignore configured OUs - they were previously configured for moving them, if they should not be in these containers
 
 			New-TestResult @resultDefaults -Type Delete -ADObject $existingOU -Identity $existingOU.DistinguishedName
 		}
+
+		$results, $resultsDelete | Remove-PSFNull -Enumerate | Sort-Object $sortScript
 		#endregion Process Managed Containers
 	}
 }

DomainManagement/functions/users/Invoke-DMUser.ps1

@@ -72,29 +72,29 @@
 					} -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet -Continue
 				}
 				'Create' {
-					$targetOU = Resolve-String -Text $testItem.Configuration.Path
+					$targetOU = Resolve-String -Text $testItem.Configuration.Path @parameters
 					try { $null = Get-ADObject @parameters -Identity $targetOU -ErrorAction Stop }
 					catch { Stop-PSFFunction -String 'Invoke-DMUser.User.Create.OUExistsNot' -StringValues $targetOU, $testItem.Identity -Target $testItem -EnableException $EnableException -Continue -ContinueLabel main }
 					Invoke-PSFProtectedCommand -ActionString 'Invoke-DMUser.User.Create' -Target $testItem -ScriptBlock {
 						$newParameters = $parameters.Clone()
 						$newParameters += @{
-							Name = (Resolve-String -Text $testItem.Configuration.SamAccountName)
-							SamAccountName = (Resolve-String -Text $testItem.Configuration.SamAccountName)
-							UserPrincipalName = (Resolve-String -Text $testItem.Configuration.UserPrincipalName)
+							Name = (Resolve-String -Text $testItem.Configuration.SamAccountName @parameters)
+							SamAccountName = (Resolve-String -Text $testItem.Configuration.SamAccountName @parameters)
+							UserPrincipalName = (Resolve-String -Text $testItem.Configuration.UserPrincipalName @parameters)
 							PasswordNeverExpires = $testItem.Configuration.PasswordNeverExpires
 							Path = $targetOU
 							AccountPassword = (New-Password -Length 128 -AsSecureString)
 							Enabled = $testItem.Configuration.Enabled # Both True and Undefined will result in $true
 							Confirm = $false
 						}
-						if ($testItem.Configuration.Description) { $newParameters['Description'] = Resolve-String -Text $testItem.Configuration.Description }
-						if ($testItem.Configuration.GivenName) { $newParameters['GivenName'] = Resolve-String -Text $testItem.Configuration.GivenName }
-						if ($testItem.Configuration.Surname) { $newParameters['Surname'] = Resolve-String -Text $testItem.Configuration.Surname }
+						if ($testItem.Configuration.Description) { $newParameters['Description'] = Resolve-String -Text $testItem.Configuration.Description @parameters }
+						if ($testItem.Configuration.GivenName) { $newParameters['GivenName'] = Resolve-String -Text $testItem.Configuration.GivenName @parameters }
+						if ($testItem.Configuration.Surname) { $newParameters['Surname'] = Resolve-String -Text $testItem.Configuration.Surname @parameters }
 
 						# Other Attributes
 						$otherAttributes = @{}
 						foreach ($attribute in $testItem.Configuration.Attributes.Keys) { $otherAttributes[$attribute] = $testItem.Configuration.Attributes.$attribute }
-						foreach ($attribute in $testItem.Configuration.AttributesResolved.Keys) { $otherAttributes[$attribute] = Resolve-String -Text $testItem.Configuration.AttributesResolved.$attribute }
+						foreach ($attribute in $testItem.Configuration.AttributesResolved.Keys) { $otherAttributes[$attribute] = Resolve-String -Text $testItem.Configuration.AttributesResolved.$attribute @parameters }
 						if ($otherAttributes.Count -gt 0) { $newParameters.OtherAttributes = $otherAttributes }
 
 						New-ADUser @newParameters
@@ -104,16 +104,16 @@
 					Stop-PSFFunction -String 'Invoke-DMUser.User.MultipleOldUsers' -StringValues $testItem.Identity, ($testItem.ADObject.Name -join ', ') -Target $testItem -EnableException $EnableException -Continue -Tag 'user', 'critical', 'panic'
 				}
 				'Rename' {
-					Invoke-PSFProtectedCommand -ActionString 'Invoke-DMUser.User.Rename' -ActionStringValues (Resolve-String -Text $testItem.Configuration.SamAccountName) -Target $testItem -ScriptBlock {
+					Invoke-PSFProtectedCommand -ActionString 'Invoke-DMUser.User.Rename' -ActionStringValues (Resolve-String -Text $testItem.Configuration.SamAccountName @parameters) -Target $testItem -ScriptBlock {
 						Set-ADUser @parameters -Identity $testItem.ADObject.ObjectGUID -SamAccountName $testItem.Configuration.SamAccountName -ErrorAction Stop
-						if ($testItem.ADObject.Name -ne (Resolve-String -Text $testItem.Configuration.Name)) {
-							Rename-ADObject @parameters -Identity $testItem.ADObject.ObjectGUID -NewName (Resolve-String -Text $testItem.Configuration.Name) -ErrorAction Stop
+						if ($testItem.ADObject.Name -ne (Resolve-String -Text $testItem.Configuration.Name @parameters)) {
+							Rename-ADObject @parameters -Identity $testItem.ADObject.ObjectGUID -NewName (Resolve-String -Text $testItem.Configuration.Name @parameters) -ErrorAction Stop
 						}
 					} -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet -Continue
 				}
 				'Changed' {
 					if ($testItem.Changed.Property -contains 'Path') {
-						$targetOU = Resolve-String -Text $testItem.Configuration.Path
+						$targetOU = Resolve-String -Text $testItem.Configuration.Path @parameters
 						try { $null = Get-ADObject @parameters -Identity $targetOU -ErrorAction Stop }
 						catch { Stop-PSFFunction -String 'Invoke-DMUser.User.Update.OUExistsNot' -StringValues $testItem.Identity, $targetOU -Target $testItem -EnableException $EnableException -Continue -ContinueLabel main }
 
@@ -141,8 +141,8 @@
 						} -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
 					}
 					if ($testItem.Changed.Property -contains 'Name') {
-						Invoke-PSFProtectedCommand -ActionString 'Invoke-DMUser.User.Update.Name' -ActionStringValues (Resolve-String -Text $testItem.Configuration.Name) -Target $testItem -ScriptBlock {
-							Rename-ADObject @parameters -Identity $testItem.ADObject.ObjectGUID -NewName (Resolve-String -Text $testItem.Configuration.Name) -ErrorAction Stop -Confirm:$false
+						Invoke-PSFProtectedCommand -ActionString 'Invoke-DMUser.User.Update.Name' -ActionStringValues (Resolve-String -Text $testItem.Configuration.Name @parameters) -Target $testItem -ScriptBlock {
+							Rename-ADObject @parameters -Identity $testItem.ADObject.ObjectGUID -NewName (Resolve-String -Text $testItem.Configuration.Name @parameters) -ErrorAction Stop -Confirm:$false
 						} -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
 					}
 					if ($testItem.Changed.Property -contains 'PasswordNeverExpires') {