ActiveDirectoryManagementFramework
diff --git a/‎DomainManagement/DomainManagement.psd1‎
Lines changed: 1 addition & 1 deletion b/‎DomainManagement/DomainManagement.psd1‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎DomainManagement/changelog.md‎
Lines changed: 11 additions & 0 deletions b/‎DomainManagement/changelog.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎DomainManagement/functions/AccessRule/Register-DMAccessRule.ps1‎
Lines changed: 11 additions & 1 deletion b/‎DomainManagement/functions/AccessRule/Register-DMAccessRule.ps1‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎DomainManagement/functions/AccessRule/Test-DMAccessRule.ps1‎
Lines changed: 3 additions & 0 deletions b/‎DomainManagement/functions/AccessRule/Test-DMAccessRule.ps1‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎DomainManagement/functions/gplinks/Register-DMGPLink.ps1‎
Lines changed: 11 additions & 1 deletion b/‎DomainManagement/functions/gplinks/Register-DMGPLink.ps1‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎DomainManagement/functions/groupmemberships/Register-DMGroupMembership.ps1‎
Lines changed: 71 additions & 70 deletions b/‎DomainManagement/functions/groupmemberships/Register-DMGroupMembership.ps1‎
Lines changed: 71 additions & 70 deletions
diff --git a/‎DomainManagement/functions/groupmemberships/Unregister-DMGroupMembership.ps1‎
Lines changed: 12 additions & 0 deletions b/‎DomainManagement/functions/groupmemberships/Unregister-DMGroupMembership.ps1‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎DomainManagement/functions/grouppolicies/Test-DMGroupPolicy.ps1‎
Lines changed: 1 addition & 1 deletion b/‎DomainManagement/functions/grouppolicies/Test-DMGroupPolicy.ps1‎
Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@
 	RootModule         = 'DomainManagement.psm1'
 
 	# Version number of this module.
-	ModuleVersion      = '1.9.210'
+	ModuleVersion      = '1.9.218'
 
 	# ID used to uniquely identify this module
 	GUID               = '0a405382-ebc2-445b-8325-541535810193'
 
@@ -1,5 +1,16 @@
 # Changelog
 
+## 1.9.218 (2025-05-28)
+
+- Upd: Organizational Units - added ability to define GP inheritance blocking. Defaults to NOT block.
+- Upd: Users - added ability to specify custom attributes/properties for users.
+- Upd: AccessRules - added configuration property showing what context it comes from.
+- Upd: AccessRules - will ignore Group Policy AD Objects - they are governed by the GP Permissions component
+- Fix: AccessRules - objects that have no default permission generate an empty restore result
+- Fix: GroupPolicy - Reports wrong Policyname when failing to read GPO tracking file
+- Fix: GroupPolicy - Fails with the wrong error when the GPO no longer has a matching directory in SYSVOL.
+- Fix: GroupMemberships - Cannot unregister group memberships assigned based on categories.
+
 ## 1.9.210 (2024-12-13)
 
 - Upd: Content Mode - added ability to exclude individual Components from constrained Content Mode
 
@@ -62,6 +62,11 @@
 		By default, Test-DMAccessRule will generate a "FixConfig" result for accessrules that have been explicitly defined but are also part of the Schema Default permissions.
 		If this setting is enabled, this result object is suppressed.
 
+	.PARAMETER ContextName
+		The name of the context defining the setting.
+		This allows determining the configuration set that provided this setting.
+		Used by the ADMF, available to any other configuration management solution.
+
 	.EXAMPLE
 		PS C:\> Register-DMAccessRule -ObjectCategory DomainControllers -Identity '%DomainName%\Domain Admins' -ActiveDirectoryRights GenericAll
 
@@ -111,7 +116,10 @@
 		$Present = 'true',
 
 		[bool]
-		$NoFixConfig = $false
+		$NoFixConfig = $false,
+
+		[string]
+		$ContextName = '<Undefined>'
 	)
 
 	process {
@@ -130,6 +138,7 @@
 					Optional              = $Optional
 					Present               = $Present
 					NoFixConfig           = $NoFixConfig
+					ContextName           = $ContextName
 				}
 			}
 			'Category' {
@@ -146,6 +155,7 @@
 					Optional              = $Optional
 					Present               = $Present
 					NoFixConfig           = $NoFixConfig
+					ContextName           = $ContextName
 				}
 			}
 		}
 
@@ -193,6 +193,9 @@
 				# Prevent duplicate processing
 				if ($processed[$foundADObject.DistinguishedName]) { continue }
 				$processed[$foundADObject.DistinguishedName] = $true
+
+				# Skip GPOs, as those are handled within the GP Permissions Component
+				if ($foundADObject.DistinguishedName -match 'CN={[^,]+},CN=Policies,CN=System,') { continue }
 
 				# Skip items that were defined in configuration, they were already processed
 				if ($foundADObject.DistinguishedName -in $resolvedConfiguredObjects) { continue }
 
@@ -50,6 +50,11 @@
 	.PARAMETER Present
 		Whether the link should be present at all.
 		Relevant in additive mode, to retain the capability to delete undesired links.
+
+	.PARAMETER ContextName
+		The name of the context defining the setting.
+		This allows determining the configuration set that provided this setting.
+		Used by the ADMF, available to any other configuration management solution.
 	
 	.EXAMPLE
 		PS C:\> Get-Content $configPath | ConvertFrom-Json | Write-Output | Register-DMGPLink
@@ -91,7 +96,10 @@
 
 		[Parameter(ValueFromPipelineByPropertyName = $true)]
 		[bool]
-		$Present = $true
+		$Present = $true,
+		
+		[string]
+		$ContextName = '<Undefined>'
 	)
 
 	process {
@@ -109,6 +117,7 @@
 					State              = $State
 					ProcessingMode     = $ProcessingMode
 					Present            = $Present
+					ContextName        = $ContextName
 				}
 			}
 			'Filter' {
@@ -124,6 +133,7 @@
 					State          = $State
 					ProcessingMode = $ProcessingMode
 					Present        = $Present
+					ContextName    = $ContextName
 				}
 			}
 		}
 
@@ -1,5 +1,5 @@
 function Register-DMGroupMembership {
-    <#
+	<#
 	.SYNOPSIS
 		Registers a group membership assignment as desired state.
 	
@@ -56,83 +56,84 @@
 		Imports all defined groupmemberships from the targeted json configuration file.
 #>
 
-    [CmdletBinding(DefaultParameterSetName = 'Entry')]
-    param (
-        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
-        [string]
-        $Name,
+	[CmdletBinding(DefaultParameterSetName = 'Entry')]
+	param (
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
+		[string]
+		$Name,
 
-        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
-        [string]
-        $Domain,
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
+		[string]
+		$Domain,
 
-        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
-        [ValidateSet('User', 'Group', 'foreignSecurityPrincipal', 'Computer', 'msDS-GroupManagedServiceAccount')]
-        [string]
-        $ItemType,
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
+		[ValidateSet('User', 'Group', 'foreignSecurityPrincipal', 'Computer', 'msDS-GroupManagedServiceAccount')]
+		[string]
+		$ItemType,
 
-        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Category')]
-        [string]
-        $ObjectCategory,
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Category')]
+		[string]
+		$ObjectCategory,
 
-        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
-        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Category')]
-        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Empty')]
-        [string]
-        $Group,
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Entry')]
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Category')]
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Empty')]
+		[string]
+		$Group,
 
-        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Empty')]
-        [bool]
-        $Empty,
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Empty')]
+		[bool]
+		$Empty,
 
-        [Parameter(ValueFromPipelineByPropertyName = $true)]
-        [ValidateSet('Default', 'MayBeMember', 'MemberIfExists', 'MayBeMemberIfExists')]
-        [string]
-        $Mode = 'Default',
+		[Parameter(ValueFromPipelineByPropertyName = $true)]
+		[ValidateSet('Default', 'MayBeMember', 'MemberIfExists', 'MayBeMemberIfExists')]
+		[string]
+		$Mode = 'Default',
 
-        [Parameter(ValueFromPipelineByPropertyName = $true)]
-        [ValidateSet('Constrained', 'Additive')]
-        [string]
-        $GroupProcessingMode,
+		[Parameter(ValueFromPipelineByPropertyName = $true)]
+		[ValidateSet('Constrained', 'Additive')]
+		[string]
+		$GroupProcessingMode,
 
-        [string]
-        $ContextName = '<Undefined>'
-    )
+		[string]
+		$ContextName = '<Undefined>'
+	)
 
-    process {
-        if (-not $script:groupMemberShips[$Group]) {
-            $script:groupMemberShips[$Group] = @{ }
-        }
-        if ($Name) {
-            $script:groupMemberShips[$Group]["$($ItemType):$($Name)"] = [PSCustomObject]@{
-                PSTypeName  = 'DomainManagement.GroupMembership'
-                Name        = $Name
-                Domain      = $Domain
-                ItemType    = $ItemType
-                Group       = $Group
-                Mode        = $Mode
-                ContextName = $ContextName
-            }
-        }
-        elseif ($ObjectCategory) {
-            $script:groupMemberShips[$Group]["ObjectCategory:$($ObjectCategory)"] = [PSCustomObject]@{
-                PSTypeName  = 'DomainManagement.GroupMembership'
-                Category    = $ObjectCategory
-                Group       = $Group
-                Mode        = $Mode
-                ContextName = $ContextName
-            }
-        }
-        elseif ($Empty) {
-            $script:groupMemberShips[$Group] = @{ }
-        }
+	process {
+		if (-not $script:groupMemberShips[$Group]) {
+			$script:groupMemberShips[$Group] = @{ }
+		}
+		if ($Name) {
+			$script:groupMemberShips[$Group]["$($ItemType):$($Name)"] = [PSCustomObject]@{
+				PSTypeName  = 'DomainManagement.GroupMembership'
+				Name        = $Name
+				Domain      = $Domain
+				ItemType    = $ItemType
+				Group       = $Group
+				Mode        = $Mode
+				ContextName = $ContextName
+			}
+		}
+		elseif ($ObjectCategory) {
+			$script:groupMemberShips[$Group]["ObjectCategory:$($ObjectCategory)"] = [PSCustomObject]@{
+				PSTypeName  = 'DomainManagement.GroupMembership'
+				Category    = $ObjectCategory
+				Group       = $Group
+				Mode        = $Mode
+				ContextName = $ContextName
+			}
+		}
+		elseif ($Empty) {
+			$script:groupMemberShips[$Group] = @{ }
+		}
 
-        if ($GroupProcessingMode) {
-            $script:groupMemberShips[$Group]['__Configuration'] = [PSCustomObject]@{
-                PSTypeName     = 'DomainManagement.GroupMembership.Configuration'
-                ProcessingMode = $GroupProcessingMode
-				Group = $Group
-            }
-        }
-    }
+		if ($GroupProcessingMode) {
+			$script:groupMemberShips[$Group]['__Configuration'] = [PSCustomObject]@{
+				PSTypeName     = 'DomainManagement.GroupMembership.Configuration'
+				ProcessingMode = $GroupProcessingMode
+				Group          = $Group
+				ContextName    = $ContextName
+			}
+		}
+	}
 }
@@ -12,6 +12,9 @@
 	
 	.PARAMETER ItemType
 		The type of object the identity being granted group membership is.
+
+	.PARAMETER Category
+		The Object Category that defines the members.
 	
 	.PARAMETER Group
 		The group being granted membership in.
@@ -35,8 +38,13 @@
 		[string]
 		$ItemType,
 
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Category')]
+		[string]
+		$Category,
+
 		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Processing')]
 		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Identity')]
+		[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Category')]
 		[string]
 		$Group,
 
@@ -59,6 +67,10 @@
 			$null = $script:groupMemberShips.Remove($Group)
 			return
 		}
+		if ($Category) {
+			$null = $script:groupMemberShips.Remove("ObjectCategory:$Category")
+			return
+		}
 		if (-not $script:groupMemberShips[$Group]["$($ItemType):$($Name)"]) { return }
 		$null = $script:groupMemberShips[$Group].Remove("$($ItemType):$($Name)")
 		if (-not $script:groupMemberShips[$Group].Count) {
 
@@ -81,7 +81,7 @@
 			}
 			# Resolve-PolicyRevision updates the content of $groupPolicy without producing output
 			try { Resolve-PolicyRevision -Policy $groupPolicy -Session $session }
-			catch { Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.PolicyRevision.Lookup.Failed' -StringValues $allPolicies.DisplayName -ErrorRecord $_ -EnableException $EnableException.ToBool() }
+			catch { Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.PolicyRevision.Lookup.Failed' -StringValues $groupPolicy.DisplayName -ErrorRecord $_ -EnableException $EnableException.ToBool() }
 		}
 		$desiredHash = @{ }
 		$policyHash = @{ }
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,11 @@`
`62`	`62`	`By default, Test-DMAccessRule will generate a "FixConfig" result for accessrules that have been explicitly defined but are also part of the Schema Default permissions.`
`63`	`63`	`If this setting is enabled, this result object is suppressed.`
`64`	`64`
	`65`	`+ .PARAMETER ContextName`
	`66`	`+ The name of the context defining the setting.`
	`67`	`+ This allows determining the configuration set that provided this setting.`
	`68`	`+ Used by the ADMF, available to any other configuration management solution.`
	`69`	`+`
`65`	`70`	`.EXAMPLE`
`66`	`71`	`PS C:\> Register-DMAccessRule -ObjectCategory DomainControllers -Identity '%DomainName%\Domain Admins' -ActiveDirectoryRights GenericAll`
`67`	`72`
`@@ -111,7 +116,10 @@`
`111`	`116`	`$Present = 'true',`
`112`	`117`
`113`	`118`	`[bool]`
`114`		`- $NoFixConfig = $false`
	`119`	`+ $NoFixConfig = $false,`
	`120`	`+`
	`121`	`+ [string]`
	`122`	`+ $ContextName = '<Undefined>'`
`115`	`123`	`)`
`116`	`124`
`117`	`125`	`process {`
`@@ -130,6 +138,7 @@`
`130`	`138`	`Optional = $Optional`
`131`	`139`	`Present = $Present`
`132`	`140`	`NoFixConfig = $NoFixConfig`
	`141`	`+ ContextName = $ContextName`
`133`	`142`	`}`
`134`	`143`	`}`
`135`	`144`	`'Category' {`
`@@ -146,6 +155,7 @@`
`146`	`155`	`Optional = $Optional`
`147`	`156`	`Present = $Present`
`148`	`157`	`NoFixConfig = $NoFixConfig`
	`158`	`+ ContextName = $ContextName`
`149`	`159`	`}`
`150`	`160`	`}`
`151`	`161`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,11 @@`
`50`	`50`	`.PARAMETER Present`
`51`	`51`	`Whether the link should be present at all.`
`52`	`52`	`Relevant in additive mode, to retain the capability to delete undesired links.`
	`53`	`+`
	`54`	`+ .PARAMETER ContextName`
	`55`	`+ The name of the context defining the setting.`
	`56`	`+ This allows determining the configuration set that provided this setting.`
	`57`	`+ Used by the ADMF, available to any other configuration management solution.`
`53`	`58`
`54`	`59`	`.EXAMPLE`
`55`	`60`	`PS C:\> Get-Content $configPath \| ConvertFrom-Json \| Write-Output \| Register-DMGPLink`
`@@ -91,7 +96,10 @@`
`91`	`96`
`92`	`97`	`[Parameter(ValueFromPipelineByPropertyName = $true)]`
`93`	`98`	`[bool]`
`94`		`- $Present = $true`
	`99`	`+ $Present = $true,`
	`100`	`+`
	`101`	`+ [string]`
	`102`	`+ $ContextName = '<Undefined>'`
`95`	`103`	`)`
`96`	`104`
`97`	`105`	`process {`
`@@ -109,6 +117,7 @@`
`109`	`117`	`State = $State`
`110`	`118`	`ProcessingMode = $ProcessingMode`
`111`	`119`	`Present = $Present`
	`120`	`+ ContextName = $ContextName`
`112`	`121`	`}`
`113`	`122`	`}`
`114`	`123`	`'Filter' {`
`@@ -124,6 +133,7 @@`
`124`	`133`	`State = $State`
`125`	`134`	`ProcessingMode = $ProcessingMode`
`126`	`135`	`Present = $Present`
	`136`	`+ ContextName = $ContextName`
`127`	`137`	`}`
`128`	`138`	`}`
`129`	`139`	`}`
Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@`
`81`	`81`	`}`
`82`	`82`	`# Resolve-PolicyRevision updates the content of $groupPolicy without producing output`
`83`	`83`	`try { Resolve-PolicyRevision -Policy $groupPolicy -Session $session }`
`84`		`- catch { Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.PolicyRevision.Lookup.Failed' -StringValues $allPolicies.DisplayName -ErrorRecord $_ -EnableException $EnableException.ToBool() }`
	`84`	`+ catch { Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.PolicyRevision.Lookup.Failed' -StringValues $groupPolicy.DisplayName -ErrorRecord $_ -EnableException $EnableException.ToBool() }`
`85`	`85`	`}`
`86`	`86`	`$desiredHash = @{ }`
`87`	`87`	`$policyHash = @{ }`