ActiveDirectoryManagementFramework · FriedrichWeinmann · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024
diff --git a/ForestManagement/ForestManagement.psd1 b/ForestManagement/ForestManagement.psd1
@@ -3,7 +3,7 @@
 	RootModule = 'ForestManagement.psm1'
 
 	# Version number of this module.
-	ModuleVersion = '1.5.76'
+	ModuleVersion = '1.5.78'
 
 	# ID used to uniquely identify this module
 	GUID = '7de4379d-17c8-48d3-bd6d-93279aef64bb'
@@ -26,7 +26,7 @@
 	# Modules that must be imported into the global environment prior to importing
 	# this module
 	RequiredModules   = @(
-		@{ ModuleName = 'PSFramework'; ModuleVersion = '1.10.318' }
+		@{ ModuleName = 'PSFramework'; ModuleVersion = '1.12.346' }
 
 		# Additional Dependencies, cannot declare due to bug in dependency handling in PS5.1
 		# @{ ModuleName = 'ResolveString'; ModuleVersion = '1.0.0' }

diff --git a/ForestManagement/changelog.md b/ForestManagement/changelog.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.5.78 (2024-12-13)
+
+- Upd: Schema - significant test performance improvements
+- Upd: Schema - added option to scan _all_ attributes and report any unconfigured ones as "Unmanaged"
+
 ## 1.5.76 (2024-03-05)
 
 - Fix: Exchange Schema - invoke fails on validating sites.

diff --git a/ForestManagement/functions/schema/Test-FMSchema.ps1 b/ForestManagement/functions/schema/Test-FMSchema.ps1
@@ -74,9 +74,13 @@
 		# Pick up termination flag from Stop-PSFFunction and interrupt if begin failed to connect
 		if (Test-PSFFunctionInterrupt) { return }
 
+		$allAttributes = Get-ADObject @parameters -LDAPFilter "(attributeID=*)" -SearchBase $rootDSE.schemaNamingContext -ErrorAction Ignore -Properties *
+		$allClasses = Get-ADObject @parameters -LDAPFilter "(objectClass=classSchema)" -SearchBase $rootDSE.schemaNamingContext -ErrorAction Ignore -Properties *
+
+		#region Process Configuration
 		foreach ($schemaSetting in (Get-FMSchema)) {
 			$schemaObject = $null
-			$schemaObject = Get-ADObject @parameters -LDAPFilter "(attributeID=$($schemaSetting.OID))" -SearchBase $rootDSE.schemaNamingContext -ErrorAction Ignore -Properties *
+			$schemaObject = $allAttributes.Where{ $_.attributeID -eq $schemaSetting.OID }[0]
 
 			if (-not $schemaObject) {
 				# If we already want to disable the attribute, no need to create it
@@ -147,7 +151,7 @@
 			}
 
 			if (-not $schemaSetting.IsDefunct -and $schemaSetting.PSObject.Properties.Name -contains 'MayBeContainedIn') {
-				$mayContain = Get-ADObject @parameters -LDAPFilter "(mayContain=$($schemaSetting.LdapDisplayName))" -SearchBase $rootDSE.schemaNamingContext
+				$mayContain = $allClasses.Where{ $_.MayContain -contains $schemaSetting.LdapDisplayName }
 				if (-not $mayContain -and $schemaSetting.MayBeContainedIn) {
 					$null = $changes.Add((New-AdcChange -Property MayContain -NewValue $schemaSetting.MayBeContainedIn -Identity $schemaObject.DistinguishedName -Type Schema -ToString $mayContainToString))
 				}
@@ -163,7 +167,7 @@
 			}
 
 			if (-not $schemaSetting.IsDefunct -and $schemaSetting.PSObject.Properties.Name -contains 'MustBeContainedIn') {
-				$mustContain = Get-ADObject @parameters -LDAPFilter "(mustContain=$($schemaSetting.LdapDisplayName))" -SearchBase $rootDSE.schemaNamingContext
+				$mustContain = $allClasses.Where{ $_.mustContain -contains $schemaSetting.LdapDisplayName }
 				if (-not $mustContain -and $schemaSetting.MustBeContainedIn) {
 					$null = $changes.Add((New-AdcChange -Property MustContain -NewValue $schemaSetting.MustBeContainedIn -Identity $schemaObject.DistinguishedName -Type Schema -ToString $mustContainToString))
 				}
@@ -191,5 +195,24 @@
 				}
 			}
 		}
+		#endregion Process Configuration
+
+		#region Process AD Only
+		if (-not (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Attributes.ReportUnconfigured')) { return }
+		$unconfigured = $allAttributes | Where-Object attributeID -NotIn (Get-FMSchema).OID
+		foreach ($unexpectedAttribute in $unconfigured) {
+			if ($unexpectedAttribute.IsDefunct) { continue }
+			[PSCustomObject]@{
+				PSTypeName    = 'ForestManagement.Schema.TestResult'
+				Type          = 'Unmanaged'
+				ObjectType    = 'Schema'
+				Identity      = $unexpectedAttribute.AdminDisplayName
+				Changed       = $null
+				Server        = $forest.SchemaMaster
+				ADObject      = $unexpectedAttribute
+				Configuration = $null
+			}
+		}
+		#endregion Process AD Only
 	}
 }
diff --git a/ForestManagement/internal/configurations/configuration.ps1 b/ForestManagement/internal/configurations/configuration.ps1
@@ -29,3 +29,4 @@ Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoDisable' -Val
 Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoGrant' -Value $false -Initialize -Validation bool -Description 'Whether the account to use for performing the schema update should be added to the schema admins group before use.'
 Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoRevoke' -Value $false -Initialize -Validation bool -Description 'Whether the account to use for performing the schema update should be removed from the schema admins group after use.'
 Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Password.AutoReset' -Value $false -Initialize -Validation bool -Description 'Whether the password of the used account should be reset before & after use.'
+Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Attributes.ReportUnconfigured' -Value $false -Initialize -Validation bool -Description 'Whether Schema attributes that were not configured should be reported as a test finding.'