Add SamAccountName property to ADManagedServiceAccount
gaelicWizard committed May 20, 2021
1 parent f5d8d70 commit 9eff9e2
Showing 2 changed files with 28 additions and 10 deletions.
Expand Up @@ -16,9 +16,7 @@ $script:errorCodeKdsRootKeyNotFound = -2146893811
Returns the current state of an Active Directory managed service account.
.PARAMETER ServiceAccountName
Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName
'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20 characters
or less. Once created, the user's SamAccountName and CN cannot be changed.
Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is 'name'. Once created, the account's Name cannot be changed. Once created, the user's SamAccountName and CN cannot be changed.
.PARAMETER AccountType
The type of managed service account. Standalone will create a Standalone Managed Service Account (sMSA) and
Expand Down Expand Up @@ -92,6 +90,7 @@ function Get-TargetResource
'DistinguishedName'
'Description'
'DisplayName'
'SamAccountName'
'ObjectClass'
'Enabled'
'PrincipalsAllowedToRetrieveManagedPassword'
Expand Down Expand Up @@ -154,6 +153,7 @@ function Get-TargetResource
Path = Get-ADObjectParentDN -DN $adServiceAccount.DistinguishedName
Description = $adServiceAccount.Description
DisplayName = $adServiceAccount.DisplayName
SamAccountName = $SamAccountName
DistinguishedName = $adServiceAccount.DistinguishedName
Enabled = $adServiceAccount.Enabled
KerberosEncryptionType = $adServiceAccount.KerberosEncryptionType -split (', ')
Expand All @@ -171,6 +171,7 @@ function Get-TargetResource
Path = $null
Description = $null
DisplayName = $null
SamAccountName = $null
DistinguishedName = $null
Enabled = $false
KerberosEncryptionType = @()
Expand All @@ -188,9 +189,7 @@ function Get-TargetResource
Tests if an Active Directory managed service account is in the desired state.
.PARAMETER ServiceAccountName
Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName
'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20
characters or less. Once created, the user's SamAccountName and CN cannot be changed.
Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is 'name'. Once created, the account's Name cannot be changed. Once created, the user's SamAccountName and CN cannot be changed.
.PARAMETER AccountType
The type of managed service account. Standalone will create a Standalone Managed Service Account (sMSA) and
Expand All @@ -206,6 +205,11 @@ function Get-TargetResource
.PARAMETER DisplayName
Specifies the display name of the account (ldapDisplayName 'displayName').
.PARAMETER SamAccountName
Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName
'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20
characters or less.
.PARAMETER DomainController
Specifies the Active Directory Domain Controller instance to use to perform the task.
This is only required if not executing the task on a domain controller.
Expand Down Expand Up @@ -268,6 +272,11 @@ function Test-TargetResource
[System.String]
$DisplayName,

[Parameter()]
[ValidateNotNullOrEmpty()]
[System.String]
$SamAccountName,

[Parameter()]
[ValidateNotNullOrEmpty()]
[System.String]
Expand Down Expand Up @@ -375,9 +384,7 @@ function Test-TargetResource
Sets the state of an Active Directory managed service account.
.PARAMETER ServiceAccountName
Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName
'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20
characters or less. Once created, the user's SamAccountName and CN cannot be changed.
Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is 'name'. Once created, the account's Name cannot be changed. Once created, the user's SamAccountName and CN cannot be changed.
.PARAMETER AccountType
The type of managed service account. Standalone will create a Standalone Managed Service Account (sMSA) and
Expand All @@ -393,6 +400,11 @@ function Test-TargetResource
.PARAMETER DisplayName
Specifies the display name of the account (ldapDisplayName 'displayName').
.PARAMETER SamAccountName
Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName
'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20
characters or less.
.PARAMETER DomainController
Specifies the Active Directory Domain Controller instance to use to perform the task.
This is only required if not executing the task on a domain controller.
Expand Down Expand Up @@ -463,6 +475,11 @@ function Set-TargetResource
[System.String]
$DisplayName,

[Parameter()]
[ValidateNotNullOrEmpty()]
[System.String]
$SamAccountName,

[Parameter()]
[ValidateNotNullOrEmpty()]
[System.String]
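Review bot: In Get-TargetResource's found-account hashtable the new entry is `SamAccountName = $SamAccountName`, while every neighbouring entry reads from `$adServiceAccount`. None of the visible hunks adds a `$SamAccountName` parameter to Get-TargetResource (its param block is outside the hunks), so this probably returns `$null` rather than the account's real sAMAccountName. Since 'SamAccountName' is now in the requested property list, the line should likely be `SamAccountName = $adServiceAccount.SamAccountName`; otherwise the desired-state comparison cannot reliably detect drift in the account's logon name. Separately, the rewritten `.PARAMETER ServiceAccountName` help still ends with "Once created, the user's SamAccountName and CN cannot be changed", which contradicts the new writable SamAccountName parameter; I would drop that sentence in all three help blocks.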
@@ -1,11 +1,12 @@
[ClassVersion("1.0.1.0"), FriendlyName("ADManagedServiceAccount")]
class MSFT_ADManagedServiceAccount : OMI_BaseResource
{
[Key, Description("Specifies the Security Account Manager (SAM) account name of the managed service account (ldapDisplayName 'sAMAccountName'). To be compatible with older operating systems, create a SAM account name that is 20 characters or less. Once created, the user's SamAccountName and CN cannot be changed.")] String ServiceAccountName;
[Key, Description("Specifies the name of the object. This parameter sets the Name property of the Active Directory object. The LDAP Display Name (ldapDisplayName) of this property is 'name'. Once created, the account's Name cannot be changed.")] String ServiceAccountName;
[Required, Description("The type of managed service account. Standalone will create a Standalone Managed Service Account (sMSA) and Group will create a Group Managed Service Account (gMSA)."), ValueMap{"Group","Standalone"}, Values{"Group","Standalone"}] String AccountType;
[Write, Description("Specifies the user account credentials to use to perform this task. This is only required if not executing the task on a domain controller or using the parameter DomainController."), EmbeddedInstance("MSFT_Credential")] String Credential;
[Write, Description("Specifies the description of the account (ldapDisplayName 'description').")] String Description;
[Write, Description("Specifies the display name of the account (ldapDisplayName 'displayName').")] String DisplayName;
[Write, Description("Specifies the Security Account Manager (SAM) account name of the service account. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. If the string value provided is not terminated with a '$' character, the system adds one if needed. The LDAP display name (ldapDisplayName) for this property is 'sAMAccountName'.")] String SamAccountName;
[Write, Description("Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller.")] String DomainController;
[Write, Description("Specifies whether the user account is created or deleted. If not specified, this value defaults to Present."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
[Write, Description("Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute."),ValueMap{"None","RC4","AES128","AES256"}, Values{"None","RC4","AES128","AES256"}] String KerberosEncryptionType[];
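Review bot: The Description added for `SamAccountName` says the system appends a '$' when the supplied value lacks one, but nothing visible in this commit normalises the value before it is compared with what Active Directory returns. If Test-TargetResource compares the strings as given (that code is outside the visible hunks), a configuration that specifies `svc-app` (an illustrative name) against a stored `svc-app$` would report drift on every run and keep re-applying the setting. I would either state in the Description that the value must include the trailing '$', or normalise both sides before the comparison. The text also differs from the `.PARAMETER SamAccountName` help in the module, which omits the '$' behaviour, so the two should be aligned.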
