🔧 Minor fixes to the SHM DC desired state configuration to ensure tha…
…t correct state is noted as such in the portal
jemrobinson committed Feb 5, 2024
1 parent eeab36f commit 50785f4
Showing 1 changed file with 23 additions and 6 deletions.
Expand Up @@ -310,25 +310,40 @@ Configuration ConfigureActiveDirectory {
$AzureADSyncSID = (Get-ADUser -Identity $AzureADSyncUsername).SID
$DefaultNamingContext = $(Get-ADRootDSE).DefaultNamingContext
$ConfigurationNamingContext = $(Get-ADRootDSE).ConfigurationNamingContext
$null = dsacls "$($DefaultNamingContext)" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"
$null = dsacls "$DefaultNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"
$success = $success -and $?
$null = dsacls "$($ConfigurationNamingContext)" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"
$null = dsacls "$ConfigurationNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"
$success = $success -and $?
$null = dsacls "$($DefaultNamingContext)" /G "${AzureADSyncSID}:CA;Replicating Directory Changes All"
$null = dsacls "$DefaultNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes All"
$success = $success -and $?
$null = dsacls "$($ConfigurationNamingContext)" /G "${AzureADSyncSID}:CA;Replicating Directory Changes All"
$null = dsacls "$ConfigurationNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes All"
$success = $success -and $?
if ($success) {
Write-Verbose -Message "Successfully updated ACL permissions for AD Sync Service account '$AzureADSyncUsername'"
} else {
throw "Failed to update ACL permissions for AD Sync Service account '$AzureADSyncUsername'!"
}
} catch {
Write-Error "SetAzureADSynchroniserPermissions: $($_.Exception)"
Write-Error "SetAzureADSynchroniserPermissions::SetScript $($_.Exception)"
}
}
GetScript = { @{} }
TestScript = { $false }
TestScript = {
try {
$success = $true
$AzureADSyncUsername = $using:DataSafeHavenServiceAccounts.AzureADSynchroniser.Username
$DefaultNamingContext = $(Get-ADRootDSE).DefaultNamingContext
$ConfigurationNamingContext = $(Get-ADRootDSE).ConfigurationNamingContext
$success = $success -and $($null -ne $(dsacls "$DefaultNamingContext" | Select-String "$AzureADSyncUsername" | Select-String "Replicating Directory Changes$"))
$success = $success -and $($null -ne $(dsacls "$ConfigurationNamingContext" | Select-String "$AzureADSyncUsername" | Select-String "Replicating Directory Changes$"))
$success = $success -and $($null -ne $(dsacls "$DefaultNamingContext" | Select-String "$AzureADSyncUsername" | Select-String "Replicating Directory Changes All"))
$success = $success -and $($null -ne $(dsacls "$ConfigurationNamingContext" | Select-String "$AzureADSyncUsername" | Select-String "Replicating Directory Changes All"))
$success
} catch {
Write-Error "SetAzureADSynchroniserPermissions::TestScript $($_.Exception)"
$false
}
}
DependsOn = "[ADUser]AzureADSynchroniser"
}
}
Expand Down Expand Up @@ -408,6 +423,8 @@ Configuration PrimaryDomainController {
[String]$LDAPSearcherUsername
)

Import-DscResource -ModuleName xPSDesiredStateConfiguration -ModuleVersion 9.1.0

# Common parameters
$DataSafeHavenBasePath = "C:\DataSafeHaven"
$ActiveDirectoryBasePath = Join-Path $DataSafeHavenBasePath "ActiveDirectory"
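Review bot: The new TestScript in the first hunk treats any dsacls line that mentions the account and the right as proof that the right is granted, so a Deny ACE, or an ACE for a different trustee whose name merely contains the username (Select-String's pattern is a regex and matches substrings), would make the resource report compliant while replication still fails. Filtering on the Allow column and matching the username literally tightens each of the four checks, e.g. `$success = $success -and $($null -ne $(dsacls "$DefaultNamingContext" | Select-String -SimpleMatch "Allow" | Select-String -SimpleMatch "$AzureADSyncUsername" | Select-String "Replicating Directory Changes$"))`, assuming dsacls prints the trustee and the right on one line as the pipeline already relies on. The `Replicating Directory Changes$` anchor also presumes no trailing whitespace after the right name in dsacls output; worth confirming once on a DC before depending on it to separate the two rights. The enclosing Script resource and Configuration ConfigureActiveDirectory begin outside the hunk.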
