From 50785f4b496bae864bab3efe13eb0888996733a2 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Mon, 5 Feb 2024 13:07:45 +0000
Subject: [PATCH] :wrench: Minor fixes to the SHM DC desired state configuration to ensure that correct state is noted as such in the portal
---
 .../PrimaryDomainController.ps1 | 29 +++++++++++++++----
 1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1 b/data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1
index d1d856af16..755603d8d5 100644
--- a/data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1
+++ b/data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1
@@ -310,13 +310,13 @@ Configuration ConfigureActiveDirectory {
 $AzureADSyncSID = (Get-ADUser -Identity $AzureADSyncUsername).SID
 $DefaultNamingContext = $(Get-ADRootDSE).DefaultNamingContext
 $ConfigurationNamingContext = $(Get-ADRootDSE).ConfigurationNamingContext
- $null = dsacls "$($DefaultNamingContext)" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"
+ $null = dsacls "$DefaultNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"
 $success = $success -and $?
- $null = dsacls "$($ConfigurationNamingContext)" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"
+ $null = dsacls "$ConfigurationNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"
 $success = $success -and $?
- $null = dsacls "$($DefaultNamingContext)" /G "${AzureADSyncSID}:CA;Replicating Directory Changes All"
+ $null = dsacls "$DefaultNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes All"
 $success = $success -and $?
- $null = dsacls "$($ConfigurationNamingContext)" /G "${AzureADSyncSID}:CA;Replicating Directory Changes All"
+ $null = dsacls "$ConfigurationNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes All"
 $success = $success -and $?
 if ($success) {
 Write-Verbose -Message "Successfully updated ACL permissions for AD Sync Service account '$AzureADSyncUsername'"
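Review bot: The four `$null = dsacls …` lines discard dsacls's own output, so when the `$?`-based check trips, the throw at the end of SetScript carries no indication of which grant failed or why. Capture the output instead, e.g. `$dsaclsOutput = dsacls "$DefaultNamingContext" /G "${AzureADSyncSID}:CA;Replicating Directory Changes"` followed by `if ($LASTEXITCODE -ne 0) { $success = $false; Write-Verbose -Message "$dsaclsOutput" }`, so the verbose log shows the reason an ACE was not applied. Since `/G` adds ACEs rather than replacing the ACL, repeated runs are harmless but a stale grant is never removed here; a comment above the first call stating that these are the Replicating Directory Changes / Changes All rights Azure AD Connect requires, and that they make the sync account a highly privileged identity, would document the intent. SetScript starts before and ends after this hunk.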
@@ -324,11 +324,26 @@ Configuration ConfigureActiveDirectory {
 throw "Failed to update ACL permissions for AD Sync Service account '$AzureADSyncUsername'!"
 }
 } catch {
- Write-Error "SetAzureADSynchroniserPermissions: $($_.Exception)"
+ Write-Error "SetAzureADSynchroniserPermissions::SetScript $($_.Exception)"
 }
 }
 GetScript = { @{} }
- TestScript = { $false }
+ TestScript = {
+ try {
+ $success = $true
+ $AzureADSyncUsername = $using:DataSafeHavenServiceAccounts.AzureADSynchroniser.Username
+ $DefaultNamingContext = $(Get-ADRootDSE).DefaultNamingContext
+ $ConfigurationNamingContext = $(Get-ADRootDSE).ConfigurationNamingContext
+ $success = $success -and $($null -ne $(dsacls "$DefaultNamingContext" | Select-String "$AzureADSyncUsername" | Select-String "Replicating Directory Changes$"))
+ $success = $success -and $($null -ne $(dsacls "$ConfigurationNamingContext" | Select-String "$AzureADSyncUsername" | Select-String "Replicating Directory Changes$"))
+ $success = $success -and $($null -ne $(dsacls "$DefaultNamingContext" | Select-String "$AzureADSyncUsername" | Select-String "Replicating Directory Changes All"))
+ $success = $success -and $($null -ne $(dsacls "$ConfigurationNamingContext" | Select-String "$AzureADSyncUsername" | Select-String "Replicating Directory Changes All"))
+ $success
+ } catch {
+ Write-Error "SetAzureADSynchroniserPermissions::TestScript $($_.Exception)"
+ $false
+ }
+ }
 DependsOn = "[ADUser]AzureADSynchroniser"
 }
 }
@@ -408,6 +423,8 @@ Configuration PrimaryDomainController {
 [String]$LDAPSearcherUsername
 ) + Import-DscResource -ModuleName xPSDesiredStateConfiguration -ModuleVersion 9.1.0 + # Common parameters
 $DataSafeHavenBasePath = "C:\DataSafeHaven"
 $ActiveDirectoryBasePath = Join-Path $DataSafeHavenBasePath "ActiveDirectory"
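Review bot: In the four `$success = … Select-String "$AzureADSyncUsername" …` lines of the new TestScript the username is handed to Select-String as a regular expression, so any regex metacharacter in the account name (a `.` or `$`, for example) changes what is matched and can turn the presence check into a false positive or a false negative; pass it as a literal with `Select-String -SimpleMatch "$AzureADSyncUsername"`. The test also locates the ACE by account name whereas SetScript grants it by SID, so if dsacls prints the principal in a different form from the bare username the test would report `$false` on every consistency check and SetScript would re-run each time — worth confirming against real dsacls output on a domain controller. A comment above `TestScript = {` saying that it requires all four Replicating Directory Changes / Changes All ACEs on the default and configuration naming contexts, and that returning `$false` from the catch deliberately forces SetScript to run, would make the contract explicit. The enclosing Script resource starts before this hunk.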