Rights guid (#32)

* Updated ActiveDirectoryAccessEntry example with a valid ADRights value
Refactored Get-SchemaGuidId helper function to
Get-DelegationRightsGuid so it returns schemaGuids and rightsGuids

* typo corrections

* Update Get-SchemaObjectName to resolve SchemaGuids and RightsGuids

* Added $guidmap to Get-SchemaObjectName

* Added $rootDse to Get-SchemaObjectName

DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1

@@ -124,7 +124,8 @@ function Assert-Module
     [CmdletBinding()]
     param
     (
-        [Parameter()] [ValidateNotNullOrEmpty()]
+        [Parameter()]
+        [ValidateNotNullOrEmpty()]
         [System.String]
         $ModuleName
     )
@@ -137,7 +138,7 @@ function Assert-Module
     }
 } 
 
-Function Get-SchemaIdGuid
+function Get-DelegationRightsGuid
 {
     Param 
     (
@@ -148,31 +149,48 @@ Function Get-SchemaIdGuid
 
     if($ObjectName)
     {
-        $value = Get-ADObject -filter {name -eq $ObjectName} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID
-        return [system.guid]$value.schemaIDGUID 
+        # Create a hashtable to store the GUID value of each schemaGuids and rightsGuids
+        $guidmap = @{}
+        $rootdse = Get-ADRootDSE
+        Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID | 
+            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }
+
+        Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid | 
+            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
+
+        return [system.guid]$guidmap[$ObjectName]
     }
     else
     {
         return [system.guid]"00000000-0000-0000-0000-000000000000"
     }
 }
 
-Function Get-SchemaObjectName
+function Get-SchemaObjectName
 {
-    Param 
+    Param
     (
         [Parameter()]
         [guid]
         $SchemaIdGuid
     )
 
-    If($SchemaIdGuid)
+    if($SchemaIdGuid)
     {
-        $value = Get-ADObject -filter {schemaIDGUID  -eq $SchemaIdGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID
-        return $value.name
+        $guidmap = @{}
+        $rootdse = Get-ADRootDSE
+        Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID | 
+            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }
+
+        Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid | 
+            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
+
+        # This is to address the edge case where one guid resolves to multiple names ex. f3a64788-5306-11d1-a9c5-0000f80367c1 resolves to Service-Principal-Name,Validated-SPN
+        $names = ( $guidmap.GetEnumerator() | Where-Object -FilterScript { $_.Value -eq $SchemaIdGuid } ).Name
+        return $names -join ','
     }
     else
     {
         return "none"
-    } 
+    }
 }

DscResources/ActiveDirectoryAccessEntry/ActiveDirectoryAccessEntry.psm1

@@ -361,8 +361,8 @@ Function ConvertTo-ActiveDirectoryAccessRule
 
     foreach($ace in $AccessControlList.AccessControlEntry)
     {
-        $inheritedObjectType = Get-SchemaIdGuid -ObjectName $ace.InheritedObjectType
-        $objectType = Get-SchemaIdGuid -ObjectName $ace.ObjectType
+        $inheritedObjectType = Get-DelegationRightsGuid -ObjectName $ace.InheritedObjectType
+        $objectType = Get-DelegationRightsGuid -ObjectName $ace.ObjectType
         $rule = [PSCustomObject]@{
             Rules = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityRef, $ace.ActiveDirectoryRights, $ace.AccessControlType, $objectType, $ace.InheritanceType, $inheritedObjectType)
             Ensure = $ace.Ensure

DscResources/ActiveDirectoryAuditRuleEntry/ActiveDirectoryAuditRuleEntry.psm1

@@ -406,7 +406,7 @@ Function ConvertTo-ActiveDirectoryAuditRule
 
     foreach($ace in $AccessControlList.AccessControlEntry)
     {
-        $InheritedObjectType = Get-SchemaIdGuid -ObjectName $ace.InheritedObjectType
+        $InheritedObjectType = Get-DelegationRightsGuid -ObjectName $ace.InheritedObjectType
         $rule = [PSCustomObject]@{
             Rules = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityRef, $ace.ActiveDirectoryRights, $ace.AuditFlags, $ace.InheritanceType, $InheritedObjectType)
             Ensure = $ace.Ensure

Examples/ActiveDirectoryAccessEntry_example.ps1

@@ -15,11 +15,11 @@ configuration Sample_ADAccessControl
                         ActiveDirectoryAccessRule
                         {
                             AccessControlType = 'Allow'
-                            ActiveDirectoryRights = 'FullControl'
+                            ActiveDirectoryRights = 'GenericAll'
                             InheritanceType = 'Descendents'
                             Ensure = 'Present'
                         }
-                    )               
+                    )
                 }
             )
         }
@@ -40,7 +40,7 @@ configuration Sample_ADAccessControl
                             InheritedObjectType = 'organizational-unit'
                             Ensure = 'Present'
                         }
-                    )               
+                    )
                 }
                 ActiveDirectoryAccessControlList
                 {
@@ -55,7 +55,7 @@ configuration Sample_ADAccessControl
                             ObjectType = 'computer'
                             Ensure = 'Present'
                         }
-                    )               
+                    )
                 }
             )
         }

Tests/Unit/ActiveDirectoryAccessEntry.Tests.ps1

@@ -111,7 +111,7 @@ InModuleScope ActiveDirectoryAccessEntry {
         Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
         Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
         Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$name -eq 'ActiveDirectory'}-ModuleName $DSCResourceName 
-        Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+        Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
         Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 
         Mock -CommandName Get-Acl -MockWith {
@@ -218,7 +218,7 @@ InModuleScope ActiveDirectoryAccessEntry {
         Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
         Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
         Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$name -eq 'ActiveDirectory'} -ModuleName $DSCResourceName
-        Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+        Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
         Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 
         $identity = Resolve-Identity -Identity "Everyone"

Tests/Unit/ActiveDirectoryAuditRuleEntry.Tests.ps1

@@ -111,7 +111,7 @@ Import-Module "$($PSScriptRoot)\..\TestHelper.psm1" -Force
         Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
         Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
         Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$Name -eq 'ActiveDirectory'}-ModuleName $DSCResourceName 
-        Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+        Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
         Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 
         Mock -CommandName Get-Acl -MockWith {
@@ -261,7 +261,7 @@ Import-Module "$($PSScriptRoot)\..\TestHelper.psm1" -Force
         Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
         Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
         Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$Name -eq 'ActiveDirectory'} -ModuleName $DSCResourceName
-        Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+        Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
         Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 
         $Identity = Resolve-Identity -Identity "Everyone"