ActiveDirectoryDsc

ADDomainController: Support for supplying DelegatedAdministratorAccountName

Open Borgquite opened this issue 1 year ago • 4 comments

Pull Request (PR) description

When setting up a read-only domain controller, it is possible to supply a user or group which will gain local administrative privileges to the RODC. The specified user or members of the specified group can perform operations on the RODC with privileges equivalent to the computer's Administrators group. They aren't members of the Domain Admins or domain built-in Administrators groups.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller--rodc---level-200-#delegation-of-rodc-installation-and-administration

This can be selected during initial setup via the DelegatedAdministratorAccountName parameter, but also updated later using the ManagedBy attribute on the computer account in Active Directory. This pull request adds support for configuring this via PowerShell DSC using the ADDomainController resource.

https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-delegate-administrator-of-rodcs/

This Pull Request (PR) fixes the following issues

None

Task list

  • [x] Added an entry to the change log under the Unreleased section of the file CHANGELOG.md. Entry should say what was changed and how that affects users (if applicable), and reference the issue being resolved (if applicable).
  • [ ] Resource documentation added/updated in README.md.
  • [x] Resource parameter descriptions added/updated in README.md, schema.mof and comment-based help.
  • [x] Comment-based help added/updated.
  • [x] Localization strings added/updated in all localization files as appropriate.
  • [x] Examples appropriately added/updated.
  • [x] Unit tests added/updated. See DSC Community Testing Guidelines.
  • [ ] Integration tests added/updated (where possible). See DSC Community Testing Guidelines.
  • [ ] New/changed code adheres to DSC Community Style Guidelines.

Borgquite avatar Apr 26 '24 16:04 Borgquite
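
Added example, not code from this pull request or from the ActiveDirectoryDsc project: because the delegated administrator is stored in the ManagedBy attribute of the RODC's computer account, it can be audited against an approved list. The function name `Test-RodcDelegation`, the allow-list, and all computer names and distinguished names below are hypothetical and constructed for illustration.

```powershell
# Added example (not part of the PR). Flags RODCs whose delegated administrator
# (ManagedBy on the computer account) differs from an approved allow-list.
function Test-RodcDelegation {
    [CmdletBinding()]
    param(
        # Objects exposing Name and ManagedBy (a distinguished name, or $null when unset)
        [Parameter(Mandatory)] [object[]] $Rodc,
        # Hypothetical allow-list: RODC name -> DN of the approved delegated administrator
        [Parameter(Mandatory)] [hashtable] $Approved
    )
    foreach ($dc in $Rodc) {
        $expected = $Approved[$dc.Name]
        if ([string]::IsNullOrEmpty($dc.ManagedBy)) {
            # Nothing delegated: fine unless the allow-list expects a delegate
            $status = if ($expected) { 'MissingDelegation' } else { 'NoDelegation' }
        } elseif ($dc.ManagedBy -eq $expected) {
            $status = 'Approved'   # -eq on strings is case-insensitive, as DN comparison should be
        } else {
            $status = 'Drift'      # the delegated principal is not the approved one
        }
        [pscustomobject]@{
            Name      = $dc.Name
            ManagedBy = $dc.ManagedBy
            Expected  = $expected
            Status    = $status
        }
    }
}

# Live collection, requires the ActiveDirectory module and domain connectivity:
# $rodcs = Get-ADDomainController -Filter 'IsReadOnly -eq $true' |
#     ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN -Properties ManagedBy }

# Constructed sample standing in for that query so the check runs offline
$rodcs = @(
    [pscustomobject]@{ Name = 'RODC01'; ManagedBy = 'CN=RODC Admins Branch1,OU=Groups,DC=contoso,DC=com' }
    [pscustomobject]@{ Name = 'RODC02'; ManagedBy = 'CN=Temp Contractor,OU=Users,DC=contoso,DC=com' }
    [pscustomobject]@{ Name = 'RODC03'; ManagedBy = $null }
)
$approved = @{
    RODC01 = 'cn=rodc admins branch1,ou=groups,dc=contoso,dc=com'
    RODC02 = 'CN=RODC Admins Branch2,OU=Groups,DC=contoso,DC=com'
}

Test-RodcDelegation -Rodc $rodcs -Approved $approved | Format-Table -AutoSize
```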

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98%. Comparing base (bdde66f) to head (7b33fc0). Report is 1 commits behind head on main.

Additional details and impacted files

@@         Coverage Diff         @@
##           main   #709   +/-   ##
===================================
  Coverage    98%    98%           
===================================
  Files        25     25           
  Lines      3475   3512   +37     
===================================
+ Hits       3406   3443   +37     
  Misses       69     69           
Files Coverage Δ
...FT_ADDomainController/MSFT_ADDomainController.psm1 100% <100%> (ø)

codecov[bot] avatar Apr 29 '24 17:04 codecov[bot]

@johlju I hope this is all good to go now!

Borgquite avatar May 02 '24 15:05 Borgquite

Will get back to this as soon as I have time. It's on the todo list. 🙂

johlju avatar May 02 '24 16:05 johlju

Hey @johlju, wondering if you're able to carve out some time for this yet? Appreciate how busy things can be! :)

Borgquite avatar May 10 '24 11:05 Borgquite

@johlju Sorry to pester you as appreciate you've got a lot on - keen to try this in production :) Let me know if you have any time!

Borgquite avatar May 17 '24 10:05 Borgquite

It is on my todo list, I haven't been able to carve out enough free time to do it yet. Will do as soon as possible.

If another community member has time to review then go for it. Then I can merge it too. 😊

johlju avatar May 17 '24 10:05 johlju

@Borgquite one comment then I think this is ready to merge.

johlju avatar May 17 '24 16:05 johlju