DSCResources/MSFT_SPFarmAdministrators/MSFT_SPFarmAdministrators.psm1
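function Get-TargetResource
{
    <#
    .SYNOPSIS
        Reads the current membership of the Farm Administrators group.

    .DESCRIPTION
        Locates the Central Administration web application, resolves its
        associated owner group and returns the login names of that group's
        users together with the parameters that were passed in.

        The SharePoint calls run inside Invoke-SPDSCCommand using
        $InstallAccount. The script block returns $null when no Central
        Administration web application is found; callers in this module
        treat a $null result as "Central Administration not located".

    .PARAMETER Members
        Exact list of farm administrators. Cannot be combined with
        MembersToInclude or MembersToExclude.

    .PARAMETER MembersToInclude
        Accounts that must be farm administrators.

    .PARAMETER MembersToExclude
        Accounts that must not be farm administrators.

    .PARAMETER InstallAccount
        Credential handed to Invoke-SPDSCCommand.
    #>
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $Members,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $MembersToInclude,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $MembersToExclude,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    # Members is an exact list; Include/Exclude are incremental. Mixing the
    # two modes is rejected.
    if ($Members -and (($MembersToInclude) -or ($MembersToExclude)))
    {
        Throw "Cannot use the Members parameter together with the MembersToInclude or MembersToExclude parameters"
    }

    if (!$Members -and !$MembersToInclude -and !$MembersToExclude)
    {
        throw "At least one of the following parameters must be specified: Members, MembersToInclude, MembersToExclude"
    }

    Write-Verbose -Message "Getting all Farm Administrators"

    $result = Invoke-SPDSCCommand -Credential $InstallAccount -Arguments $PSBoundParameters -ScriptBlock {
        $params = $args[0]

        $caWebapp = Get-SPwebapplication -includecentraladministration |
            Where-Object -FilterScript { $_.IsAdministrationWebApplication }

        if ($null -eq $caWebapp)
        {
            Write-Verbose "Unable to locate central administration website"
            return $null
        }

        $caWeb = Get-SPweb($caWebapp.Url)
        $farmAdminGroup = $caWeb.AssociatedOwnerGroup
        $farmAdministratorsGroup = $caWeb.SiteGroups.GetByName($farmAdminGroup)

        return @{
            Name             = $params.Name
            Members          = $farmAdministratorsGroup.users.UserLogin
            MembersToInclude = $params.MembersToInclude
            MembersToExclude = $params.MembersToExclude
            InstallAccount   = $params.InstallAccount
        }
    }

    return $result
}

function Set-TargetResource
{
    <#
    .SYNOPSIS
        Brings the Farm Administrators group in line with the requested state.

    .DESCRIPTION
        Builds an "Add" list and/or a "Remove" list from the difference
        between the current group membership and the requested parameters,
        then hands both lists to Update-SPDSCFarmAdministrators.

        With -Members the group is made to match the list exactly: every
        current member that is not listed is removed.
        With -MembersToInclude / -MembersToExclude only the named accounts
        are added or removed.

        Membership is compared case-insensitively and on whole login names,
        the same way Test-TargetResource compares it.

    .PARAMETER Members
        Exact list of farm administrators. Cannot be combined with
        MembersToInclude or MembersToExclude.

    .PARAMETER MembersToInclude
        Accounts that must be farm administrators.

    .PARAMETER MembersToExclude
        Accounts that must not be farm administrators.

    .PARAMETER InstallAccount
        Credential handed to Invoke-SPDSCCommand.
    #>
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $Members,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $MembersToInclude,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $MembersToExclude,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Setting Farm Administrator config"

    if ($Members -and (($MembersToInclude) -or ($MembersToExclude)))
    {
        Throw "Cannot use the Members parameter together with the MembersToInclude or MembersToExclude parameters"
    }

    if (!$Members -and !$MembersToInclude -and !$MembersToExclude)
    {
        throw "At least one of the following parameters must be specified: Members, MembersToInclude, MembersToExclude"
    }

    $CurrentValues = Get-TargetResource @PSBoundParameters
    if ($null -eq $CurrentValues)
    {
        throw "Unable to locate central administration website"
    }

    $changeUsers = @{}
    $runChange = $false

    if ($Members)
    {
        Write-Verbose "Processing Members parameter"

        # NOTE(review): Compare-Object rejects a $null -ReferenceObject, so an
        # empty Farm Administrators group is not handled on this path - confirm
        # the intended behaviour.
        $differences = Compare-Object -ReferenceObject $CurrentValues.Members -DifferenceObject $Members

        if ($null -eq $differences)
        {
            Write-Verbose "Farm Administrators group matches. No further processing required"
        }
        else
        {
            Write-Verbose "Farm Administrators group does not match. Perform corrective action"
            $addUsers = @()
            $removeUsers = @()

            ForEach ($difference in $differences)
            {
                if ($difference.SideIndicator -eq "=>")
                {
                    # Present only in the requested list: add the account.
                    $user = $difference.InputObject
                    Write-Verbose "Add $user to Add list"
                    $addUsers += $user
                }
                elseif ($difference.SideIndicator -eq "<=")
                {
                    # Present only in the current group: remove the account.
                    $user = $difference.InputObject
                    Write-Verbose "Add $user to Remove list"
                    $removeUsers += $user
                }
            }

            if ($addUsers.count -gt 0)
            {
                Write-Verbose "Adding $($addUsers.Count) users to the Farm Administrators group"
                $changeUsers["Add"] = $addUsers
                $runChange = $true
            }

            if ($removeUsers.count -gt 0)
            {
                Write-Verbose "Removing $($removeUsers.Count) users from the Farm Administrators group"
                $changeUsers["Remove"] = $removeUsers
                $runChange = $true
            }
        }
    }

    if ($MembersToInclude)
    {
        Write-Verbose "Processing MembersToInclude parameter"
        $addUsers = @()

        ForEach ($member in $MembersToInclude)
        {
            # -contains matches whole login names case-insensitively. The
            # .Contains() method is a substring test when the group holds a
            # single login (a string) and a case-sensitive test when it holds
            # several, and it throws when the member list is $null.
            if (-not($CurrentValues.Members -contains $member))
            {
                Write-Verbose "$member is not a Farm Administrator. Add user to Add list"
                $addUsers += $member
            }
            else
            {
                Write-Verbose "$member is already a Farm Administrator. Skipping"
            }
        }

        if ($addUsers.count -gt 0)
        {
            Write-Verbose "Adding $($addUsers.Count) users to the Farm Administrators group"
            $changeUsers["Add"] = $addUsers
            $runChange = $true
        }
    }

    if ($MembersToExclude)
    {
        Write-Verbose "Processing MembersToExclude parameter"
        $removeUsers = @()

        ForEach ($member in $MembersToExclude)
        {
            # Same comparison as Test-TargetResource, so an account that Test
            # reports as an unwanted farm administrator is actually removed
            # here even when its login name differs only in letter case.
            if ($CurrentValues.Members -contains $member)
            {
                Write-Verbose "$member is a Farm Administrator. Add user to Remove list"
                $removeUsers += $member
            }
            else
            {
                Write-Verbose "$member is not a Farm Administrator. Skipping"
            }
        }

        if ($removeUsers.count -gt 0)
        {
            Write-Verbose "Removing $($removeUsers.Count) users from the Farm Administrators group"
            $changeUsers["Remove"] = $removeUsers
            $runChange = $true
        }
    }

    if ($runChange)
    {
        Write-Verbose "Apply changes"
        Update-SPDSCFarmAdministrators $changeUsers
    }
}

function Test-TargetResource
{
    <#
    .SYNOPSIS
        Reports whether the Farm Administrators group matches the requested state.

    .DESCRIPTION
        Returns $false when Get-TargetResource yields $null.
        With -Members, returns $true only when Compare-Object finds no
        difference between the current and the requested list.
        With -MembersToInclude / -MembersToExclude, returns $false as soon as
        any account to include is missing or any account to exclude is
        present; every account is still evaluated so that each one is logged.

    .PARAMETER Members
        Exact list of farm administrators. Cannot be combined with
        MembersToInclude or MembersToExclude.

    .PARAMETER MembersToInclude
        Accounts that must be farm administrators.

    .PARAMETER MembersToExclude
        Accounts that must not be farm administrators.

    .PARAMETER InstallAccount
        Credential handed to Invoke-SPDSCCommand.
    #>
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $Members,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $MembersToInclude,

        [parameter(Mandatory = $false)]
        [System.String[]]
        $MembersToExclude,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Testing Farm Administrator settings"

    if ($Members -and (($MembersToInclude) -or ($MembersToExclude)))
    {
        Throw "Cannot use the Members parameter together with the MembersToInclude or MembersToExclude parameters"
    }

    if (!$Members -and !$MembersToInclude -and !$MembersToExclude)
    {
        throw "At least one of the following parameters must be specified: Members, MembersToInclude, MembersToExclude"
    }

    $CurrentValues = Get-TargetResource @PSBoundParameters
    if ($null -eq $CurrentValues)
    {
        return $false
    }

    if ($Members)
    {
        Write-Verbose "Processing Members parameter"

        # NOTE(review): Compare-Object rejects a $null -ReferenceObject, so an
        # empty Farm Administrators group is not handled on this path - confirm
        # the intended behaviour.
        $differences = Compare-Object -ReferenceObject $CurrentValues.Members -DifferenceObject $Members

        if ($null -eq $differences)
        {
            Write-Verbose "Farm Administrators group matches"
            return $true
        }
        else
        {
            Write-Verbose "Farm Administrators group does not match"
            return $false
        }
    }

    $result = $true

    if ($MembersToInclude)
    {
        Write-Verbose "Processing MembersToInclude parameter"

        ForEach ($member in $MembersToInclude)
        {
            if (-not($CurrentValues.Members -contains $member))
            {
                Write-Verbose "$member is not a Farm Administrator. Set result to false"
                $result = $false
            }
            else
            {
                Write-Verbose "$member is already a Farm Administrator. Skipping"
            }
        }
    }

    if ($MembersToExclude)
    {
        Write-Verbose "Processing MembersToExclude parameter"

        ForEach ($member in $MembersToExclude)
        {
            if ($CurrentValues.Members -contains $member)
            {
                Write-Verbose "$member is a Farm Administrator. Set result to false"
                $result = $false
            }
            else
            {
                Write-Verbose "$member is not a Farm Administrator. Skipping"
            }
        }
    }

    return $result
}

function Update-SPDSCFarmAdministrators
{
    <#
    .SYNOPSIS
        Adds and removes users in the Farm Administrators group.

    .DESCRIPTION
        Resolves the Central Administration web application and its associated
        owner group, then adds every login under the "Add" key and removes
        every login under the "Remove" key of $changeUsers. Throws when the
        Central Administration web application cannot be found.

    .PARAMETER changeUsers
        Hashtable with optional "Add" and "Remove" keys, each holding a list
        of login names.
    #>
    param
    (
        [Hashtable]
        $changeUsers
    )

    # NOTE(review): $InstallAccount is not declared in this param block; it
    # resolves through the caller's scope (Set-TargetResource). Passing the
    # credential explicitly would make it clear which identity changes the
    # group membership.
    # The result is discarded so nothing leaks into the caller's output.
    $null = Invoke-SPDSCCommand -Credential $InstallAccount -Arguments $changeUsers -ScriptBlock {
        $changeUsers = $args[0]

        $caWebapp = Get-SPwebapplication -includecentraladministration |
            Where-Object -FilterScript { $_.IsAdministrationWebApplication }

        if ($null -eq $caWebapp)
        {
            throw "Unable to locate central administration website"
        }

        $caWeb = Get-SPweb($caWebapp.Url)
        $farmAdminGroup = $caWeb.AssociatedOwnerGroup

        if ($changeUsers.ContainsKey("Add"))
        {
            ForEach ($loginName in $changeUsers["Add"])
            {
                $caWeb.SiteGroups.GetByName($farmAdminGroup).AddUser($loginName, "", "", "")
            }
        }

        if ($changeUsers.ContainsKey("Remove"))
        {
            ForEach ($loginName in $changeUsers["Remove"])
            {
                $removeUser = get-spuser $loginName -web $caWebapp.Url
                $caWeb.SiteGroups.GetByName($farmAdminGroup).RemoveUser($removeUser)
            }
        }
    }
}

Export-ModuleMember -Function *-TargetResource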