DSCResources/VE_XD7Role/VE_XD7Role.ps1
Import-LocalizedData -BindingVariable localizedData -FileName Resources.psd1; function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [System.String] $Name, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [System.String[]] $Members, [Parameter()] [ValidateSet('Present','Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateNotNullOrEmpty()] [System.String] $RoleScope = 'All', [Parameter()] [AllowNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential ) begin { AssertXDModule -Name 'Citrix.DelegatedAdmin.Admin.V1' -IsSnapin; } process { $scriptBlock = { Add-PSSnapin -Name 'Citrix.DelegatedAdmin.Admin.V1' -ErrorAction Stop; $xdAdminRoleMembers = Get-AdminAdministrator | Select-Object -Property Name -ExpandProperty Rights | Where-Object { $_.RoleName -eq $using:Name -and $_.ScopeName -eq $using:RoleScope } | ForEach { $_.Name }; $targetResource = @{ Name = $using:Name; Scope = $using:RoleScope; Members = $xdAdminRoleMembers; Ensure = $using:Ensure; }; return $targetResource; } #end scriptblock $invokeCommandParams = @{ ScriptBlock = $scriptBlock; ErrorAction = 'Stop'; } if ($Credential) { AddInvokeScriptBlockCredentials -Hashtable $invokeCommandParams -Credential $Credential; } else { $invokeCommandParams['ScriptBlock'] = [System.Management.Automation.ScriptBlock]::Create($scriptBlock.ToString().Replace('$using:','$')); } $scriptBlockParams = @($Name, $RoleScope, $Members, $Ensure); Write-Verbose ($localizedData.InvokingScriptBlockWithParams -f [System.String]::Join("','", $scriptBlockParams)); $targetResource = Invoke-Command @invokeCommandParams; return $targetResource; } #end process } #end function Get-TargetResource function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [System.String] $Name, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [System.String[]] $Members, [Parameter()] [ValidateSet('Present','Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateNotNullOrEmpty()] [System.String] $RoleScope = 'All', [Parameter()] [AllowNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential ) process { $targetResource = Get-TargetResource @PSBoundParameters; foreach ($member in $Members) { $netBIOSName = $member; if ($member.Contains('\')) { $netBIOSName = $member.Split('\')[1]; } ## Try a direct match if ($targetResource.Members -contains $member) { if ($Ensure -eq 'Absent') { Write-Verbose ($localizedData.SurplusRoleMember -f $member); $targetResource['Ensure'] = 'Present'; } } ## If not, try a *\UserName or *\GroupName match elseif ($targetResource.Members -match '^\S+\\{0}$' -f $netBIOSName) { Write-Warning -Message ($localizedData.UserNameNotFullyQualifiedWarning -f $member); if ($Ensure -eq 'Absent') { Write-Verbose ($localizedData.SurplusRoleMember -f $member); $targetResource['Ensure'] = 'Present'; } } else { if ($Ensure -eq 'Present') { Write-Verbose ($localizedData.MissingRoleMember -f $member); $targetResource['Ensure'] = 'Absent'; } } } #end foreach member if ($targetResource['Ensure'] -eq $Ensure) { Write-Verbose ($localizedData.ResourceInDesiredState -f $Name); return $true; } else { Write-Verbose ($localizedData.ResourceNotInDesiredState -f $Name); return $false; } } #end process } #end function Test-TargetResource function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [System.String] $Name, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [System.String[]] $Members, [Parameter()] [ValidateSet('Present','Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateNotNullOrEmpty()] [System.String] $RoleScope = 'All', [Parameter()] [AllowNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential ) begin { AssertXDModule -Name 'Citrix.DelegatedAdmin.Admin.V1' -IsSnapin; } process { $scriptBlock = { Add-PSSnapin -Name 'Citrix.DelegatedAdmin.Admin.V1' -ErrorAction Stop; if ($using:Ensure -eq 'Present') { foreach ($member in $using:Members) { Write-Verbose ($using:localizedData.AddingRoleMember -f $member, $using:Name); Add-AdminRight -Administrator $member -Role $using:Name -Scope $using:RoleScope; } } else { foreach ($member in $using:Members) { $hasAdminRights = Get-AdminAdministrator -Name $member | Select-Object -ExpandProperty Rights | Where-Object { $_.RoleName -eq $using:Name -and $_.ScopeName -eq $using:RoleScope }; if ($hasAdminRights) { Write-Verbose ($using:localizedData.RemovingRoleMember -f $member, $using:Name); Remove-AdminRight -Administrator $member -Role $using:Name -Scope $using:RoleScope; } } } } #end scriptblock $invokeCommandParams = @{ ScriptBlock = $scriptBlock; ErrorAction = 'Stop'; } if ($Credential) { AddInvokeScriptBlockCredentials -Hashtable $invokeCommandParams -Credential $Credential; } else { $invokeCommandParams['ScriptBlock'] = [System.Management.Automation.ScriptBlock]::Create($scriptBlock.ToString().Replace('$using:','$')); } $scriptBlockParams = @($Name, $RoleScope, $Members, $Ensure); Write-Verbose ($localizedData.InvokingScriptBlockWithParams -f [System.String]::Join("','", $scriptBlockParams)); $targetResource = Invoke-Command @invokeCommandParams; } #end process } #end function Set-TargetResource |