DSCResources/MSFT_xADUser/MSFT_xADUser.psm1

function Get-TargetResource
{
    <#
    .SYNOPSIS
        Reports the current state of an AD user account as a DSC hashtable.
    .DESCRIPTION
        Looks the account up with Get-ADUser under the supplied administrator
        credential. Ensure is reported as "Present" when the lookup succeeds and
        "Absent" when AD raises ADIdentityNotFoundException; any other failure is
        written as an error and rethrown. Password is accepted only for schema
        parity with Set/Test and is not evaluated here.
    .PARAMETER DomainName
        Domain the account belongs to (used in messages; the AD cmdlet is not
        given -Server, so it queries the machine's default domain).
    .PARAMETER UserName
        Identity passed to Get-ADUser.
    .PARAMETER DomainAdministratorCredential
        Credential used for the directory lookup.
    .PARAMETER Password
        Unused in Get; present so the same parameter set can be splatted.
    .PARAMETER Ensure
        Incoming desired state; the returned Ensure reflects the actual state.
    .OUTPUTS
        Hashtable with DomainName, UserName and Ensure.
    #>
    param
    (
        [Parameter(Mandatory)]
        [string]$DomainName,

        [Parameter(Mandatory)]
        [string]$UserName,

        [Parameter(Mandatory)]
        [PSCredential]$DomainAdministratorCredential,

        [PSCredential]$Password,

        [ValidateSet("Present","Absent")]
        [string]$Ensure = "Present"
    )

    # Only the success/failure of the lookup matters; the object itself is discarded.
    try
    {
        Write-Verbose -Message "Checking if the user $UserName in domain $DomainName is present ..."
        $null = Get-AdUser -Identity $UserName -Credential $DomainAdministratorCredential
        Write-Verbose -Message "User $UserName in domain $DomainName is present."
        $actualState = "Present"
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
    {
        # Not-found is a normal outcome, not an error.
        Write-Verbose -Message "User $UserName account in domain $DomainName is NOT present"
        $actualState = "Absent"
    }
    catch
    {
        # Anything else (server down, access denied, ...) must surface to the LCM.
        Write-Error -Message "Unhandled exception looking up $UserName account in domain $DomainName."
        throw $_
    }

    return @{
        DomainName = $DomainName
        UserName   = $UserName
        Ensure     = $actualState
    }
}

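function Set-TargetResource
{
    <#
    .SYNOPSIS
        Brings the AD user account into the state described by Ensure/Password.
    .DESCRIPTION
        Delegates to ValidateProperties with -Apply, which creates, removes,
        enables or resets the password of the account as needed. Output from
        ValidateProperties is discarded: a DSC Set function must not emit objects
        to the pipeline, and ValidateProperties returns $true on some -Apply
        paths. Failures are written as errors and rethrown so the LCM marks the
        resource as failed.
    .PARAMETER DomainName
        Domain the account belongs to (used in messages and in the password
        validation context inside ValidateProperties).
    .PARAMETER UserName
        Identity of the account to create, remove or update.
    .PARAMETER DomainAdministratorCredential
        Credential used for all directory operations.
    .PARAMETER Password
        Desired account password; when given, it is validated and reset if wrong.
    .PARAMETER Ensure
        "Present" to create/keep the account, "Absent" to remove it.
    #>
    param
    (
        [Parameter(Mandatory)]
        [string]$DomainName,

        [Parameter(Mandatory)]
        [string]$UserName,

        [Parameter(Mandatory)]
        [PSCredential]$DomainAdministratorCredential,

        [PSCredential]$Password,

        [ValidateSet("Present","Absent")]
        [string]$Ensure = "Present"
    )

    try
    {
        # Suppress the boolean ValidateProperties may return; Set stays silent.
        $null = ValidateProperties @PSBoundParameters -Apply
    }
    catch
    {
        Write-Error -Message "Error setting AD User $UserName in domain $DomainName. $_"
        throw $_
    }
}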

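function Test-TargetResource
{
    <#
    .SYNOPSIS
        Returns $true when the AD user account already matches the desired state.
    .DESCRIPTION
        Delegates to ValidateProperties without -Apply, which only inspects the
        account (and, when Password is given, attempts a credential validation
        against the domain). The result is cast to [bool] so that a path yielding
        no output is reported as "not in desired state" instead of an empty
        pipeline. Failures are written as errors and rethrown.
    .PARAMETER DomainName
        Domain the account belongs to.
    .PARAMETER UserName
        Identity of the account to test.
    .PARAMETER DomainAdministratorCredential
        Credential used for the directory lookup and the validation context.
    .PARAMETER Password
        When given, the account password is checked against the domain.
    .PARAMETER Ensure
        "Present" or "Absent".
    .OUTPUTS
        [bool]
    #>
    param
    (
        [Parameter(Mandatory)]
        [string]$DomainName,

        [Parameter(Mandatory)]
        [string]$UserName,

        [Parameter(Mandatory)]
        [PSCredential]$DomainAdministratorCredential,

        [PSCredential]$Password,

        [ValidateSet("Present","Absent")]
        [string]$Ensure = "Present"
    )

    try
    {
        # -Debug is dropped from the splat as before; Remove() returns a bool
        # that was previously stored in an unused variable.
        [void]$PSBoundParameters.Remove("Debug")
        return [bool](ValidateProperties @PSBoundParameters)
    }
    catch
    {
        Write-Error -Message "Error testing AD User $UserName in domain $DomainName. $_"
        throw $_
    }
}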

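function ValidateProperties
{
    <#
    .SYNOPSIS
        Checks (and with -Apply, enforces) the existence, enabled state and
        password of an AD user account.
    .DESCRIPTION
        Without -Apply the function returns $true/$false describing whether the
        account matches Ensure and, when Password is supplied, whether that
        password is accepted by the domain. With -Apply it removes, creates,
        enables or resets the password of the account as needed; on those paths
        it may return $true or nothing.

        The ADIdentityNotFoundException handler wraps the whole try block, so an
        identity-not-found raised by Remove-ADUser/Set-ADUser after the initial
        lookup is treated as "account absent" as well.

        Password validation opens a PrincipalContext with the administrator
        credential and calls ValidateCredentials, which performs a real logon
        attempt for UserName; a wrong password therefore counts as a failed
        logon for that account. The context is disposed in a finally block so
        the directory connection is not leaked. Both passwords are materialised
        as plain-text strings for the duration of the call because the
        AccountManagement API accepts nothing else.
    .PARAMETER DomainName
        Domain used for the PrincipalContext. NOTE(review): the AD cmdlets are
        not given -Server, so they run against the machine's default domain;
        confirm that is intended.
    .PARAMETER UserName
        Identity of the account.
    .PARAMETER DomainAdministratorCredential
        Credential for all directory operations and the validation context.
    .PARAMETER Password
        Desired account password; when omitted only existence is checked.
    .PARAMETER Ensure
        "Present" or "Absent".
    .PARAMETER Apply
        When set, changes are made; otherwise the function only reports.
    .OUTPUTS
        [bool] or nothing (see description).
    #>
    param
    (
        [Parameter(Mandatory)]
        [string]$DomainName,

        [Parameter(Mandatory)]
        [string]$UserName,

        [Parameter(Mandatory)]
        [PSCredential]$DomainAdministratorCredential,

        [PSCredential]$Password,

        [ValidateSet("Present","Absent")]
        [string]$Ensure = "Present",

        [Switch]$Apply
    )

    $result = $true
    # Check if user exists and if user exists validate the password
    try
    {
        Write-Verbose -Message "Checking if the user $UserName in domain $DomainName is present ..."
        $user = Get-AdUser -Identity $UserName -Credential $DomainAdministratorCredential
        Write-Verbose -Message "User $UserName in domain $DomainName is present."

        if( $Ensure -eq "Absent" )
        {
            if( $Apply )
            {
                Remove-ADUser -Identity $UserName -Credential $DomainAdministratorCredential -Confirm:$false
                Write-Verbose -Message "Removed $UserName account in domain $DomainName."
                return
            }
            else
            {
                return $false
            }
        }

        if($Apply)
        {
            # If account is not enabled, enable it. Needed for password validation
            If(!($user.Enabled))
            {
                Set-AdUser -Identity $UserName -Enabled $true -Credential $DomainAdministratorCredential
                Write-Verbose -Message "Enabled $UserName account in domain $DomainName."
            }
        }

        # If password is specified, check if it is valid
        if($Password)
        {
            Write-Verbose -Message "Checking if the user $UserName password is valid ..."
            Add-Type -AssemblyName 'System.DirectoryServices.AccountManagement'

            # PrincipalContext is IDisposable and holds a directory connection;
            # release it even if ValidateCredentials throws.
            $prnContext = $null
            try
            {
                Write-Verbose -Message "Creating connection to the domain $DomainName ..."
                $prnContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
                                "Domain", $DomainName, $DomainAdministratorCredential.UserName,
                                $DomainAdministratorCredential.GetNetworkCredential().Password)

                # Real logon attempt; returns $true or $false (a wrong password
                # is a failed logon for the account).
                $result = $prnContext.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password)
            }
            finally
            {
                if ($null -ne $prnContext)
                {
                    $prnContext.Dispose()
                }
            }

            if($result)
            {
                Write-Verbose -Message "User $UserName password is valid"
                return $true
            }
            else
            {
                Write-Verbose -Message "User $UserName password is NOT valid"
                if($Apply)
                {
                    Set-AdAccountPassword -Reset -Identity $UserName -NewPassword $Password.Password -Credential $DomainAdministratorCredential
                    Write-Verbose -Message "User $UserName password has been reset"
                }
                else
                {
                    return $false
                }
            }
        }
        else
        {
            Write-Verbose -Message "User $UserName account in domain $DomainName is present"
            return $true
        }
    }
    # User not found
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
    {
        Write-Verbose -Message "User $UserName account in domain $DomainName is NOT present"
        if($Apply)
        {
            if( $Ensure -ne "Absent" )
            {
                $params = @{ Name = $UserName; Credential = $DomainAdministratorCredential }
                if( $Password )
                {
                    # Only enable the new account when a password is being set.
                    $params.Add( "AccountPassword", $Password.Password )
                    $params.Add( "Enabled", $true )
                }
                New-AdUser @params
                Write-Verbose -Message "User $UserName account in domain $DomainName has been created"
            }
        }
        else
        {
            # Absent account is compliant only when Ensure is "Absent".
            return ( $Ensure -eq "Absent" )
        }
    }
}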

# Only the three DSC entry points are public; ValidateProperties stays module-private.
Export-ModuleMember -Function 'Get-TargetResource', 'Set-TargetResource', 'Test-TargetResource'