ADGroup: Changing group membership management mechanism

.vscode/settings.json

@@ -11,5 +11,12 @@
     "powershell.codeFormatting.preset": "Custom",
     "files.trimTrailingWhitespace": true,
     "files.insertFinalNewline": true,
-    "powershell.scriptAnalysis.settingsPath": ".vscode\\analyzersettings.psd1"
+    "files.defaultLanguage": "powershell",
+    "powershell.scriptAnalysis.settingsPath": ".vscode\\analyzersettings.psd1",
+    "[powershell]": {
+        "editor.rulers": [ 120 ]
+    },
+    "[markdown]": {
+        "editor.rulers": [ 120 ]
+    },
 }

CHANGELOG.md

@@ -7,6 +7,13 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md)
 
 ## [Unreleased]
 
+### Added
+
+- ADGroup
+  - Added support for managing AD group membership of Foreign Security Principals. This involved completely
+    refactoring group membership management to utilize the `Set-ADGroup` cmdlet and referencing SID values.
+    ([issue #619](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/619)).
+
 ### Changed
 
 - ActiveDirectoryDsc

source/DSCResources/MSFT_ADGroup/MSFT_ADGroup.psm1

@@ -655,8 +655,6 @@ function Set-TargetResource
 
     Assert-MemberParameters @assertMemberParameters
 
-    $membersInMultipleDomains = $false
-
     if ($MembershipAttribute -eq 'DistinguishedName')
     {
         $allMembers = $Members + $MembersToInclude + $MembersToExclude
@@ -676,7 +674,6 @@ function Set-TargetResource
         if ($GroupMemberDomainCount -gt 1 -or ($groupMemberDomains -ine (Get-DomainName)).Count -gt 0)
         {
             Write-Verbose -Message ($script:localizedData.GroupMembershipMultipleDomains -f $GroupMemberDomainCount)
-            $membersInMultipleDomains = $true
         }
     }
 
@@ -842,12 +839,24 @@ function Set-TargetResource
                         {
                             Write-Verbose -Message ($script:localizedData.RemovingGroupMembers -f $adGroupMembers.Count, $GroupName)
 
-                            Remove-ADGroupMember @commonParameters -Members $adGroupMembers -Confirm:$false -ErrorAction 'Stop'
+                            $removeMemberSplat = @{
+                                Members = $adGroupMembers
+                                MembershipAttribute = $MembershipAttribute
+                                Parameters = $commonParameters
+                                Action = 'Remove'
+                            }
+                            Set-ADCommonGroupMember @removeMemberSplat
                         }
 
                         Write-Verbose -Message ($script:localizedData.AddingGroupMembers -f $Members.Count, $GroupName)
 
-                        Add-ADCommonGroupMember -Parameters $commonParameters -Members $Members -MembersInMultipleDomains:$membersInMultipleDomains
+                        $addMemberSplat = @{
+                            Members = $Members
+                            MembershipAttribute = $MembershipAttribute
+                            Parameters = $commonParameters
+                            Action = 'Add'
+                        }
+                        Set-ADCommonGroupMember @addMemberSplat
                     }
 
                     if ($PSBoundParameters.ContainsKey('MembersToInclude') -and -not [System.String]::IsNullOrEmpty($MembersToInclude))
@@ -856,7 +865,13 @@ function Set-TargetResource
 
                         Write-Verbose -Message ($script:localizedData.AddingGroupMembers -f $MembersToInclude.Count, $GroupName)
 
-                        Add-ADCommonGroupMember -Parameters $commonParameters -Members $MembersToInclude -MembersInMultipleDomains:$membersInMultipleDomains
+                        $addMemberSplat = @{
+                            Members = $MembersToInclude
+                            MembershipAttribute = $MembershipAttribute
+                            Parameters = $commonParameters
+                            Action = 'Add'
+                        }
+                        Set-ADCommonGroupMember @addMemberSplat
                     }
 
                     if ($PSBoundParameters.ContainsKey('MembersToExclude') -and -not [System.String]::IsNullOrEmpty($MembersToExclude))
@@ -865,7 +880,13 @@ function Set-TargetResource
 
                         Write-Verbose -Message ($script:localizedData.RemovingGroupMembers -f $MembersToExclude.Count, $GroupName)
 
-                        Remove-ADGroupMember @commonParameters -Members $MembersToExclude -Confirm:$false -ErrorAction 'Stop'
+                        $removeMemberSplat = @{
+                            Members = $MembersToExclude
+                            MembershipAttribute = $MembershipAttribute
+                            Parameters = $commonParameters
+                            Action = 'Remove'
+                        }
+                        Set-ADCommonGroupMember @removeMemberSplat
                     }
                 }
             }
@@ -960,15 +981,27 @@ function Set-TargetResource
 
                 Write-Verbose -Message ($script:localizedData.AddingGroupMembers -f $Members.Count, $GroupName)
 
-                Add-ADCommonGroupMember -Parameters $commonParameters -Members $Members -MembersInMultipleDomains:$membersInMultipleDomains
+                $addMemberSplat = @{
+                    Members = $Members
+                    MembershipAttribute = $MembershipAttribute
+                    Parameters = $commonParameters
+                    Action = 'Add'
+                }
+                Set-ADCommonGroupMember @addMemberSplat
             }
             elseif ($PSBoundParameters.ContainsKey('MembersToInclude') -and -not [System.String]::IsNullOrEmpty($MembersToInclude))
             {
                 $MembersToInclude = Remove-DuplicateMembers -Members $MembersToInclude
 
                 Write-Verbose -Message ($script:localizedData.AddingGroupMembers -f $MembersToInclude.Count, $GroupName)
 
-                Add-ADCommonGroupMember -Parameters $commonParameters -Members $MembersToInclude -MembersInMultipleDomains:$membersInMultipleDomains
+                $addMemberSplat = @{
+                    Members = $MembersToInclude
+                    MembershipAttribute = $MembershipAttribute
+                    Parameters = $commonParameters
+                    Action = 'Add'
+                }
+                Set-ADCommonGroupMember @addMemberSplat
             }
         }
     } #end catch

source/Modules/ActiveDirectoryDsc.Common/ActiveDirectoryDsc.Common.psd1

@@ -37,7 +37,7 @@
         'ConvertTo-DeploymentDomainMode'
         'Restore-ADCommonObject'
         'Get-ADDomainNameFromDistinguishedName'
-        'Add-ADCommonGroupMember'
+        'Set-ADCommonGroupMember'
         'Get-DomainControllerObject'
         'Test-IsDomainController'
         'Convert-PropertyMapToObjectProperties'
@@ -53,6 +53,7 @@
         'Get-ActiveDirectoryDomain'
         'Get-ActiveDirectoryForest'
         'Resolve-SamAccountName'
+        'Resolve-MembersSecurityIdentifier'
     )
 
     # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.