$script:ModuleRoot = $PSScriptRoot
$script:ModuleVersion = (Import-PowerShellDataFile -Path "$($script:ModuleRoot)\ADLDSMF.psd1").ModuleVersion

# Detect whether at some level dotsourcing was enforced
$script:doDotSource = Get-PSFConfigValue -FullName ADLDSMF.Import.DoDotSource -Fallback $false
if ($ADLDSMF_dotsourcemodule) { $script:doDotSource = $true }

Note on Resolve-Path:
All paths are sent through Resolve-Path/Resolve-PSFPath in order to convert them to the correct path separator.
This allows ignoring path separators throughout the import sequence, which could otherwise cause trouble depending on OS.
Resolve-Path can only be used for paths that already exist, Resolve-PSFPath can accept that the last leaf my not exist.
This is important when testing for paths.

# Detect whether at some level loading individual module files, rather than the compiled module was enforced
$importIndividualFiles = Get-PSFConfigValue -FullName ADLDSMF.Import.IndividualFiles -Fallback $false
if ($ADLDSMF_importIndividualFiles) { $importIndividualFiles = $true }
if (Test-Path (Resolve-PSFPath -Path "$($script:ModuleRoot)\..\.git" -SingleItem -NewChild)) { $importIndividualFiles = $true }
if ("<was compiled>" -eq '<was not compiled>') { $importIndividualFiles = $true }
function Import-ModuleFile
            Loads files into the module on module import.
            This helper function is used during module initialization.
            It should always be dotsourced itself, in order to proper function.
            This provides a central location to react to files being imported, if later desired
        .PARAMETER Path
            The path to the file to load
            PS C:\> . Import-ModuleFile -File $function.FullName
            Imports the file stored in $function according to import policy

    Param (
    $resolvedPath = $ExecutionContext.SessionState.Path.GetResolvedPSPathFromPSPath($Path).ProviderPath
    if ($doDotSource) { . $resolvedPath }
    else { $ExecutionContext.InvokeCommand.InvokeScript($false, ([scriptblock]::Create([io.file]::ReadAllText($resolvedPath))), $null, $null) }

#region Load individual files
if ($importIndividualFiles)
    # Execute Preimport actions
    foreach ($path in (& "$ModuleRoot\internal\scripts\preimport.ps1")) {
        . Import-ModuleFile -Path $path
    # Import all internal functions
    foreach ($function in (Get-ChildItem "$ModuleRoot\internal\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
        . Import-ModuleFile -Path $function.FullName
    # Import all public functions
    foreach ($function in (Get-ChildItem "$ModuleRoot\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
        . Import-ModuleFile -Path $function.FullName
    # Execute Postimport actions
    foreach ($path in (& "$ModuleRoot\internal\scripts\postimport.ps1")) {
        . Import-ModuleFile -Path $path
    # End it here, do not load compiled code below
#endregion Load individual files

#region Load compiled code
This file loads the strings documents from the respective language folders.
This allows localizing messages and errors.
Load psd1 language files for each language you wish to support.
Partial translations are acceptable - when missing a current language message,
it will fallback to English or another available language.

Import-PSFLocalizedString -Path "$($script:ModuleRoot)\en-us\*.psd1" -Module 'ADLDSMF' -Language 'en-US'

function New-Change {
        Create a new change object.
        Create a new change object.
        Helper command that unifies result generation.
    .PARAMETER Identity
        The identity the change applies to.
    .PARAMETER Property
        What property is being modified.
    .PARAMETER OldValue
        The old value that is being updated.
    .PARAMETER NewValue
        The new value that will be set instead.
    .PARAMETER DisplayStyle
        How the change will display in text form.
        Defaults to: NewValue
        Additional data to include in the change.
        PS C:\> New-Change -Identity "CN=max,OU=Users,DC=Fabrikam,DC=org" Property LuckyNumber -OldValue 1 -NewValue 42
        Creates a new change.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    param (
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]



        [ValidateSet('NewValue', 'RemoveValue')]
        $DisplayStyle = 'NewValue',


    $dsStyles = @{
        'NewValue'    = {
            '{0} -> {1}' -f $this.Property, $this.New
        'RemoveValue' = {
            '{0} Remove {1}' -f $this.Property, $this.Old

    $object = [PSCustomObject]@{
        PSTypeName = 'AdLds.Change'
        Identity   = $Identity
        Property   = $Property
        Old        = $OldValue
        New        = $NewValue
        Data       = $Data
    Add-Member -InputObject $object -MemberType ScriptMethod -Name ToString -Value $dsStyles[$DisplayStyle] -Force

function New-Password {
            Generate a new, complex password.
            Generate a new, complex password.
        .PARAMETER Length
            The length of the password calculated.
            Defaults to 32
        .PARAMETER AsSecureString
            Returns the password as secure string.
            PS C:\> New-Password
            Generates a new 32v character password.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingConvertToSecureStringWithPlainText", "")]
    Param (
        $Length = 32,

    begin {
        $characters = @{
            0 = @('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z')
            1 = @('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z')
            2 = @(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
            3 = @('#', '$', '%', '&', "'", '(', ')', '*', '+', ',', '-', '.', '/', ':', ';', '<', '=', '>', '?', '@')
            4 = @('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z')
            5 = @('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z')
            6 = @(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
            7 = @('#', '$', '%', '&', "'", '(', ')', '*', '+', ',', '-', '.', '/', ':', ';', '<', '=', '>', '?', '@')
    process {
        $letters = foreach ($number in (5..$Length)) {
            $characters[(($number % 4) + (0..4 | Get-Random))] | Get-Random
        0, 1, 2, 3 | ForEach-Object {
            $letters += $characters[$_] | Get-Random
        $letters = $letters | Sort-Object { Get-Random }
        if ($AsSecureString) { $letters -join "" | ConvertTo-SecureString -AsPlainText -Force }
        else { $letters -join "" }

function New-TestResult {
        A new test result, as produced by any of the test commands.
        A new test result, as produced by any of the test commands.
        This helper function ensures that all test results look the same.
        What kind object is being tested.
        Should receive the objectclass being affected.
    .PARAMETER Action
        What we do with the object in question.
    .PARAMETER Identity
        The specific object being changed.
    .PARAMETER Change
        Any specific change data that will be applied to the object.
        See New-Change for more details on that structure.
        The actual AD LDS Object being modified.
        Will usually be $null when creating something new.
    .PARAMETER Configuration
        The configuration object based on which the change will be applied.
        PS C:\> New-TestResult -Type User -Action Create -Identity $userName -Configuration $configSet
        Test result heralding the creation of a new user.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    param (

        [ValidateSet('Create', 'Update', 'Delete', 'Add', 'Remove', 'Rename')]





        PSTypeName    = 'AdLds.Testresult'
        Type          = $Type
        Action        = $Action
        Identity      = $Identity
        Change        = $Change
        ADObject      = $ADObject
        Configuration = $Configuration

function Resolve-SchemaGuid {
        Resolves the name of an attribute or objectclass to its GUID form.
        Resolves the name of an attribute or objectclass to its GUID form.
        Used to enable user-friendly names in configuration.
        + Supports caching requests to optimize performance
        + Will return guids unmodified
        The name or guid of the attribute or object class.
        Guids will be returned unverified.
    .PARAMETER Server
        The LDS Server to connect to.
    .PARAMETER Credential
        The credentials - if any - to use to the specified server.
    .PARAMETER Cache
        A hashtable used for caching requests.
        PS C:\> Resolve-SchemaGuid -Name contact -Server -Cache $cache
        Returns the GUID form of the "contact" object class if present.

    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

        [Parameter(Mandatory = $true)]


        $Cache = @{ }

    begin {
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
    process {
        if ($Name -as [Guid]) {
            return $Name

        if ($Cache[$Name]) {
            return $Cache[$Name]

        $rootDSE = [adsi]"LDAP://$Server/rootDSE"
        $targetObjectClassObj = Get-ADObject @ldsParam -SearchBase ($rootdse.schemaNamingContext.value) -LDAPFilter "CN=$Name" -Properties 'schemaIDGUID'
        if (-not $targetObjectClassObj) {
            throw "Unknown attribute or object class: $Name"
        $bytes = [byte[]]$targetObjectClassObj.schemaIDGUID
        $guid = [guid]::new($bytes)
        $Cache[$Name] = "$guid"


function Unprotect-OrganizationalUnit {
        Removes deny rules on OrganizationalUnits.
        Removes deny rules on OrganizationalUnits.
        Necessary whenever we want to delete an OU.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Identity
        The OU to unprotect.
        Specify the full distinguishedname.
        PS C:\> Unprotect-OrganizationalUnit @ldsParam -Identity $ouPath
        Removes the deletion protection from the OU specified in $ouPath

    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


        [Parameter(Mandatory = $true)]

    begin {
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential

    process {
        $adObject = Get-ADObject @ldsParam -Identity $Identity -Partition $Partition -Properties DistinguishedName

        $acl = Get-AdsAcl @ldsParam -Path $adObject.DistinguishedName
        $denyRules = $acl.Access | Where-Object AccessControlType -eq Deny
        if (-not $denyRules) { return }

        foreach ($rule in $denyRules) {
            $null = $acl.RemoveAccessRule($rule)
        $acl | Set-AdsAcl @ldsParam -Path $adObject.DistinguishedName

function Update-ADSec {
        Injects Get-LdsDomain into the ADSec module to overwrite its use of Get-ADDomain.
        Injects Get-LdsDomain into the ADSec module to overwrite its use of Get-ADDomain.
        This enables us to override the AD domain connection verification performed by the module.
        PS C:\> Update-ADSec
        Injects Get-LdsDomain into the ADSec module to overwrite its use of Get-ADDomain.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    param ()

    & (Get-Module ADSec) {
        Set-Alias -Name Get-ADDomain -Value Get-LdsDomain -Scope Script

function Update-LdsConfiguration {
        Updates the reference to the currently "connected to" LDS instance.
        Updates the reference to the currently "connected to" LDS instance.
        This is used by Get-LdsDomain, which is injected into the ADSec module to avoid issues with domain resolution.
    .PARAMETER LdsServer
        The server hosting the LDS instance.
    .PARAMETER LdsPartition
        The partition of the LDS instance.
        PS C:\> Update-LdsConfiguration -LdsServer -LdsPartition 'DC=Fabrikam,DC=org'
        Registers as the current server and 'DC=Fabrikam,DC=org' as the current partition.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

    $script:_ldsServer = $LdsServer
    $script:_ldsPartition = $LdsPartition

function Get-LdsDomain {
        Returns a pseudo-domain object from an LDS instance.
        Returns a pseudo-domain object from an LDS instance.
        Use to transparently redirect Get-ADDomain calls.
    .PARAMETER LdsServer
        LDS Server instance to use.
        Reads from cache if provided.
    .PARAMETER LdsPartition
        LDS partition to use.
        Reads from cache if provided.
        PS C:\> Get-LdsDomain
        Returns the default domain

    param (
        $LdsServer = $script:_ldsServer,

        $LdsPartition = $script:_ldsPartition

    $object = Get-ADObject -LdapFilter '(objectClass=domainDns)' -Server $LdsServer -SearchBase $LdsPartition -Properties *
    Add-Member -InputObject $object -MemberType NoteProperty -Name NetbiosName -Value $object.Name -Force
    Add-Member -InputObject $object -MemberType NoteProperty -Name DnsRoot -Value ($object.DistinguishedName -replace "DC=" -replace ",", ".") -Force
    $groupSid = Get-ADObject -LdapFilter '(&(objectClass=group)(isCriticalSystemObject=TRUE))' -Server $LdsServer -SearchBase $LdsPartition -Properties ObjectSID -ResultSetSize 1 | ForEach-Object ObjectSID
    Add-Member -InputObject $object -MemberType NoteProperty -Name DomainSID -Value (($groupSid.Value -replace '-\d+$') -as [System.Security.Principal.SecurityIdentifier]) -Force

function Import-LdsConfiguration {
        Import a set of configuration files.
        Import a set of configuration files.
        Each configuration file must be a psd1, json or (at PS7+) jsonc file.
        They can be stored any levels of nested folder deep, but they cannot be hidden.
        Each file shall contain an array of entries and each entry shall have an objectclass plus all the attributes it should have.
        Note to include everything an object of the given type must have.
        For each entry, specifying an objectclass is optional: If none is specified, the name of the parent folder is chosen instead.
        Thus, creating a folder named "user" will have all settings directly within default to the objectclass "user".
        Supported Object Classes:
        - AccessRule
        - Group
        - GroupMembership
        - OrganizationalUnit
        - SchemaAttribute
        - User
        Note: Group Memberships and access rules are not really object entities in AD LDS, but are treated the same for configuration purposes.
        Example Content:
        > user.psd1
            Name = 'Thomas'
            Path = 'OU=Admin,%DomainDN%'
            Enabled = $true
        Path to a folder containing all configuration sets.
        PS C:\> Import-LdsConfiguration -Path C:\scripts\lds\config
        Imports all the configuration files under the specified path, no matter how deeply nested.

    param (
        [Parameter(Mandatory = $true)]

    $objectClasses = 'AccessRule', 'Group', 'GroupMembership', 'OrganizationalUnit', 'SchemaAttribute', 'User'
    $extensions = '.json', '.psd1'
    if ($PSVersionTable.PSVersion.Major -ge 7) {$extensions = '.json', '.jsonc', '.psd1'}

    foreach ($file in Get-ChildItem -Path $Path -Recurse -File | Where-Object Extension -In $extensions) {
        $datasets = Import-PSFPowerShellDataFile -LiteralPath $file.FullName -Psd1Mode Unsafe
        $defaultObjectClass = $file.Directory.Name.ToLower()

        foreach ($dataset in $datasets) {
            if (-not $dataset.ObjectClass) { $dataset.ObjectClass = $defaultObjectClass }

            switch ($dataset.ObjectClass) {
                'groupmembership' {
                    $identity = "$($dataset.Group)|$($dataset.Member)|$($dataset.Type)"
                    $script:content.groupmembership.$identity = $dataset
                'accessrule' {
                    $identity = "$($dataset.Path)|$($dataset.Identity)|$($dataset.IdentityType)|$($dataset.Rights)|$($dataset.ObjectType)"
                    $script:content.accessrule.$identity = $dataset
                'SchemaAttribute' {
                    $script:content.SchemaAttribute[$dataSet.AttributeID] = $dataSet
                default {
                    if ($dataset.ObjectClass -notin $objectClasses) {
                        Write-PSFMessage -Level Warning -Message 'Invalid Object Class: {0} Importing file "{1}". Legal Values: {2}' -StringValues $dataset.ObjectClass, $file.FullName, ($objectClasses -join ', ') -Tag 'badClass' -Target $dataset
                    $identity = "$($dataset.Name),$($dataset.Path)"
                    if (-not $script:content.$($dataset.ObjectClass)) {
                        $script:content.$($dataset.ObjectClass) = @{ }
                    $script:content.$($dataset.ObjectClass)[$identity] = $dataset

function Invoke-LdsConfiguration {
        Applies all currently configured settings to the target AD LDS server.
        Applies all currently configured settings to the target AD LDS server.
        Use Import-LdsConfiguration first to load one or more configuration sets.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Options
        Which part of the configuration to deploy.
        Defaults to all of them ('User', 'Group', 'OrganizationalUnit', 'GroupMembership', 'AccessRule', 'SchemaAttribute')
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
        PS C:\> Invoke-LdsConfiguration -Server -Partition 'DC=fabrikam,DC=org'
        Applies all currently configured settings to the target AD LDS server.
        PS C:\> Invoke-LdsConfiguration -Server -Partition 'DC=fabrikam,DC=org' -Options User, Group, OrganizationalUnit
        Applies all currently configured users, groups and OUs to the target AD LDS server.

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


        [ValidateSet('User', 'Group', 'OrganizationalUnit', 'GroupMembership', 'AccessRule', 'SchemaAttribute')]
        $Options = @('User', 'Group', 'OrganizationalUnit', 'GroupMembership', 'AccessRule', 'SchemaAttribute'),

    begin {
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
    process {
        if ($Options -contains 'SchemaAttribute') {
            Invoke-LdsSchemaAttribute @ldsParam
        if ($Options -contains 'OrganizationalUnit') {
            Invoke-LdsOrganizationalUnit @ldsParam -Delete:$Delete
        if ($Options -contains 'Group') {
            Invoke-LdsGroup @ldsParam -Delete:$Delete
        if ($Options -contains 'User') {
            Invoke-LdsUser @ldsParam -Delete:$Delete
        if ($Options -contains 'GroupMembership') {
            Invoke-LdsGroupMembership @ldsParam -Delete:$Delete
        if ($Options -contains 'AccessRule') {
            Invoke-LdsAccessRule @ldsParam -Delete:$Delete

function Reset-LdsAccountPassword {
        Reset the password of any given user account.
        Reset the password of any given user account.
        The new password will be pasted to clipboard.
    .PARAMETER UserName
        Name of the user to reset.
    .PARAMETER Server
        LDS Server to contact.
    .PARAMETER Partition
        Partition of the LDS Server to search.
    .PARAMETER NewPassword
        The new password to assign.
        Autogenerates a random password if not specified.
    .PARAMETER Credential
        Credential to use for the request
        PS C:\> Reset-LdsAccountPassword -Name svc_whatever -Server -Partition 'DC=fabrikam,DC=org'
        Resets the password of account 'svc_whatever'

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        $NewPassword = (New-Password -AsSecureString),


    $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
    $ldsParamLight = $ldsParam | ConvertTo-PSFHashtable -Exclude Partition
    $userObject = Get-ADUser @ldsParamLight -LDAPFilter "(name=$UserName)" -SearchBase $Partition
    if (-not $userObject) {
        Stop-PSFFunction -Cmdlet $PSCmdlet -Message "Unable to find $UserName!" -EnableException $true

    if (1 -lt @($userObject).Count) {
        Stop-PSFFunction -Cmdlet $PSCmdlet -Message "More than one account found for $UserName!`n$($userObject.DistinguishedName -join "`n")" -EnableException $true

    Set-ADAccountPassword @ldsParam -NewPassword $NewPassword -Identity $userObject.ObjectGUID

    if (-not $userObject.Enabled) {
        Write-PSFMessage -Level Host -Message "Enabling account: $($userObject.Name)"
        Enable-ADAccount @ldsParam -Identity $userObject.ObjectGuid

    Write-PSFMessage -Level Host -Message "Password reset for $($userObject.Name) executed."
    $null = Read-Host "Press enter to paste the new password to the clipboard."
    $cred = [PSCredential]::new("whatever", $NewPassword)
    $cred.GetNetworkCredential().Password | Set-Clipboard
    Write-PSFMessage -Level Host -Message "Password for $($userObject.Name) has been written to clipboard."

function Reset-LdsConfiguration {
        Removes all registered configuration settings.
        Removes all registered configuration settings.
        PS C:\> Reset-LdsConfiguration
        Removes all registered configuration settings.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    param ()

    $script:content = @{
        user               = @{ }
        group              = @{ }
        organizationalUnit = @{ }
        groupmembership    = @{ }
        accessrule         = @{ }
        SchemaAttribute    = @{ }

function Test-LdsConfiguration {
        Test all configured settings against the target LDS instance.
        Test all configured settings against the target LDS instance.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Options
        Which part of the configuration to test for.
        Defaults to all of them ('User', 'Group', 'OrganizationalUnit', 'GroupMembership', 'AccessRule', 'SchemaAttribute')
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
        PS C:\> Test-LdsConfiguration -Server -Partition 'DC=Fabrikam,DC=org'
        Test all configured settings against the 'DC=Fabrikam,DC=org' LDS instance on server

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


        [ValidateSet('User', 'Group', 'OrganizationalUnit', 'GroupMembership', 'AccessRule', 'SchemaAttribute')]
        $Options = @('User', 'Group', 'OrganizationalUnit', 'GroupMembership', 'AccessRule', 'SchemaAttribute'),

    begin {
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential, Delete
    process {
        if ($Options -contains 'SchemaAttribute' -and -not $Delete) {
            Test-LdsSchemaAttribute @ldsParam
        if ($Options -contains 'OrganizationalUnit') {
            Test-LdsOrganizationalUnit @ldsParam
        if ($Options -contains 'Group') {
            Test-LdsGroup @ldsParam
        if ($Options -contains 'User') {
            Test-LdsUser @ldsParam
        if ($Options -contains 'GroupMembership') {
            Test-LdsGroupMembership @ldsParam
        if ($Options -contains 'AccessRule') {
            Test-LdsAccessRule @ldsParam

function Invoke-LdsAccessRule {
        Applies all the configured access rules.
        Applies all the configured access rules.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
    .PARAMETER TestResult
        Result objects of the associated Test-Command.
        Allows cherry-picking which change to apply.
        If not specified, it will a test and apply all test results instead.
        PS C:\> Invoke-LdsAccessRule -Server -Partition 'DC=fabrikam,DC=org'
        Apply all configured access rules to the 'DC=fabrikam,DC=org' partition on

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]



        [Parameter(ValueFromPipeline = $true)]
    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
    process {
        if (-not $TestResult) {
            $TestResult = Test-LdsAccessRule @ldsParam -Partition $Partition -Delete:$Delete
        foreach ($testItem in $TestResult | Sort-Object Action -Descending) {
            switch ($testItem.Action) {
                'Add' {
                    $acl = Get-AdsAcl @ldsParam -Path $testItem.Identity
                    $acl | Set-AdsAcl @ldsParam -Path $testItem.Identity
                'Remove' {
                    $acl = Get-AdsAcl @ldsParam -Path $testItem.Identity
                    $null = $acl.RemoveAccessRuleSpecific($testItem.Change.Rule)
                    $acl | Set-AdsAcl @ldsParam -Path $testItem.Identity

function Test-LdsAccessRule {
        Tests, whether the current access rules match the configured state.
        Tests, whether the current access rules match the configured state.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
        PS C:\> Test-LdsAccessRule -Server -Partition 'DC=fabrikam,DC=org'
        Tests, whether the current access rules on match the configured state.

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


    begin {
        #region Functions
        function Resolve-AccessRule {
            param (
                [Parameter(Mandatory = $true)]

                [Parameter(Mandatory = $true)]

                [Parameter(Mandatory = $true)]


                $SchemaCache = @{ },

                $PrincipalCache = @{ },


            $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential

            $rights = $script:adrights[$RuleCfg.Rights]
            # resolve AccessRule settings
            $inheritanceType = 'None'
            if ($RuleCfg.Inheritance) {
                $inheritanceType = $RuleCfg.Inheritance
            $objectType = [guid]::Empty
            $inheritedObjectType = [guid]::Empty
            if ($RuleCfg.ObjectType) { $objectType = $RuleCfg.ObjectType | Resolve-SchemaGuid @ldsParam -Cache $SchemaCache }
            if ($RuleCfg.InheritedObjectType) { $inheritedObjectType = $RuleCfg.InheritedObjectType | Resolve-SchemaGuid @ldsParam -Cache $SchemaCache }
            $type = 'Allow'
            if ($RuleCfg.Type) { $type = $RuleCfg.Type }

            $principal = $PrincipalCache["$($RuleCfg.IdentityType):$($RuleCfg.Identity)"]
            if (-not $principal -and 'SID' -eq $RuleCfg.IdentityType){
                $ruleIdentity = $RuleCfg.Identity -replace '%DomainSID%', $DomainSID
                $sid = $ruleIdentity -as [System.Security.Principal.SecurityIdentifier]
                if (-not $sid) {
                    throw "Principal is not a legal SID: $($RuleCfg.Identity)!"
                $PrincipalCache["$($RuleCfg.IdentityType):$($RuleCfg.Identity)"] = $sid
                $principal = $PrincipalCache["$($RuleCfg.IdentityType):$($RuleCfg.Identity)"]
            elseif (-not $principal) {
                $principalObject = Get-ADObject @ldsParam -SearchBase $Partition -LDAPFilter "(&(objectClass=$($RuleCfg.IdentityType))(name=$($RuleCfg.Identity)))" -Properties ObjectSID -ErrorAction Stop
                if (-not $principalObject) {
                    throw "Principal not found: $($RuleCfg.IdentityType) - $($RuleCfg.Identity)"

                $PrincipalCache["$($RuleCfg.IdentityType):$($RuleCfg.Identity)"] = $principalObject.ObjectSID
                $principal = $PrincipalCache["$($RuleCfg.IdentityType):$($RuleCfg.Identity)"]

        function Compare-AccessRule {
            param (
                [Parameter(Mandatory = $true)]

                [Parameter(Mandatory = $true, ValueFromPipeline = $true)]


            process {
                if (-not $InputObject) { return }

                $isMatched = $false

                foreach ($referenceObject in $Reference) {
                    if ($referenceObject.ActiveDirectoryRights -bxor $InputObject.ActiveDirectoryRights) { continue }
                    if ($referenceObject.InheritanceType -ne $InputObject.InheritanceType) { continue }
                    if ($referenceObject.ObjectType -ne $InputObject.ObjectType) { continue }
                    if ($referenceObject.InheritedObjectType -ne $InputObject.InheritedObjectType) { continue }
                    if ($referenceObject.AccessControlType -ne $InputObject.AccessControlType) { continue }
                    if ("$($referenceObject.IdentityReference)" -ne "$($InputObject.IdentityReference)") { continue }

                    $isMatched = $true

                if ($isMatched -eq -not $NoMatch) {

        function Get-ObjectDefaultRule {
            param (





            $adObject = Get-ADObject @LdsParam -Identity $Path -Properties ObjectClass
            if ($DefaultPermissions.ContainsKey($adObject.ObjectClass)) {
                return $DefaultPermissions[$adObject.ObjectClass]

            $class = Get-ADObject @ldsParamLight -SearchBase $RootDSE.schemaNamingContext -LDAPFilter "(&(objectClass=classSchema)(ldapDisplayName=$($adObject.ObjectClass)))" -Properties defaultSecurityDescriptor
            $acl = [System.DirectoryServices.ActiveDirectorySecurity]::new()
            $DefaultPermissions[$adObject.ObjectClass] = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        #endregion Functions

        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $ldsParamLight = $ldsParam | ConvertTo-PSFHashtable -Exclude Partition
        $rootDSE = Get-ADRootDSE @ldsParamLight
        $domainSID = (Get-ADObject @ldsParamLight -LDAPFilter '(&(objectCategory=group)(name=Administrators))' -SearchBase $ldsParam.Partition -Properties objectSID).ObjectSID.Value -replace '-512$'

        $principals = @{ }
        $schemaCache = @{ }
        $pathCache = @{ }
    process {
        #region Adding
        foreach ($ruleCfg in $script:content.accessrule.Values) {
            $resolvedPath = $ruleCfg.Path -replace '%DomainDN%', $Partition
            try { $rule = Resolve-AccessRule @ldsParam -RuleCfg $ruleCfg -SchemaCache $schemaCache -PrincipalCache $principals -DomainSID $domainSID }
            catch {
                Write-PSFMessage -Level Warning -Message "Failed to process rule for $resolvedPath, granting $($ruleCfg.Rights) to $($ruleCfg.Identity)" -ErrorRecord $_
            if (-not $pathCache[$resolvedPath]) { $pathCache[$resolvedPath] = @($rule) }
            else { $pathCache[$resolvedPath] = @($pathCache[$resolvedPath]) + @($rule) }

            $acl = Get-AdsAcl @ldsParamLight -Path $resolvedPath
            $currentRules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
            $matching = $currentRules | Compare-AccessRule -Reference $rule

            $change = [PSCustomObject]@{
                Path  = $resolvedPath
                Name  = $ruleCfg.Identity
                Right = $ruleCfg.Rights
                Type  = $rule.AccessControlType
                Rule  = $rule
            Add-Member -InputObject $change -MemberType ScriptMethod -Name ToString -Force -Value {
                if ('Allow' -eq $this.Type) { '{0} -> {1}' -f $this.Name, $this.Right }
                else { '{0} != {1}' -f $this.Name, $this.Right }

            if ($matching) {
                if ($Delete) {
                    $change.Rule = $matching
                    New-TestResult -Type AccessRule -Action Remove -Identity $resolvedPath -Configuration $ruleCfg -ADObject $acl -Change $change
            if ($Delete) { continue }

            New-TestResult -Type AccessRule -Action Add -Identity $resolvedPath -Configuration $ruleCfg -ADObject $acl -Change $change
        #endregion Adding

        #region Removing
        $schemaDefaultPermissions = @{ }
        $sidToName = @{ }

        foreach ($adPath in $pathCache.Keys) {
            $defaultRules = Get-ObjectDefaultRule -Path $adPath -LdsParam $ldsParam -LdsParamLight $ldsParamLight -RootDSE $rootDSE -DefaultPermissions $schemaDefaultPermissions
            $intendedRules = @($defaultRules) + @($pathCache[$adPath]) | Remove-PSFNull

            $acl = Get-AdsAcl @ldsParamLight -Path $adPath
            $currentRules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
            $surplusRules = $currentRules | Compare-AccessRule -Reference $intendedRules -NoMatch

            foreach ($surplusRule in $surplusRules) {
                # Skip OU deletion protection
                if ('S-1-1-0' -eq $surplusRule.IdentityReference -and 'Deny' -eq $surplusRule.AccessControlType) { continue }
                if (-not $sidToName[$surplusRule.IdentityReference]) {
                    try { $sidToName[$surplusRule.IdentityReference] = Get-ADObject @ldsParamLight -SearchBase $Partition -LDAPFilter "(objectSID=$($surplusRule.IdentityReference))" -Properties Name }
                    catch { $sidToName[$surplusRule.IdentityReference] = @{ Name = $surplusRule.IdentityReference }}
                    if (-not $sidToName[$surplusRule.IdentityReference]) { $sidToName[$surplusRule.IdentityReference] = @{ Name = $surplusRule.IdentityReference } }
                $change = [PSCustomObject]@{
                    Path  = $adPath
                    Name  = $sidToName[$surplusRule.IdentityReference].Name
                    Right = $surplusRule.ActiveDirectoryRights
                    Type  = $surplusRule.AccessControlType
                    Rule  = $surplusRule

                Add-Member -InputObject $change -MemberType ScriptMethod -Name ToString -Force -Value {
                    if ('Allow' -eq $this.Type) { '{0} -> {1}' -f $this.Name, $this.Right }
                    else { '{0} != {1}' -f $this.Name, $this.Right }
                New-TestResult -Type AccessRule -Action Remove -Identity $adPath -ADObject $acl -Change $change
        #endregion Removing

function Invoke-LdsGroup {
        Applies all configured groups.
        Applies all configured groups, creating or updating their settings as needed.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
    .PARAMETER TestResult
        Result objects of the associated Test-Command.
        Allows cherry-picking which change to apply.
        If not specified, it will a test and apply all test results instead.
        PS C:\> Invoke-LdsGroup -Server -Partition 'DC=fabrikam,DC=org'
        Applies all configured groups to 'DC=fabrikam,DC=org' on the server ''.

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]



        [Parameter(ValueFromPipeline = $true)]
    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $ldsParamLight = $ldsParam | ConvertTo-PSFHashtable -Exclude Partition
        $systemProperties = 'ObjectClass', 'Path', 'Name', 'GroupScope'
    process {
        if (-not $TestResult) {
            $TestResult = Test-LdsGroup @ldsParam -Delete:$Delete
        foreach ($testItem in $TestResult) {
            switch ($testItem.Action) {
                'Create' {
                    $attributes = $testItem.Configuration | ConvertTo-PSFHashtable -Exclude $systemProperties
                    $newParam = @{
                        Name = $testItem.Configuration.Name
                        GroupScope = $testItem.Configuration.GroupScope
                        Path = ($testItem.Identity -replace '^.+?,')
                    if (0 -lt $attributes.Count) { $newParam.OtherAttributes = $attributes }
                    if (-not $newParam.GroupScope) { $newParam.GroupScope = 'DomainLocal' }
                    New-ADGroup @ldsParamLight @newParam
                'Delete' {
                    Remove-ADGroup @ldsParam -Identity $testItem.ADObject.ObjectGUID -Recursive -Confirm:$false
                'Update' {
                    $update = @{ }
                    foreach ($change in $testItem.Change) {
                        $update[$change.Property] = $change.New
                    Set-ADObject @ldsParam -Identity $testItem.ADObject.ObjectGUID -Replace $update

function Test-LdsGroup {
        Tests, whether the targeted ad lds server conforms to the group configuration.
        Tests, whether the targeted ad lds server conforms to the group configuration.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
        PS C:\> Test-LdsGroup -Server -Partition 'DC=fabrikam,DC=org'
        Tests whether the groups in 'DC=fabrikam,DC=org' on are in their desired state.

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $systemProperties = 'ObjectClass', 'Path', 'Name'
    process {
        foreach ($configurationItem in $ {
            $path = 'CN={0},{1}' -f $configurationItem.Name, ($configurationItem.Path -replace '%DomainDN%',$Partition)
            if ($path -notmatch ',DC=') { $path = $path, $Partition -join ',' }

            $resultDefaults = @{
                Type = 'Group'
                Identity = $path
                Configuration = $configurationItem

            $failed = $null
            $adObject = $null
            try { $adObject = Get-ADGroup @ldsParam -Identity $path -Properties * -ErrorAction SilentlyContinue -ErrorVariable failed }
            catch { $failed = $_ }
            if ($failed -and $failed.CategoryInfo.Category -ne 'ObjectNotFound') {
                foreach ($failure in $failed) { Write-Error $failure }

            #region Cases
            # Case: Does not Exist
            if (-not $adObject) {
                if ($Delete) { continue }

                New-TestResult @resultDefaults -Action Create

            # Case: Exists
            $resultDefaults.ADObject = $adObject
            if ($Delete) {
                New-TestResult @resultDefaults -Action Delete

            $changes = foreach ($pair in $configurationItem.GetEnumerator()) {
                if ($pair.Key -in $systemProperties) { continue }
                if ($pair.Value -ne $adObject.$($pair.Key)) {
                    New-Change -Identity $path -Property $pair.Key -OldValue $adObject.$($pair.Key) -NewValue $pair.Value

            if ($changes) {
                New-TestResult @resultDefaults -Action Update -Change $changes
            #endregion Cases

function Invoke-LdsGroupMembership {
        Applies the configuration-defined group memberships.
        Applies the configuration-defined group memberships.
        It is generally good idea to apply groups and users first.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
    .PARAMETER TestResult
        Result objects of the associated Test-Command.
        Allows cherry-picking which change to apply.
        If not specified, it will a test and apply all test results instead.
        PS C:\> Invoke-LdsGroupMembership -Server -Partition 'DC=fabrikam,DC=org'
        Applies the configuration-defined group memberships against 'DC=fabrikam,DC=org' on

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]



        [Parameter(ValueFromPipeline = $true)]
    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
    process {
        if (-not $TestResult) {
            $TestResult = Test-LdsGroupMembership @ldsParam -Delete:$Delete
        foreach ($testItem in $TestResult) {
            switch ($testItem.Action) {
                'Update' {
                    foreach ($change in $testItem.Change) {
                        switch ($change.Action) {
                            'Add' { Add-ADGroupMember @ldsParam -Identity $testItem.ADObject -Members $change.DN }
                            'Remove' { Remove-ADGroupMember @ldsParam -Identity $testItem.ADObject -Members $change.DN }

function Test-LdsGroupMembership {
        Test whether the group memberships are in their desired state.
        Test whether the group memberships are in their desired state.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
        PS C:\> Test-LdsGroupMembership -Server -Partition 'DC=fabrikam,DC=org'
        Test whether the group memberships are in their desired state for 'DC=fabrikam,DC=org' on

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $ldsParamLight = $ldsParam | ConvertTo-PSFHashtable -Remap @{ Partition = 'SearchBase' }

        $members = @{ }
        $ldsObjects = @{ }
    process {
        foreach ($configurationSets in $script:content.groupmembership.Values | Group-Object { $_.Group }) {
            Write-PSFMessage -Level Verbose -Message "Processing group memberships of {0}" -StringValues $configurationSets.Name
            $groupObject = Get-ADGroup @ldsParamLight -LDAPFilter "(name=$($configurationSets.Name))" -Properties *
            if (-not $groupObject) {
                Write-PSFMessage -Level Warning -Message "Group not found: {0}! Cannot process members" -StringValues  $configurationSets.Name
            $ldsObjects[$groupObject.DistinguishedName] = $groupObject

            #region Determine intended members
            $intendedMembers = foreach ($entry in $configurationSets.Group) {
                # Read from Cache
                if ($members["$($entry.Type):$($entry.Member)"]) {

                # Read from LDS Instance
                $ldsObject = Get-ADObject @ldsParamLight -LDAPFilter "(&(objectClass=$($entry.Type))(name=$($entry.Member)))" -Properties *
                # Not Yet Created
                if (-not $ldsObject) {
                    Write-PSFMessage -Level Warning -Message 'Unable to find {0} {1}, will be unable to add it to group {2}' -StringValues $entry.Type, $entry.Member, $entry.Group

                $members["$($entry.Type):$($entry.Member)"] = $ldsObject
                $ldsObjects[$ldsObject.DistinguishedName] = $ldsObject
            #endregion Determine intended members

            #region Determine actual members
            $actualMembers = foreach ($member in $groupObject.Members) {
                if ($ldsObjects[$member]) {

                try { $ldsObject = Get-ADObject @ldsParam -Identity $member -Properties * -ErrorAction Stop }
                catch {
                    Write-PSFMessage -Level Warning -Message "Error resolving member of {0}: {1}" -StringValues $configurationSets.Name, $member -ErrorRecord $_
                $ldsObjects[$ldsObject.DistinguishedName] = $ldsObject
            #endregion Determine actual members
            #region Compare and generate changes
            $toAdd = $intendedMembers | Where-Object DistinguishedName -NotIn $actualMembers.DistinguishedName | ForEach-Object {
                    PSTypename = 'AdLdsTools.Change.GroupMembership'
                    Action     = 'Add'
                    Member     = $_.Name
                    Type       = $_.ObjectClass
                    DN         = $_.DistinguishedName
                    Group      = $configurationSets.Name
            if ($Delete) { $toAdd = @() }

            $toRemove = $actualMembers | Where-Object {
                (-not $Delete -and $_.DistinguishedName -NotIn $intendedMembers.DistinguishedName) -or
                ($Delete -and $_.DistinguishedName -in $intendedMembers.DistinguishedName)
            } | ForEach-Object {
                    PSTypename = 'AdLdsTools.Change.GroupMembership'
                    Action     = 'Remove'
                    Member     = $_.Name
                    Type       = $_.ObjectClass
                    DN         = $_.DistinguishedName
                    Group      = $configurationSets.Name

            $changes = @($toAdd) + @($toRemove) | Remove-PSFNull | Add-Member -MemberType ScriptMethod -Name ToString -Value {
                '{0} -> {1}' -f $this.Action, $this.Member
            } -Force -PassThru
            #endregion Compare and generate changes

            if ($changes) {
                New-TestResult -Type GroupMemberShip -Action Update -Identity $groupObject.Name -ADObject $groupObject -Configuration $configurationSets -Change $changes

function Invoke-LdsOrganizationalUnit {
        Creates the desired organizational units.
        Creates the desired organizational units.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
    .PARAMETER TestResult
        Result objects of the associated Test-Command.
        Allows cherry-picking which change to apply.
        If not specified, it will a test and apply all test results instead.
        PS C:\> Invoke-LdsOrganizationalUnit -Server -Partition 'DC=fabrikam,DC=org'
        Creates the desired organizational units in 'DC=fabrikam,DC=org' on

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]



        [Parameter(ValueFromPipeline = $true)]
    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $ldsParamLight = $ldsParam | ConvertTo-PSFHashtable -Exclude Partition
        $systemProperties = 'ObjectClass', 'Path', 'Name'
        $filter = {
            # Delete actions should go from innermost to top-level
            # Create actions should go from top-level to most nested
            if ($_.Action -eq 'Delete') { $_.Identity.Length * -1 }
            else { $_.Identity.Length }
    process {
        if (-not $TestResult) {
            $TestResult = Test-LdsOrganizationalUnit @ldsParam -Delete:$Delete
        foreach ($testItem in $TestResult | Sort-Object Action, $filter) {
            switch ($testItem.Action) {
                'Create' {
                    $attributes = $testItem.Configuration | ConvertTo-PSFHashtable -Exclude $systemProperties
                    $newParam = @{
                        Name = $testItem.Configuration.Name
                        Path = ($testItem.Identity -replace '^.+?,')
                    if (0 -lt $attributes.Count) { $newParam.OtherAttributes = $attributes }
                    New-ADOrganizationalUnit @ldsParamLight @newParam
                'Delete' {
                    Unprotect-OrganizationalUnit @ldsParam -Identity $testItem.ADObject.ObjectGUID
                    Remove-ADOrganizationalUnit @ldsParam -Identity $testItem.ADObject.ObjectGUID -Recursive -Confirm:$false
                'Update' {
                    $update = @{ }
                    foreach ($change in $testItem.Change) {
                        $update[$change.Property] = $change.New
                    Set-ADObject @ldsParam -Identity $testItem.ADObject.ObjectGUID -Replace $update

function Test-LdsOrganizationalUnit {
        Tests, whether the desired organizational units exist.
        Tests, whether the desired organizational units exist.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
        PS C:\> Test-LdsOrganizationalUnit -Server -Partition 'DC=fabrikam,DC=org'
        Tests, whether the desired organizational units exist in 'DC=fabrikam,DC=org' on

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $systemProperties = 'ObjectClass', 'Path', 'Name'
    process {
        foreach ($configurationItem in $script:content.organizationalUnit.Values) {
            $path = 'OU={0},{1}' -f $configurationItem.Name, ($configurationItem.Path -replace '%DomainDN%',$Partition)
            if ($path -notmatch ',DC=') { $path = $path, $Partition -join ',' }

            $resultDefaults = @{
                Type = 'OrganizationalUnit'
                Identity = $path
                Configuration = $configurationItem

            $failed = $null
            $adObject = $null
            try { $adObject = Get-ADOrganizationalUnit @ldsParam -Identity $path -Properties * -ErrorAction SilentlyContinue -ErrorVariable failed }
            catch { $failed = $_ }
            if ($failed -and $failed.CategoryInfo.Category -ne 'ObjectNotFound') {
                foreach ($failure in $failed) { Write-Error $failure }

            #region Cases
            # Case: Does not Exist
            if (-not $adObject) {
                if ($Delete) { continue }

                New-TestResult @resultDefaults -Action Create

            # Case: Exists
            $resultDefaults.ADObject = $adObject
            if ($Delete) {
                New-TestResult @resultDefaults -Action Delete

            $changes = foreach ($pair in $configurationItem.GetEnumerator()) {
                if ($pair.Key -in $systemProperties) { continue }
                if ($pair.Value -ne $adObject.$($pair.Key)) {
                    New-Change -Identity $path -Property $pair.Key -OldValue $adObject.$($pair.Key) -NewValue $pair.Value

            if ($changes) {
                New-TestResult @resultDefaults -Action Update -Change $changes
            #endregion Cases

function Invoke-LdsSchemaAttribute {
        Applies the intended schema attributes.
        Applies the intended schema attributes.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER TestResult
        Result objects of the associated Test-Command.
        Allows cherry-picking which change to apply.
        If not specified, it will a test and apply all test results instead.
        PS C:\> Invoke-LdsSchemaAttribute -Server -Partition 'DC=fabrikam,DC=org'
        Applies the intended schema attributes to 'DC=fabrikam,DC=org' on

    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


        [Parameter(ValueFromPipeline = $true)]

    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $ldsParamLight = $ldsParam | ConvertTo-PSFHashtable -Exclude Partition
        $systemProperties = 'ObjectClass', 'AttributeID', 'IsDeleted', 'Optional', 'MayContain'

        $rootDSE = Get-ADRootDSE @ldsParamLight
    process {
        if (-not $TestResult) {
            $TestResult = Test-LdsSchemaAttribute @ldsParam
        $testResultsSorted = $TestResult | Sort-Object {
            switch ($_.Action) {
                Create { 1 }
                Delete { 2 }
                Update { 3 }
                Add { 4 }
                Remove { 5 }
                Default { 6 }

        foreach ($testItem in $testResultsSorted) {
            switch ($testItem.Action) {
                'Create' {
                    $attributes = $testItem.Configuration | ConvertTo-PSFHashtable -Exclude $systemProperties
                    $attributes.AttributeID = $testItem.Configuration.AttributeID
                    $name = $testItem.Configuration.Name
                    if (-not $name) { $name = $testItem.Configuration.AdminDisplayName }
                    New-ADObject @ldsParamLight -Type attributeSchema -Name $name -Path $rootDSE.schemaNamingContext -OtherAttributes $attributes
                'Delete' {
                    $testItem.ADObject | Set-ADObject @ldsParamLight -Replace @{ IsDeleted = $true }
                'Update' {
                    $replacements = @{ }
                    foreach ($change in $testItem.Change) {
                        $replacements[$change.Property] = $change.New
                    $testItem.ADObject | Set-ADObject @ldsParamLight -Replace $replacements
                'Add' {
                    $testItem.Change.Data | Set-ADObject @ldsParamLight -Add @{
                        mayContain = $testItem.ADObject.lDAPDisplayName
                'Remove' {
                    $testItem.Change.Data | Set-ADObject @ldsParamLight -Remove @{
                        mayContain = $testItem.Identity
                'Rename' {
                    $testItem.ADObject | Rename-ADObject @ldsParamLight -NewName @($testItem.Change.New)[0]

function Test-LdsSchemaAttribute {
        Tests, whether the intended schema attributes have been applied.
        Tests, whether the intended schema attributes have been applied.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
        PS C:\> Test-LdsSchemaAttribute -Server -Partition 'DC=fabrikam,DC=org'
        Tests, whether the intended schema attributes have been applied to 'DC=fabrikam,DC=org' on

    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $ldsParamLight = $ldsParam | ConvertTo-PSFHashtable -Exclude Partition
        $systemProperties = 'ObjectClass', 'AttributeID', 'IsDeleted', 'Optional', 'MayContain'

        $rootDSE = Get-ADRootDSE @ldsParamLight
        $classes = Get-ADObject @ldsParamLight -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(objectClass=classSchema)' -Properties mayContain, adminDisplayName
    process {
        foreach ($schemaSetting in $script:content.SchemaAttribute.Values) {
            $schemaObject = $null
            $schemaObject = Get-ADObject @ldsParamLight -LDAPFilter "(attributeID=$($schemaSetting.AttributeID))" -SearchBase $rootDSE.schemaNamingContext -ErrorAction Ignore -Properties *
            $resultDefaults = @{
                Type          = 'SchemaAttribute'
                Identity      = $schemaSetting.AdminDisplayName
                Configuration = $schemaSetting

            if (-not $schemaObject) {
                # If we already want to disable the attribute, no need to create it
                if ($schemaSetting.IsDeleted) { continue }
                if ($schemaSetting.Optional) { continue }

                New-TestResult @resultDefaults -Action Create
                foreach ($entry in $schemaSetting.MayContain) {
                    if ($classes.AdminDisplayName -notcontains $entry) { continue }
                    New-TestResult @resultDefaults -Action Add -Change @(
                        New-Change -Identity $schemaSetting.AdminDisplayName -Property MayContain -NewValue $entry -Data ($classes | Where-Object AdminDisplayName -EQ $entry)

            $resultDefaults.ADObject = $schemaObject

            if ($schemaSetting.IsDeleted -and -not $schemaObject.isDeleted) {
                New-TestResult @resultDefaults -Action Delete -Change @(
                    New-Change -Identity $schemaSetting.AdminDisplayName -Property IsDeleted -OldValue $false -NewValue $true

            if ($schemaSetting.Name -and $schemaSetting.Name -cne $schemaObject.Name) {
                New-TestResult @resultDefaults -Action Rename -Change @(
                    New-Change -Identity $schemaSetting.AdminDisplayName -Property Name -OldValue $schemaObject.Name -NewValue $schemaSetting.Name

            $changes = foreach ($pair in $schemaSetting.GetEnumerator()) {
                if ($pair.Key -in $systemProperties) { continue }
                if ($pair.Value -cne $schemaObject.$($pair.Key)) {
                    New-Change -Identity $schemaSetting.AdminDisplayName -Property $pair.Key -OldValue $schemaObject.$($pair.Key) -NewValue $pair.Value
            if ($changes) {
                New-TestResult @resultDefaults -Action Update -Change $changes

            $mayBeContainedIn = $schemaSetting.MayContain
            if ($schemaSetting.IsDeleted) { $mayBeContainedIn = @() }

            $classesMatch = $classes | Where-Object mayContain -Contains $schemaObject.LdapDisplayName
            foreach ($matchingclass in $classesMatch) {
                if ($matchingclass.AdminDisplayName -in $mayBeContainedIn) { continue }
                New-TestResult @resultDefaults -Action Remove -Change @(
                    New-Change -Identity $schemaSetting.AdminDisplayName -Property MayContain -OldValue $matchingclass.AdminDisplayName -DisplayStyle RemoveValue -Data $matchingClass
            foreach ($allowedClass in $mayBeContainedIn) {
                if ($classesMatch.AdminDisplayName -contains $allowedClass) { continue }
                New-TestResult @resultDefaults -Action Add -Change @(
                    New-Change -Identity $schemaSetting.AdminDisplayName -Property MayContain -NewValue $allowedClass -Data ($classes | Where-Object AdminDisplayName -EQ $allowedClass)

function Invoke-LdsUser {
        Creates the intended user objects.
        Creates the intended user objects.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
    .PARAMETER TestResult
        Result objects of the associated Test-Command.
        Allows cherry-picking which change to apply.
        If not specified, it will a test and apply all test results instead.
        PS C:\> Invoke-LdsUser -Server -Partition 'DC=fabrikam,DC=org'
        Creates the intended user objects for 'DC=fabrikam,DC=org' on

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]



        [Parameter(ValueFromPipeline = $true)]
    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $ldsParamLight = $ldsParam | ConvertTo-PSFHashtable -Exclude Partition
        $systemProperties = 'ObjectClass', 'Path', 'Name', 'Enabled', 'PasswordNeverExpires'
    process {
        if (-not $TestResult) {
            $TestResult = Test-LdsUser @ldsParam -Delete:$Delete
        foreach ($testItem in $TestResult) {
            switch ($testItem.Action) {
                'Create' {
                    $attributes = $testItem.Configuration | ConvertTo-PSFHashtable -Exclude $systemProperties
                    $newParam = @{
                        Name = $testItem.Configuration.Name
                        Path = ($testItem.Identity -replace '^.+?,')
                        OtherAttributes = $attributes
                    if ($testItem.Configuration.Enabled) {
                        $newParam += @{
                            Enabled = $true
                            AccountPassword = New-Password -AsSecureString
                    if ($testItem.Configuration.PasswordNeverExpires) {
                        $newParam.PasswordNeverExpires = $true
                    if (0 -eq $newParam.OtherAttributes.Count) { $newParam.Remove('OtherAttributes') }
                    New-ADUser @ldsParamLight @newParam
                'Delete' {
                    Remove-ADUser @ldsParam -Identity $testItem.ADObject.ObjectGUID -Recursive -Confirm:$false
                'Update' {
                    $update = @{ }
                    foreach ($change in $testItem.Change) {
                        # Workaround for something a lot easier with Set-ADUser than Set-ADObject
                        if ($change.Property -eq 'PasswordNeverExpires') {
                            Set-ADUser @ldsParam -Identity $testItem.ADObject.ObjectGUID -PasswordNeverExpires $change.New
                        $update[$change.Property] = $change.New

                    # If the only change is PasswordNeverExpires, no need to call Set-ADObject
                    if ($update.Count -lt 1) { continue }

                    Set-ADObject @ldsParam -Identity $testItem.ADObject.ObjectGUID -Replace $update

function Test-LdsUser {
        Tests, whether the desired users have already been created.
        Tests, whether the desired users have already been created.
    .PARAMETER Server
        The LDS Server to target.
    .PARAMETER Partition
        The Partition on the LDS Server to target.
    .PARAMETER Credential
        Credentials to use for the operation.
    .PARAMETER Delete
        Undo everything defined in configuration.
        Allows rolling back after deployment.
        PS C:\> Test-LdsUser -Server -Partition 'DC=fabrikam,DC=org'
        Tests, whether the desired users have already been created for 'DC=fabrikam,DC=org' on

    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


    begin {
        Update-LdsConfiguration -LdsServer $Server -LdsPartition $Partition
        $ldsParam = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Partition, Credential
        $systemProperties = 'ObjectClass', 'Path', 'Name', 'Enabled'
    process {
        foreach ($configurationItem in $script:content.user.Values) {
            if ($configurationItem.SamAccountName -and -not $configurationItem.Name) {
                $configurationItem.Name = $configurationItem.SamAccountName
            $path = 'CN={0},{1}' -f $configurationItem.Name, ($configurationItem.Path -replace '%DomainDN%',$Partition)
            if ($path -notmatch ',DC=') { $path = $path, $Partition -join ',' }

            $resultDefaults = @{
                Type = 'User'
                Identity = $path
                Configuration = $configurationItem

            $failed = $null
            $adObject = $null
            try { $adObject = Get-ADUser @ldsParam -Identity $path -Properties * -ErrorAction SilentlyContinue -ErrorVariable failed }
            catch { $failed = $_ }
            if ($failed -and $failed.CategoryInfo.Category -ne 'ObjectNotFound') {
                foreach ($failure in $failed) { Write-Error $failure }

            #region Cases
            # Case: Does not Exist
            if (-not $adObject) {
                if ($Delete) { continue }

                New-TestResult @resultDefaults -Action Create

            # Case: Exists
            $resultDefaults.ADObject = $adObject
            if ($Delete) {
                New-TestResult @resultDefaults -Action Delete

            $changes = foreach ($pair in $configurationItem.GetEnumerator()) {
                if ($pair.Key -in $systemProperties) { continue }
                if ($pair.Value -ne $adObject.$($pair.Key)) {
                    New-Change -Identity $path -Property $pair.Key -OldValue $adObject.$($pair.Key) -NewValue $pair.Value

            if ($changes) {
                New-TestResult @resultDefaults -Action Update -Change $changes
            #endregion Cases

This is an example configuration file
By default, it is enough to have a single one of them,
however if you have enough configuration settings to justify having multiple copies of it,
feel totally free to split them into multiple files.

Set-PSFConfig -Module 'ADLDSMF' -Name 'Import.DoDotSource' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be dotsourced on import. By default, the files of this module are read as string value and invoked, which is faster but worse on debugging."
Set-PSFConfig -Module 'ADLDSMF' -Name 'Import.IndividualFiles' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be imported individually. During the module build, all module code is compiled into few files, which are imported instead by default. Loading the compiled versions is faster, using the individual files is easier for debugging and testing out adjustments."

$script:content = @{
    user               = @{ }
    group              = @{ }
    organizationalUnit = @{ }
    groupmembership    = @{ }
    accessrule         = @{ }
    SchemaAttribute    = @{ }

$script:adrights = @{
    'FullControl'    = @(
    'Enumerate'      = @(
    'Read'           = @(
    'EditObject'     = @(
    'ManageChildren' = @(
    'Extended'       = @(

# Make ACL work again
$null = Get-Acl -Path . -ErrorAction Ignore

# Disable AD Connection Check
Set-PSFConfig -FullName 'ADSec.Connect.NoAssertion' -Value $true

# Load config if present
if (Test-Path -Path "$script:ModuleRoot\Config") {
    Import-LdsConfiguration -Path "$script:ModuleRoot\Config"

New-PSFLicense -Product 'ADLDSMF' -Manufacturer 'Friedrich Weinmann' -ProductVersion $script:ModuleVersion -ProductType Module -Name MIT -Version "" -Date (Get-Date "2023-12-11") -Text @"
Copyright (c) 2023 Friedrich Weinmann
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

#endregion Load compiled code