DSCResources/MSFT_ADComputer/MSFT_ADComputer.psm1
$script:resourceModulePath = Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent $script:modulesFolderPath = Join-Path -Path $script:resourceModulePath -ChildPath 'Modules' $script:localizationModulePath = Join-Path -Path $script:modulesFolderPath -ChildPath 'ActiveDirectoryDsc.Common' Import-Module -Name (Join-Path -Path $script:localizationModulePath -ChildPath 'ActiveDirectoryDsc.Common.psm1') $script:localizedData = Get-LocalizedData -ResourceName 'MSFT_ADComputer' <# A property map that maps the resource parameters to the corresponding Active Directory computer account object attribute. #> $script:computerObjectPropertyMap = @( @{ ParameterName = 'ComputerName' PropertyName = 'CN' }, @{ ParameterName = 'Location' }, @{ ParameterName = 'DnsHostName' }, @{ ParameterName = 'ServicePrincipalNames' PropertyName = 'ServicePrincipalName' }, @{ ParameterName = 'UserPrincipalName' }, @{ ParameterName = 'DisplayName' }, @{ ParameterName = 'Path' PropertyName = 'DistinguishedName' }, @{ ParameterName = 'Description' }, @{ ParameterName = 'Enabled' }, @{ ParameterName = 'Manager' PropertyName = 'ManagedBy' }, @{ ParameterName = 'DistinguishedName' ParameterType = 'Read' PropertyName = 'DistinguishedName' }, @{ ParameterName = 'SID' ParameterType = 'Read' } ) <# .SYNOPSIS Returns the current state of the Active Directory computer account. .PARAMETER ComputerName Specifies the name of the Active Directory computer account to manage. You can identify a computer by its distinguished name, GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. .PARAMETER RequestFile Specifies the full path to the Offline Domain Join Request file to create. .PARAMETER EnabledOnCreation Specifies if the computer account is created enabled or disabled. By default the Enabled property of the computer account will be set to the default value of the cmdlet New-ADComputer. This property is ignored if the parameter RequestFile is specified in the same configuration. This parameter does not enforce the property `Enabled`. To enforce the property `Enabled` see the resource ADObjectEnabledState. .PARAMETER DomainController Specifies the Active Directory Domain Services instance to connect to perform the task. Used by Get-ADCommonParameters and is returned as a common parameter. .PARAMETER Credential Specifies the user account credentials to use to perform the task. Used by Get-ADCommonParameters and is returned as a common parameter. .PARAMETER RestoreFromRecycleBin Try to restore the organizational unit from the recycle bin before creating a new one. #> function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] [System.String] $ComputerName, [Parameter()] [ValidateNotNull()] [System.String] $RequestFile, [Parameter()] [ValidateNotNull()] [System.String] $DomainController, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential, [Parameter()] [ValidateNotNull()] [System.Boolean] $RestoreFromRecycleBin, [Parameter()] [ValidateNotNull()] [System.Boolean] $EnabledOnCreation ) Assert-Module -ModuleName 'ActiveDirectory' -ImportModule <# These are properties that have no corresponding property in a Computer account object. #> $getTargetResourceReturnValue = @{ Ensure = 'Absent' ComputerName = $null Location = $null DnsHostName = $null ServicePrincipalNames = $null UserPrincipalName = $null DisplayName = $null Path = $null Description = $null Enabled = $false Manager = $null DomainController = $DomainController Credential = $Credential RequestFile = $RequestFile RestoreFromRecycleBin = $RestoreFromRecycleBin EnabledOnCreation = $EnabledOnCreation DistinguishedName = $null SID = $null SamAccountName = $null } $getADComputerResult = $null try { <# Create an array of the Active Directory Computer object property names to retrieve from the Computer object. #> $computerObjectProperties = Convert-PropertyMapToObjectProperties -PropertyMap $script:computerObjectPropertyMap <# When the property ServicePrincipalName is read with Get-ADComputer the property name must be 'ServicePrincipalNames', but when it is written with Set-ADComputer the property name must be 'ServicePrincipalName'. This difference is handled here. #> $computerObjectProperties = @($computerObjectProperties | Where-Object -FilterScript { $_ -ne 'ServicePrincipalName' }) $computerObjectProperties += @('ServicePrincipalNames') Write-Verbose -Message ($script:localizedData.RetrievingComputerAccount -f $ComputerName) $getADComputerParameters = Get-ADCommonParameters @PSBoundParameters $getADComputerParameters['Properties'] = $computerObjectProperties # If the computer account is not found Get-ADComputer will throw an error. $getADComputerResult = Get-ADComputer @getADComputerParameters Write-Verbose -Message ($script:localizedData.ComputerAccountIsPresent -f $ComputerName) $getTargetResourceReturnValue['Ensure'] = 'Present' $getTargetResourceReturnValue['ComputerName'] = $getADComputerResult.CN $getTargetResourceReturnValue['Location'] = $getADComputerResult.Location $getTargetResourceReturnValue['DnsHostName'] = $getADComputerResult.DnsHostName $getTargetResourceReturnValue['ServicePrincipalNames'] = [System.String[]] $getADComputerResult.ServicePrincipalNames $getTargetResourceReturnValue['UserPrincipalName'] = $getADComputerResult.UserPrincipalName $getTargetResourceReturnValue['DisplayName'] = $getADComputerResult.DisplayName $getTargetResourceReturnValue['Path'] = Get-ADObjectParentDN -DN $getADComputerResult.DistinguishedName $getTargetResourceReturnValue['Description'] = $getADComputerResult.Description $getTargetResourceReturnValue['Enabled'] = $getADComputerResult.Enabled $getTargetResourceReturnValue['Manager'] = $getADComputerResult.ManagedBy $getTargetResourceReturnValue['DomainController'] = $DomainController $getTargetResourceReturnValue['Credential'] = $Credential $getTargetResourceReturnValue['RequestFile'] = $RequestFile $getTargetResourceReturnValue['RestoreFromRecycleBin'] = $RestoreFromRecycleBin $getTargetResourceReturnValue['EnabledOnCreation'] = $EnabledOnCreation $getTargetResourceReturnValue['DistinguishedName'] = $getADComputerResult.DistinguishedName $getTargetResourceReturnValue['SID'] = $getADComputerResult.SID $getTargetResourceReturnValue['SamAccountName'] = $getADComputerResult.SamAccountName } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { Write-Verbose -Message ($script:localizedData.ComputerAccountIsAbsent -f $ComputerName) } catch { $errorMessage = $script:localizedData.FailedToRetrieveComputerAccount -f $ComputerName New-InvalidOperationException -Message $errorMessage -ErrorRecord $_ } return $getTargetResourceReturnValue } <# .SYNOPSIS Determines if the Active Directory computer account is in the desired state. .PARAMETER ComputerName Specifies the name of the Active Directory computer account to manage. You can identify a computer by its distinguished name, GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. .PARAMETER Ensure Specifies whether the computer account is present or absent. Valid values are 'Present' and 'Absent'. The default is 'Present'. .PARAMETER UserPrincipalName Specifies the UPN assigned to the computer account. .PARAMETER DisplayName Specifies the display name of the computer. .PARAMETER Path Specifies the X.500 path of the container where the computer is located. .PARAMETER Location Specifies the location of the computer, such as an office number. .PARAMETER DnsHostName Specifies the fully qualified domain name (FQDN) of the computer. .PARAMETER ServicePrincipalNames Specifies the service principal names for the computer account. .PARAMETER Description Specifies a description of the computer account. .PARAMETER Manager Specifies the user or group Distinguished Name that manages the computer account. Valid values are the user's or group's DistinguishedName, ObjectGUID, SID or SamAccountName. .PARAMETER RequestFile Specifies the full path to the Offline Domain Join Request file to create. .PARAMETER DomainController Specifies the Active Directory Domain Services instance to connect to perform the task. .PARAMETER Credential Specifies the user account credentials to use to perform the task. .PARAMETER RestoreFromRecycleBin Try to restore the organizational unit from the recycle bin before creating a new one. .PARAMETER EnabledOnCreation Specifies if the computer account is created enabled or disabled. By default the Enabled property of the computer account will be set to the default value of the cmdlet New-ADComputer. This property is ignored if the parameter RequestFile is specified in the same configuration. This parameter does not enforce the property `Enabled`. To enforce the property `Enabled` see the resource ADObjectEnabledState. #> function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( # Common Name [Parameter(Mandatory = $true)] [System.String] $ComputerName, [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateNotNull()] [System.String] $UserPrincipalName, [Parameter()] [ValidateNotNull()] [System.String] $DisplayName, [Parameter()] [ValidateNotNull()] [System.String] $Path, [Parameter()] [ValidateNotNull()] [System.String] $Location, [Parameter()] [ValidateNotNull()] [System.String] $DnsHostName, [Parameter()] [ValidateNotNull()] [System.String[]] $ServicePrincipalNames, [Parameter()] [ValidateNotNull()] [System.String] $Description, [Parameter()] [ValidateNotNull()] [System.String] $Manager, [Parameter()] [ValidateNotNull()] [System.String] $RequestFile, [Parameter()] [ValidateNotNull()] [System.String] $DomainController, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential, [Parameter()] [ValidateNotNull()] [System.Boolean] $RestoreFromRecycleBin, [Parameter()] [ValidateNotNull()] [System.Boolean] $EnabledOnCreation ) Write-Verbose -Message ( $script:localizedData.TestConfiguration -f $ComputerName ) $getTargetResourceParameters = @{ ComputerName = $ComputerName RequestFile = $RequestFile DomainController = $DomainController Credential = $Credential RestoreFromRecycleBin = $RestoreFromRecycleBin EnabledOnCreation = $EnabledOnCreation } # Need the @() around this to get a new array to enumerate. @($getTargetResourceParameters.Keys) | ForEach-Object { if (-not $PSBoundParameters.ContainsKey($_)) { $getTargetResourceParameters.Remove($_) } } $getTargetResourceResult = Get-TargetResource @getTargetResourceParameters $testTargetResourceReturnValue = $true if ($Ensure -eq 'Absent') { if ($getTargetResourceResult.Ensure -eq 'Present') { Write-Verbose -Message ( $script:localizedData.ComputerAccountShouldBeAbsent -f $ComputerName ) $testTargetResourceReturnValue = $false } } else { if ($getTargetResourceResult.Ensure -eq 'Absent') { Write-Verbose -Message ( $script:localizedData.ComputerAccountShouldBePresent -f $ComputerName ) $testTargetResourceReturnValue = $false } else { <# - Ignores the parameter ComputerName since we are not supporting renaming a computer account. - Ignore to compare the parameter ServicePrincipalNames here because it needs a special comparison, so it is handled afterwards. - Ignores the Enabled property because it is not enforced in this resource. #> $compareTargetResourceStateParameters = @{ CurrentValues = $getTargetResourceResult DesiredValues = $PSBoundParameters # This gives an array of properties to compare. Properties = $script:computerObjectPropertyMap.ParameterName # But these properties IgnoreProperties = @( 'ComputerName' 'ServicePrincipalNames' 'Enabled' ) } $compareTargetResourceStateResult = Compare-ResourcePropertyState @compareTargetResourceStateParameters if ($false -in $compareTargetResourceStateResult.InDesiredState) { $testTargetResourceReturnValue = $false } if ($PSBoundParameters.ContainsKey('ServicePrincipalNames')) { $testServicePrincipalNamesParameters = @{ ExistingServicePrincipalNames = $getTargetResourceResult.ServicePrincipalNames ServicePrincipalNames = $ServicePrincipalNames } $testTargetResourceReturnValue = Test-ServicePrincipalNames @testServicePrincipalNamesParameters } } } if ($testTargetResourceReturnValue) { Write-Verbose -Message ($script:localizedData.ComputerAccountInDesiredState -f $ComputerName) } else { Write-Verbose -Message ($script:localizedData.ComputerAccountNotInDesiredState -f $ComputerName) } return $testTargetResourceReturnValue } <# .SYNOPSIS Creates, removes or modifies the Active Directory computer account. .PARAMETER ComputerName Specifies the name of the Active Directory computer account to manage. You can identify a computer by its distinguished name, GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. .PARAMETER Ensure Specifies whether the computer account is present or absent. Valid values are 'Present' and 'Absent'. The default is 'Present'. .PARAMETER UserPrincipalName Specifies the UPN assigned to the computer account. .PARAMETER DisplayName Specifies the display name of the computer. .PARAMETER Path Specifies the X.500 path of the container where the computer is located. .PARAMETER Location Specifies the location of the computer, such as an office number. .PARAMETER DnsHostName Specifies the fully qualified domain name (FQDN) of the computer. .PARAMETER ServicePrincipalNames Specifies the service principal names for the computer account. .PARAMETER Description Specifies a description of the computer account. .PARAMETER Manager Specifies the user or group Distinguished Name that manages the computer account. Valid values are the user's or group's DistinguishedName, ObjectGUID, SID or SamAccountName. .PARAMETER RequestFile Specifies the full path to the Offline Domain Join Request file to create. .PARAMETER DomainController Specifies the Active Directory Domain Services instance to connect to perform the task. .PARAMETER Credential Specifies the user account credentials to use to perform the task. .PARAMETER RestoreFromRecycleBin Try to restore the organizational unit from the recycle bin before creating a new one. .PARAMETER EnabledOnCreation Specifies if the computer account is created enabled or disabled. By default the Enabled property of the computer account will be set to the default value of the cmdlet New-ADComputer. This property is ignored if the parameter RequestFile is specified in the same configuration. This parameter does not enforce the property `Enabled`. To enforce the property `Enabled` see the resource ADObjectEnabledState. #> function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.String] $ComputerName, [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateNotNull()] [System.String] $UserPrincipalName, [Parameter()] [ValidateNotNull()] [System.String] $DisplayName, [Parameter()] [ValidateNotNull()] [System.String] $Path, [Parameter()] [ValidateNotNull()] [System.String] $Location, [Parameter()] [ValidateNotNull()] [System.String] $DnsHostName, [Parameter()] [ValidateNotNull()] [System.String[]] $ServicePrincipalNames, [Parameter()] [ValidateNotNull()] [System.String] $Description, [Parameter()] [ValidateNotNull()] [System.String] $Manager, [Parameter()] [ValidateNotNull()] [System.String] $RequestFile, [Parameter()] [ValidateNotNull()] [System.String] $DomainController, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential, [Parameter()] [ValidateNotNull()] [System.Boolean] $RestoreFromRecycleBin, [Parameter()] [ValidateNotNull()] [System.Boolean] $EnabledOnCreation ) $getTargetResourceParameters = @{ ComputerName = $ComputerName RequestFile = $RequestFile DomainController = $DomainController Credential = $Credential RestoreFromRecycleBin = $RestoreFromRecycleBin EnabledOnCreation = $EnabledOnCreation } # Need the @() around this to get a new array to enumerate. @($getTargetResourceParameters.Keys) | ForEach-Object { if (-not $PSBoundParameters.ContainsKey($_)) { $getTargetResourceParameters.Remove($_) } } $getTargetResourceResult = Get-TargetResource @getTargetResourceParameters if ($Ensure -eq 'Present') { if ($getTargetResourceResult.Ensure -eq 'Absent') { $restorationSuccessful = $false # Try to restore computer account from recycle bin if it exists. if ($RestoreFromRecycleBin) { Write-Verbose -Message ( $script:localizedData.RestoringComputerAccount -f $ComputerName ) $restoreADCommonObjectParameters = Get-ADCommonParameters @PSBoundParameters $restoreADCommonObjectParameters['ObjectClass'] = 'Computer' $restoreADCommonObjectParameters['ErrorAction'] = 'Stop' $restorationSuccessful = Restore-ADCommonObject @restoreADCommonObjectParameters } if (-not $RestoreFromRecycleBin -or ($RestoreFromRecycleBin -and -not $restorationSuccessful)) { <# The computer account does not exist, or the computer account was not present in recycle bin, so the computer account needs to be created. #> if ($RequestFile) { <# Use DJOIN to create the computer account as well as the Offline Domain Join (ODJ) request file. #> # This should only be performed on a Domain Member, so detect the Domain Name. $domainName = Get-DomainName Write-Verbose -Message ( $script:localizedData.CreateOfflineDomainJoinRequest -f $RequestFile, $ComputerName, $domainName ) $dJoinArguments = @( '/PROVISION' '/DOMAIN', $domainName '/MACHINE', $ComputerName ) if ($PSBoundParameters.ContainsKey('Path')) { $dJoinArguments += @( '/MACHINEOU', $Path ) } if ($PSBoundParameters.ContainsKey('DomainController')) { $dJoinArguments += @( '/DCNAME', $DomainController ) } $dJoinArguments += @( '/SAVEFILE', $RequestFile ) $startProcessParameters = @{ FilePath = 'djoin.exe' ArgumentList = $dJoinArguments Timeout = 300 } $dJoinProcessExitCode = Start-ProcessWithTimeout @startProcessParameters if ($dJoinProcessExitCode -ne 0) { $errorMessage = $script:localizedData.FailedToCreateOfflineDomainJoinRequest -f $ComputerName, $dJoinProcessExitCode New-InvalidOperationException -Message $errorMessage } else { Write-Verbose -Message ( $script:localizedData.CreatedOfflineDomainJoinRequestFile -f $RequestFile ) } } else { $newADComputerParameters = Get-ADCommonParameters @PSBoundParameters -UseNameParameter if ($PSBoundParameters.ContainsKey('Path')) { Write-Verbose -Message ( $script:localizedData.CreateComputerAccountInPath -f $ComputerName, $Path ) $newADComputerParameters['Path'] = $Path } else { Write-Verbose -Message ( $script:localizedData.CreateComputerAccount -f $ComputerName ) } <# If the parameter EnabledOnCreation is specified, then the property Enabled is set to that value. #> if ($PSBoundParameters.ContainsKey('EnabledOnCreation')) { if ($EnabledOnCreation) { Write-Verbose -Message ($script:localizedData.EnabledComputerAccount -f $ComputerName) } else { Write-Verbose -Message ($script:localizedData.DisabledComputerAccount -f $ComputerName) } $newADComputerParameters['Enabled'] = $EnabledOnCreation } New-ADComputer @newADComputerParameters } } <# Now retrieve the newly created computer account so the other properties can be set if specified. #> $getTargetResourceResult = Get-TargetResource @getTargetResourceParameters } <# - Ignores the parameter ComputerName since we are not supporting renaming a computer account. - Ignore to compare the parameter ServicePrincipalNames here because it needs a special comparison, so it is handled afterwards. - Ignores the Enabled property because it is not enforced in this resource. #> $compareTargetResourceStateParameters = @{ CurrentValues = $getTargetResourceResult DesiredValues = $PSBoundParameters # This gives an array of properties to compare. Properties = $script:computerObjectPropertyMap.ParameterName # But these properties IgnoreProperties = @( 'ComputerName' 'ServicePrincipalNames' 'Enabled' ) } $compareTargetResourceStateResult = Compare-ResourcePropertyState @compareTargetResourceStateParameters if ($PSBoundParameters.ContainsKey('ServicePrincipalNames')) { $testServicePrincipalNamesParameters = @{ ExistingServicePrincipalNames = $getTargetResourceResult.ServicePrincipalNames ServicePrincipalNames = $ServicePrincipalNames } $compareTargetResourceStateResult += @{ ParameterName = 'ServicePrincipalNames' Expected = $testServicePrincipalNamesParameters.ServicePrincipalNames Actual = $testServicePrincipalNamesParameters.ExistingServicePrincipalNames InDesiredState = Test-ServicePrincipalNames @testServicePrincipalNamesParameters } } $commonParameters = Get-ADCommonParameters @PSBoundParameters if ($compareTargetResourceStateResult.Where( { $_.ParameterName -eq 'Path' -and -not $_.InDesiredState })) { <# Must move the computer account since we can't simply update the DistinguishedName property It does not work moving the computer account using the SamAccountName as the identity, so using the property DistinguishedName instead. #> $moveADObjectParameters = $commonParameters.Clone() $moveADObjectParameters['Identity'] = $getTargetResourceResult.DistinguishedName Write-Verbose -Message ( $script:localizedData.MovingComputerAccount -f $ComputerName, $getTargetResourceResult.Path, $Path ) Move-ADObject @moveADObjectParameters -TargetPath $Path } $replaceComputerProperties = @{} $removeComputerProperties = @{} # Get all properties, other than Path, that is not in desired state. $propertiesNotInDesiredState = $compareTargetResourceStateResult | Where-Object -FilterScript { $_.ParameterName -ne 'Path' -and -not $_.InDesiredState } foreach ($property in $propertiesNotInDesiredState) { $computerAccountPropertyName = ($script:computerObjectPropertyMap | Where-Object -FilterScript { $_.ParameterName -eq $property.ParameterName }).PropertyName if (-not $computerAccountPropertyName) { $computerAccountPropertyName = $property.ParameterName } if ($property.Expected) { Write-Verbose -Message ( $script:localizedData.UpdatingComputerAccountProperty -f $computerAccountPropertyName, ($property.Expected -join ''',''') ) # Replace the current value. $replaceComputerProperties[$computerAccountPropertyName] = $property.Expected } else { Write-Verbose -Message ( $script:localizedData.RemovingComputerAccountProperty -f $property.ParameterName, ($property.Actual -join ''',''') ) # Remove the current value since the desired value is empty or nothing. $removeComputerProperties[$computerAccountPropertyName] = $property.Actual } } $setADComputerParameters = $commonParameters.Clone() # Set-ADComputer is only called if we have something to change. if ($replaceComputerProperties.Count -gt 0 -or $removeComputerProperties.Count -gt 0) { if ($replaceComputerProperties.Count -gt 0) { $setADComputerParameters['Replace'] = $replaceComputerProperties } if ($removeComputerProperties.Count -gt 0) { $setADComputerParameters['Remove'] = $removeComputerProperties } Set-DscADComputer -Parameters $setADComputerParameters Write-Verbose -Message ( $script:localizedData.UpdatedComputerAccount -f $ComputerName ) } } elseif ($Ensure -eq 'Absent' -and $getTargetResourceResult.Ensure -eq 'Present') { # User exists and needs removing Write-Verbose -Message ( $script:localizedData.RemovingComputerAccount -f $ComputerName ) $removeADComputerParameters = Get-ADCommonParameters @PSBoundParameters $removeADComputerParameters['Confirm'] = $false Remove-ADComputer @removeADComputerParameters | Out-Null } } <# .SYNOPSIS This evaluates the service principal names current state against the desired state. .PARAMETER ExistingServicePrincipalNames An array of existing service principal names that should be compared against the array in parameter ServicePrincipalNames. .PARAMETER ServicePrincipalNames An array of the desired service principal names that should be compared against the array in parameter ExistingServicePrincipalNames. #> function Test-ServicePrincipalNames { param ( [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [System.String[]] $ExistingServicePrincipalNames, [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [AllowEmptyString()] [System.String[]] $ServicePrincipalNames ) $testServicePrincipalNamesReturnValue = $true $testMembersParameters = @{ ExistingMembers = $ExistingServicePrincipalNames Members = $ServicePrincipalNames } if (-not (Test-Members @testMembersParameters)) { Write-Verbose -Message ( $script:localizedData.ServicePrincipalNamesNotInDesiredState ` -f ($ExistingServicePrincipalNames -join ','), ($ServicePrincipalNames -join ',') ) $testServicePrincipalNamesReturnValue = $false } else { Write-Verbose -Message ( $script:localizedData.ServicePrincipalNamesInDesiredState ) } return $testServicePrincipalNamesReturnValue } Export-ModuleMember -Function *-TargetResource |