functions/ntauthstore/Test-FMNTAuthStore.ps1

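function Test-FMNTAuthStore {
    <#
        .SYNOPSIS
            Tests whether the NTAuthStore is in the desired state.
         
        .DESCRIPTION
            Tests whether the NTAuthStore is in the desired state, that is, all defined certificates are already in place.
            Use Register-FMNTAuthStore to define the desired state.

            Each emitted test result is either an 'Add' (a configured certificate is missing from the store,
            or the store itself could not be found) or a 'Remove' (a stored certificate is not configured).
            'Remove' results are only produced when the store exists and the configuration is flagged as
            authoritative via $script:ntAuthStoreAuthorative.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
     
        .EXAMPLE
            PS C:\> Test-FMNTAuthStore -Server contoso.com
 
            Checks whether the contoso.com forest has all the NTAuth certificates it should
    #>

    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential
    )
    
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type ntAuthStoreCertificates -Cmdlet $PSCmdlet

        #region Utility Functions
        function New-TestResult {
            <#
                .SYNOPSIS
                    Creates a single NTAuthStore test result object.

                .PARAMETER Type
                    The kind of change the result describes ('Add' or 'Remove').

                .PARAMETER Identity
                    The certificate thumbprint the result refers to.

                .PARAMETER Changed
                    The properties that would change. Not set by this cmdlet; kept so all test results share one shape.

                .PARAMETER Server
                    The server / domain the test was run against. May be null.

                .PARAMETER Configuration
                    The configured certificate entry (set for 'Add' results).

                .PARAMETER ADObject
                    The store object (for 'Add' results) or the stored certificate (for 'Remove' results).
            #>
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
            [CmdletBinding()]
            Param (
                [Parameter(Mandatory = $true)]
                [string]
                $Type,

                [Parameter(Mandatory = $true)]
                [string]
                $Identity,

                [object[]]
                $Changed,

                [Parameter(Mandatory = $true)]
                [AllowNull()]
                [PSFComputer]
                $Server,

                $Configuration,

                $ADObject
            )
    
            process {
                $object = [PSCustomObject]@{
                    PSTypeName    = "ForestManagement.NTAuthStore.TestResult"
                    Type          = $Type
                    ObjectType    = "NTAuthStore"
                    Identity      = $Identity
                    Changed       = $Changed
                    Server        = $Server
                    Configuration = $Configuration
                    ADObject      = $ADObject
                }
                # Render as the thumbprint instead of the type name when the object is stringified
                Add-Member -InputObject $object -MemberType ScriptMethod -Name ToString -Value { $this.Identity } -Force
                $object
            }
        }
        #endregion Utility Functions

        $rootDSE = Get-ADRootDSE @parameters
        $storeObject = $null
        $storedCertificates = $null
        $hasStore = $false
        $storeDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"
        try {
            $storeObject = Get-ADObject @parameters -Identity $storeDN -ErrorAction Stop -Properties cACertificate
            # cACertificate holds the raw certificate bytes; wrap them so thumbprints can be compared
            $storedCertificates = $storeObject.cACertificate | ForEach-Object {
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_)
            }
            $hasStore = $storeObject -as [bool]
        }
        catch {
            # A missing store is a legitimate state: every configured certificate then becomes an 'Add'.
            # Any other failure (access denied, connectivity, a certificate blob that does not parse) must
            # not be silently mistaken for "store does not exist", since that would report every configured
            # certificate as missing. Surface it before falling back to the same result.
            $hasStore = $false
            if ($_.CategoryInfo.Category -ne 'ObjectNotFound') {
                Write-PSFMessage -Level Warning -Message "Failed to read the NTAuth store at $storeDN" -ErrorRecord $_
            }
        }
    }
    process {
        $configuredCertificates = Get-FMNTAuthStore

        # Shared parameters for 'Add' results; the store object is attached when one was found
        $addDefault = @{
            Server = $Server
        }
        if ($storeObject) { $addDefault.ADObject = $storeObject }

        foreach ($configuredCertificate in $configuredCertificates) {
            # Without a store, or with the certificate absent from it, the certificate must be added
            if ((-not $hasStore) -or ($configuredCertificate.Thumbprint -notin $storedCertificates.Thumbprint)) {
                New-TestResult @addDefault -Type 'Add' -Identity $configuredCertificate.Thumbprint -Configuration $configuredCertificate
            }
        }

        # Removals are only evaluated against an existing store and only when configuration is authoritative
        if (-not $hasStore) { return }
        if (-not $script:ntAuthStoreAuthorative) { return }
        
        # 'Remove' results carry the stored certificate itself as ADObject, not the store object.
        # NOTE(review): with an empty configuration every stored certificate is reported for removal
        # in authoritative mode - confirm this is the intended semantics of the authoritative flag.
        $removeDefault = @{
            Server = $Server
        }
        foreach ($storedCertificate in $storedCertificates) {
            if ($storedCertificate.Thumbprint -notin $configuredCertificates.Thumbprint) {
                New-TestResult @removeDefault -Type 'Remove' -Identity $storedCertificate.Thumbprint -ADObject $storedCertificate
            }
        }
    }
}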