mcollera · chasewilson · Mar 18, 2019 · Mar 1, 2019 · Mar 4, 2019 · Mar 6, 2019
diff --git a/AccessControlDsc.psd1 b/AccessControlDsc.psd1
@@ -1,10 +1,6 @@
-#
-# Module manifest for module 'AccessControlDsc'
-#
-# Generated by: Adam Hynes
-#
-# Generated on: 8/21/2017
-#
+
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
 
 @{
     # Version number of this module.
@@ -28,39 +24,6 @@
     # Minimum version of the Windows PowerShell engine required by this module
     PowerShellVersion = '4.0'
 
-    # Name of the Windows PowerShell host required by this module
-    # PowerShellHostName = ''
-
-    # Minimum version of the Windows PowerShell host required by this module
-    # PowerShellHostVersion = ''
-
-    # Minimum version of the .NET Framework required by this module
-    # DotNetFrameworkVersion = ''
-
-    # Minimum version of the common language runtime (CLR) required by this module
-    # CLRVersion = ''
-
-    # Processor architecture (None, X86, Amd64) required by this module
-    # ProcessorArchitecture = ''
-
-    # Modules that must be imported into the global environment prior to importing this module
-    # RequiredModules = @()
-
-    # Assemblies that must be loaded prior to importing this module
-    # RequiredAssemblies = @()
-
-    # Script files (.ps1) that are run in the caller's environment prior to importing this module.
-    # ScriptsToProcess = ''
-
-    # Type files (.ps1xml) to be loaded when importing this module
-    # TypesToProcess = 'PowerShellAccessControl.types.ps1xml'
-
-    # Format files (.ps1xml) to be loaded when importing this module
-    # FormatsToProcess = ''
-
-    # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-    # NestedModules = @()
-
     # Functions to export from this module
     FunctionsToExport = @()
 
@@ -73,23 +36,8 @@
     # Aliases to export from this module
     AliasesToExport = @()
 
-    # List of all modules packaged with this module.
-    # ModuleList = @()
-
-    # List of all files packaged with this module
-    # FileList = @()
-
-    # Private data to pass to the module specified in RootModule/ModuleToProcess
-    # PrivateData = ''
-
-    # HelpInfo URI of this module
-    # HelpInfoURI = ''
-
-    # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-    # DefaultCommandPrefix = ''
-
     # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
+    PrivateData = @{
 
         PSData = @{
 
@@ -102,14 +50,6 @@ PrivateData = @{
 
             # A URL to the main website for this project.
             ProjectUri = 'https://github.com/mcollera/AccessControlDsc'
-
-            # A URL to an icon representing this module.
-            # IconUri = ''
-
-            # ReleaseNotes of this module
-            #ReleaseNotes = ''
-        } # End of PSData hashtable
-
-    } # End of PrivateData hashtable
-
+        }
+    }
 }
diff --git a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1 b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
@@ -1,8 +1,31 @@
+try
+{
+    $importLocalizedDataParams = @{
+        BaseDirectory = $PSScriptRoot
+        UICulture     = $PSUICulture
+        FileName      = 'AccessControlResourceHelper.strings.psd1'
+        ErrorAction   = 'Stop'
+    }
+    $script:localizedData = Import-LocalizedData @importLocalizedDataParams
+}
+catch
+{
+    $importLocalizedDataParams.UICulture = 'en-US'
+    try
+    {
+        $script:localizedData = Import-LocalizedData @importLocalizedDataParams
+    }
+    catch
+    {
+        throw 'Unable to load localized data'
+    }
+}
+
 function Resolve-Identity
 {
     <#
         .SYNOPSIS
-            Resolves the principal name SID 
+            Resolves the principal name SID
 
         .PARAMETER Identity
             Specifies the identity of the principal.
@@ -24,7 +47,7 @@ function Resolve-Identity
 
         $tryNTService = $false
 
-        try 
+        try
         {
             if ($Identity -match '^S-\d-(\d+-){1,14}\d+$')
             {
@@ -58,20 +81,20 @@ function Resolve-Identity
                 [System.Security.Principal.NTAccount]$Id = "NT Service\" + $Identity
                 $SID = $Id.Translate([System.Security.Principal.SecurityIdentifier])
                 $NTAccount = $SID.Translate([System.Security.Principal.NTAccount])
-                
+
                 $Principal = [PSCustomObject]@{
                     Name = $NTAccount.Value
                     SID = $SID.Value
                 }
-    
+
                 return $Principal
             }
             catch
             {
                 $ErrorMessage = "Could not resolve identity '{0}': '{1}'." -f $Identity, $_.Exception.Message
                 Write-Error -Exception $_.Exception -Message $ErrorMessage
             }
-        }        
+        }
     }
 }
 
@@ -80,7 +103,7 @@ function Resolve-Identity
     Takes identity name and translates to SID
 
     .PARAMETER IdentityReference
-    System.Security.Principal.NTAccount object 
+    System.Security.Principal.NTAccount object
 
     .EXAMPLE
     $IdentityReference = (Get-Acl -Path C:\temp).access[0].IdentityReference
@@ -96,27 +119,27 @@ function ConvertTo-SID
         $IdentityReference
     )
 
-    try 
+    try
     {
         If($IdentityReference.Contains("\"))
         {
             $IdentityReference = $IdentityReference.split('\')[1]
         }
-        
+
         [System.Security.Principal.NTAccount]$PrinicipalName = $IdentityReference
         $SID = $PrinicipalName.Translate([System.Security.Principal.SecurityIdentifier])
-    
+
         Return $SID
     }
-    catch 
+    catch
     {
         # Probably NT Service which needs domain portion to translate without error
         [System.Security.Principal.NTAccount]$Id = "NT Service\" + $IdentityReference
         $SID = $Id.Translate([System.Security.Principal.SecurityIdentifier])
 
         return $SID
     }
-    
+
 }
 
 function Assert-Module
@@ -136,33 +159,33 @@ function Assert-Module
         $errorMessage = $localizedString.RoleNotFoundError -f $ModuleName;
         ThrowInvalidOperationError -ErrorId $errorId -ErrorMessage $errorMessage;
     }
-} 
+}
 
 function Get-DelegationRightsGuid
 {
-    Param 
+    Param
     (
         [Parameter()]
         [string]
         $ObjectName
     )
 
-    if($ObjectName)
+    if ($ObjectName)
     {
         # Create a hashtable to store the GUID value of each schemaGuids and rightsGuids
         $guidmap = @{}
         $rootdse = Get-ADRootDSE
-        Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID | 
-            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }
+        Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID |
+            Foreach-Object -Process {$guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID}
 
-        Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid | 
-            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
+        Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid |
+            Foreach-Object -Process {$guidmap[$_.Name] = [System.GUID]$_.rightsGuid}
 
         return [system.guid]$guidmap[$ObjectName]
     }
     else
     {
-        return [system.guid]"00000000-0000-0000-0000-000000000000"
+        return [system.guid]'00000000-0000-0000-0000-000000000000'
     }
 }
 
@@ -175,22 +198,84 @@ function Get-SchemaObjectName
         $SchemaIdGuid
     )
 
-    if($SchemaIdGuid)
+    if ($SchemaIdGuid -and ($SchemaIdGuid.Guid -ne '00000000-0000-0000-0000-000000000000'))
     {
         $guidmap = @{}
         $rootdse = Get-ADRootDSE
-        Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID | 
-            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }
+        Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID |
+            Foreach-Object -Process {$guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID}
 
-        Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid | 
-            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
+        Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid |
+            Foreach-Object -Process {$guidmap[$_.Name] = [System.GUID]$_.rightsGuid}
 
         # This is to address the edge case where one guid resolves to multiple names ex. f3a64788-5306-11d1-a9c5-0000f80367c1 resolves to Service-Principal-Name,Validated-SPN
-        $names = ( $guidmap.GetEnumerator() | Where-Object -FilterScript { $_.Value -eq $SchemaIdGuid } ).Name
+        $names = ($guidmap.GetEnumerator() | Where-Object -FilterScript {$_.Value -eq $SchemaIdGuid}).Name
         return $names -join ','
     }
     else
     {
-        return "none"
+        return 'None'
+    }
+}
+
+function Write-CustomVerboseMessage
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [System.String]
+        $Action,
+
+        [Parameter(Mandatory = $true)]
+        [System.String]
+        $Path,
+
+        [Parameter(Mandatory = $true)]
+        [ValidateScript({
+            $_ -is [System.DirectoryServices.ActiveDirectoryAccessRule] -or
+            $_ -is [System.DirectoryServices.ActiveDirectoryAuditRule] -or
+            $_ -is [System.Security.AccessControl.FileSystemAccessRule]
+        })]
+        $Rule
+    )
+
+    $properties = [ordered]@{
+        IdentityReference = $Rule.IdentityReference
+    }
+
+    switch ($Rule.GetType().Name)
+    {
+        'ActiveDirectoryAccessRule'
+        {
+            # future expansion
+            break
+        }
+
+        'ActiveDirectoryAuditRule'
+        {
+            $properties.Add('ActiveDirectoryRights', $Rule.ActiveDirectoryRights)
+            $properties.Add('AuditFlags', $Rule.AuditFlags)
+            $properties.Add('ObjectType', $(Get-SchemaObjectName -SchemaIdGuid $Rule.ObjectType))
+            $properties.Add('InheritanceType', $Rule.InheritanceType)
+            $properties.Add('InheritedObjectType', $(Get-SchemaObjectName -SchemaIdGuid $Rule.InheritedObjectType))
+            break
+        }
+
+        'FileSystemAccessRule'
+        {
+            $properties.Add('AccessControlType', $Rule.AccessControlType)
+            $properties.Add('FileSystemRights', $Rule.FileSystemRights)
+            $properties.Add('InheritanceFlags', $Rule.InheritanceFlags)
+            $properties.Add('PropagationFlags', $Rule.PropagationFlags)
+            break
+        }
+    }
+
+    Write-Verbose -Message $localizedData[$Action] -Verbose
+    Write-Verbose -Message ($localizedData.Path -f $Path) -Verbose
+
+    foreach ($property in $properties.Keys -as [array])
+    {
+        Write-Verbose -Message ($localizedData[$property] -f $properties[$property]) -Verbose
     }
 }
diff --git a/DscResources/AccessControlResourceHelper/en-US/AccessControlResourceHelper.strings.psd1 b/DscResources/AccessControlResourceHelper/en-US/AccessControlResourceHelper.strings.psd1
@@ -1,3 +1,31 @@
-ConvertFrom-StringData -StringData @'   
-
+ConvertFrom-StringData -StringData @'
+    ErrorPathNotFound        = The requested path '{0}' cannot be found.
+    AclNotFound              = Error obtaining '{0}' ACL.
+    AclFound                 = Obtained '{0}' ACL.
+    RemoveAccessError        = Unable to remove access for '{0}'.
+    RemoveAuditError         = Unable to remove audit for '{0}'.
+    InheritanceDetectedForce = Force set to '{0}', Inheritance detected on path '{1}', returning 'false'
+    ResetDisableInheritance  = Disabling inheritance and wiping all existing inherited rules.
+    ActionAddAccess          = Adding access rule:
+    ActionAddAudit           = Adding audit rule:
+    ActionRemoveAccess       = Removing access rule:
+    ActionRemoveAudit        = Removing audit rule:
+    ActionResetAdd           = Resetting explicit access control list and adding access rule:
+    ActionNonMatchPermission = Non-matching permission entry found:
+    ActionNonMatchAudit      = Non-matching audit rule found:
+    ActionMissPresentPerm    = Found missing [Ensure = Present] permission rule:
+    ActionMissPresentAudit   = Found missing [Ensure = Present] audit rule:
+    ActionAbsentPermission   = Found [Ensure = Absent] permission rule:
+    ActionAbsentAudit        = Found [Ensure = Absent] audit rule:
+    Path                     = > Path                  : '{0}'
+    IdentityReference        = > IdentityReference     : '{0}'
+    AccessControlType        = > AccessControlType     : '{0}'
+    FileSystemRights         = > FileSystemRights      : '{0}'
+    ActiveDirectoryRights    = > ActiveDirectoryRights : '{0}'
+    InheritanceFlags         = > InheritanceFlags      : '{0}'
+    PropagationFlags         = > PropagationFlags      : '{0}'
+    AuditFlags               = > AuditFlags            : '{0}'
+    ObjectType               = > ObjectType            : '{0}'
+    InheritanceType          = > InheritanceType       : '{0}'
+    InheritedObjectType      = > InheritedObjectType   : '{0}'
 '@