ADManagedServiceAccount: add TrustedForDelegation setting (#718)

CHANGELOG.md

@@ -8,7 +8,9 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md)
 ## [Unreleased]
 
 ### Added
-
+- ADManagedServiceAccount
+  - New parameter TrustedForDelegation for Kerberos Delegation
+    ([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
 - ADDomainController
   - New parameter UseExistingAccount for attaching a server to an existing RODC account.
     ([issue #711](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/711)).

source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.psm1

@@ -96,6 +96,7 @@ function Get-TargetResource
             'Enabled'
             'PrincipalsAllowedToRetrieveManagedPassword'
             'KerberosEncryptionType'
+            'TrustedForDelegation'
         )
     }
 
@@ -158,6 +159,7 @@ function Get-TargetResource
             DistinguishedName         = $adServiceAccount.DistinguishedName
             Enabled                   = $adServiceAccount.Enabled
             KerberosEncryptionType    = $adServiceAccount.KerberosEncryptionType -split (', ')
+            TrustedForDelegation      = $adServiceAccount.TrustedForDelegation
             ManagedPasswordPrincipals = $managedPasswordPrincipals
             MembershipAttribute       = $MembershipAttribute
             Ensure                    = 'Present'
@@ -176,6 +178,7 @@ function Get-TargetResource
             DistinguishedName         = $null
             Enabled                   = $false
             KerberosEncryptionType    = @()
+            TrustedForDelegation      = $null
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = $MembershipAttribute
             Ensure                    = 'Absent'
@@ -224,6 +227,9 @@ function Get-TargetResource
         This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes
         attribute.
 
+    .PARAMETER TrustedForDelegation
+        Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
+
     .PARAMETER ManagedPasswordPrincipals
         Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName
         'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.
@@ -294,6 +300,11 @@ function Test-TargetResource
         [System.String[]]
         $KerberosEncryptionType,
 
+        [Parameter()]
+        [ValidateNotNull()]
+        [System.Boolean]
+        $TrustedForDelegation,
+
         [Parameter()]
         [System.String[]]
         $ManagedPasswordPrincipals,
@@ -420,6 +431,9 @@ function Test-TargetResource
         This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes
         attribute.
 
+    .PARAMETER TrustedForDelegation
+        Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
+
     .PARAMETER ManagedPasswordPrincipals
         Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName
         'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.
@@ -498,6 +512,11 @@ function Set-TargetResource
         [System.String[]]
         $KerberosEncryptionType,
 
+        [Parameter()]
+        [ValidateNotNull()]
+        [System.Boolean]
+        $TrustedForDelegation,
+
         [Parameter()]
         [System.String[]]
         $ManagedPasswordPrincipals,

source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.schema.mof

@@ -10,6 +10,7 @@ class MSFT_ADManagedServiceAccount : OMI_BaseResource
     [Write, Description("Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller.")] String DomainController;
     [Write, Description("Specifies whether the user account is created or deleted. If not specified, this value defaults to Present."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
     [Write, Description("Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute."),ValueMap{"None","RC4","AES128","AES256"}, Values{"None","RC4","AES128","AES256"}] String KerberosEncryptionType[];
+    [Write, Description("Specifies whether an account is trusted for Kerberos delegation. Default value is $false.")] Boolean TrustedForDelegation;
     [Write, Description("Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.")] String ManagedPasswordPrincipals[];
     [Write, Description("Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName."), ValueMap{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}, Values{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}] String MembershipAttribute;
     [Write, Description("Specifies the X.500 path of the Organizational Unit (OU) or container where the new account is created. Specified as a Distinguished Name (DN).")] String Path;

source/DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt

@@ -45,6 +45,10 @@
     Allowed values: None, RC4, AES128, AES256
     Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute.
 
+.PARAMETER TrustedForDelegation
+    Write - Boolean
+    Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
+
 .PARAMETER ManagedPasswordPrincipals
     Write - StringArray
     Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.

tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1

@@ -77,6 +77,7 @@ try
             DisplayName               = 'TestSMSA'
             Enabled                   = $true
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            TrustedForDelegation      = $false
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = 'SamAccountName'
             Ensure                    = 'Present'
@@ -113,6 +114,7 @@ try
             DisplayName               = 'TestGMSA'
             Enabled                   = $true
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            TrustedForDelegation      = $true
             ManagedPasswordPrincipals = $mockADUSer.SamAccountName, $mockADComputer.SamAccountName
             MembershipAttribute       = 'SamAccountName'
             Ensure                    = 'Present'
@@ -129,6 +131,7 @@ try
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = $mockAdServiceAccountGroup.MembershipAttribute
             KerberosEncryptionType    = @()
+            TrustedForDelegation      = $null
             Ensure                    = 'Absent'
         }
 
@@ -139,6 +142,7 @@ try
             DistinguishedName      = $mockAdServiceAccountStandalone.DistinguishedName
             Enabled                = $mockAdServiceAccountStandalone.Enabled
             KerberosEncryptionType = $mockAdServiceAccountStandalone.KerberosEncryptionType
+            TrustedForDelegation   = $mockAdServiceAccountStandalone.TrustedForDelegation
             Name                   = $mockAdServiceAccountStandalone.ServiceAccountName
             ObjectClass            = 'msDS-ManagedServiceAccount'
             ObjectGUID             = '91bffe90-4c84-4026-b1fc-d03671ff56ad'
@@ -154,6 +158,7 @@ try
             DistinguishedName                          = $mockAdServiceAccountGroup.DistinguishedName
             Enabled                                    = $mockAdServiceAccountGroup.Enabled
             KerberosEncryptionType                     = $mockAdServiceAccountGroup.KerberosEncryptionType
+            TrustedForDelegation                       = $mockAdServiceAccountGroup.TrustedForDelegation
             Name                                       = $mockAdServiceAccountGroup.ServiceAccountName
             ObjectClass                                = 'msDS-GroupManagedServiceAccount'
             ObjectGUID                                 = '91bffe90-4c84-4026-b1fc-d03671ff56ae'
@@ -178,6 +183,8 @@ try
             Credential                = $mockCredentials
             DomainController          = $mockDomainController
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            TrustedForDelegation      = $false
+
         }
 
         $mockGetTargetResourceResultsGroup = @{
@@ -195,6 +202,7 @@ try
             Credential                = $mockCredentials
             DomainController          = $mockDomainController
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            TrustedForDelegation      = $false
         }
 
         $mockGetTargetResourceResultsStandAloneAbsent = @{
@@ -210,6 +218,7 @@ try
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = 'SamAccountName'
             KerberosEncryptionType    = @()
+            TrustedForDelegation      = $null
         }
 
         #region Function Get-TargetResource