Active Directory Management Framework

Configuration driven Active Directory management.

Credential Providers

Description

Credential providers are used to resolve the credentials that are used for all actions performed against Active Directory.

For example, the ADMF could be extended to integrate a password safe solution: when connecting to a target domain, the provider scriptblock would retrieve the required credentials from the password safe.

Custom privilege grant workflows can also be integrated this way. For example, you could temporarily grant Schema Admin permissions before updating schema components and revoke them again afterwards.

Credential Providers are integrated into the ADMF wrapper commands, such as Test-AdmfDomain.

They are not integrated into the individual Component commands, such as Invoke-DMUser or Test-FMSchema!

Implementing a Credential Provider

A credential provider consists of two scriptblocks: a PreScript, which runs before the actions against the target and whose output is the credential the ADMF will use, and a PostScript, which runs after processing is done and is typically used for cleanup.

Both scriptblocks receive a single input object with two properties: Server (the target server or domain specified on the wrapper command) and Credential (the credential specified on the wrapper command, if any).

Example: Basic Secrets Management

Register-AdmfCredentialProvider -Name Secrets -PreScript {
    Param (
        $Data
    )

    # Look up the credential stored under the target server's name and return it
    Get-Secret $Data.Server
}

Then later you would use it like this:

Test-AdmfDomain -Server contoso.com -CredentialProvider Secrets

Example: Temporary Schema Admin

Register-AdmfCredentialProvider -Name Schema -PreScript {
    Param (
        $Data
    )

    # Pin all operations to the PDC emulator so the pre- and post-scripts work against the same DC
    $parameters = $Data | ConvertTo-PSFHashtable -Include Server, Credential
    $domain = Get-ADDomain @parameters
    $parameters.Server = $domain.PDCEmulator

    # Generate a long random password using the DomainManagement module's internal helper
    $password = & (Get-Module DomainManagement) { New-Password -Length 256 -AsSecureString }

    # -PassThru is required: without it New-ADUser returns nothing and $user would be empty
    $user = New-ADUser @parameters -SamAccountName "tempSchemaAdmin" -Name "tempSchemaAdmin" -AccountPassword $password -Enabled $true -PassThru
    $group = Get-ADGroup @parameters -Identity 'Schema Admins'
    Add-ADPrincipalGroupMembership @parameters -Identity $user -MemberOf $group

    # The credential returned here is what the ADMF uses for the actual processing
    [PSCredential]::new("tempSchemaAdmin@$($domain.DNSRoot)", $password)
} -PostScript {
    Param (
        $Data
    )

    $parameters = $Data | ConvertTo-PSFHashtable -Include Server, Credential
    $parameters.Server = (Get-ADDomain @parameters).PDCEmulator

    # -Confirm:$false suppresses the interactive confirmation prompt Remove-ADUser shows by default
    Remove-ADUser @parameters -Identity 'tempSchemaAdmin' -Confirm:$false
}

This credential provider creates a temporary account and adds it to the Schema Admins group. After processing is done, it deletes the account again.

The Default Provider

There is a default Credential provider implemented in the ADMF itself:

Register-AdmfCredentialProvider -Name default -PreScript {
    param (
        $Data
    )
    $Data.Credential
}

This provider is used in all calls where no other Credential Provider was specified. If you want to change the default Credential Provider, define a new Credential Provider under the name "default", overwriting the previous Provider. Just keep in mind that any error in it might leave you unable to perform any authentication until fixed!
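The following is an added example of overriding the default provider without losing the safety net described above; it is not part of the ADMF itself. It assumes a SecretManagement vault named "AdmfVault" (an assumption, not something the ADMF provides) that stores PSCredential secrets named after the target server, such as "contoso.com". An explicitly supplied credential is passed through unchanged, exactly as the built-in default does; a missing vault entry falls back to the built-in behaviour instead of throwing, while a vault credential that is rejected by the domain fails loudly before any processing starts.

```powershell
# Added example: replacement "default" provider with vault lookup and fallback.
# Assumptions: SecretManagement vault "AdmfVault" exists and holds PSCredential
# secrets keyed by server name (e.g. "contoso.com"). Both are placeholders.
Register-AdmfCredentialProvider -Name default -PreScript {
    param (
        $Data
    )

    # An explicit -Credential on the wrapper command always wins, as in the built-in provider
    if ($Data.Credential) {
        return $Data.Credential
    }

    # No credential supplied: try the vault, but a lookup failure must not break authentication,
    # so fall back to what the built-in default provider would have returned ($Data.Credential)
    try {
        $secret = Get-Secret -Name $Data.Server -Vault AdmfVault -ErrorAction Stop
    }
    catch {
        Write-PSFMessage -Level Warning -Message "No vault entry for $($Data.Server), using built-in default behaviour" -ErrorRecord $_
        return $Data.Credential
    }

    if ($secret -isnot [PSCredential]) {
        Write-PSFMessage -Level Warning -Message "Vault entry for $($Data.Server) is not a PSCredential, using built-in default behaviour"
        return $Data.Credential
    }

    # Verify the credential is accepted by the target domain before handing it back, so a
    # stale vault entry fails here with a clear message rather than midway through a run
    try {
        $null = Get-ADDomain -Server $Data.Server -Credential $secret -ErrorAction Stop
    }
    catch {
        throw "Vault credential for $($Data.Server) was rejected by the domain: $_"
    }

    $secret
} -PostScript {
    param (
        $Data
    )

    # Nothing to clean up; record the end of processing for audit purposes
    Write-PSFMessage -Level Verbose -Message "Finished processing $($Data.Server)"
}
```

The deliberate throw after a rejected vault credential is the one place this provider can still block authentication, which is the desired outcome: a wrong stored credential should surface immediately instead of producing a partial run. Every other failure path returns the same value the built-in default provider would have returned, so registering this provider with a misconfigured vault degrades to the original behaviour rather than to no authentication at all.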