Closed by Borgquite 1 month ago
I'm good with it. Since it is a new resource there is nothing breaking, and you concluded that it must be its own resource, it cannot be implemented in an existing resource.
So if you send in a PR with the corresponding unit test I will review and merge.
@Borgquite ping me in the PR if I forget to review.
Resource proposal
Continuing the discussion from #40 - I can let you know of a need for support for Add-ADDSReadOnlyDomainControllerAccount to implement a pre-staged account for an RODC.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller--rodc---level-200-
The situation would be to reduce the exposure of Domain Admin level privileges on DSC configurations stored on an RODC. Consider:
If such a resource would be accepted, I am happy to implement. Originally I thought it would be best to include in the ADComputer resource. However, I can now see that the basic code is going to look much more like ADDomainController - since Install-ADDSDomainController and Add-ADDSReadOnlyDomainControllerAccount are within the same PowerShell module and have extremely similar syntax, including the need for code to update SiteName/AllowPasswordReplicationAccountName, DelegatedAdministratorAccountName, DenyPasswordReplicationAccountName attributes. It should be fairly simple for me to duplicate the ADDomainController syntax / tests etc. to stand up the new ADReadOnlyDomainControllerAccount resource.
I'm very happy to get on and do this, provided I can count on the relevant people's support to get it merged in the end - @johlju?
Proposed properties
The same attributes as ADDomainController, without any that are unsupported by Add-ADDSReadOnlyDomainControllerAccount
https://learn.microsoft.com/en-us/powershell/module/addsdeployment/add-addsreadonlydomaincontrolleraccount?view=windowsserver2022-ps
Special considerations or limitations
Should work as described.
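
The two-stage flow that the proposed resource would wrap, shown with the underlying cmdlets as an added example (not part of the original issue and not the project's code). The domain, site, server and account names are constructed placeholders.

```powershell
# Added illustration; every name below is a constructed placeholder.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$rodcName = 'RODC01'
$domain   = 'corp.example.com'

# --- Stage 1: run by a Domain Admin from a management host or writable DC ---
# Only pre-stage the account if it does not already exist (idempotent check).
$existing = Get-ADComputer -Filter "Name -eq '$rodcName'" -ErrorAction Stop

if (-not $existing) {
    $stageParams = @{
        DomainControllerAccountName         = $rodcName
        DomainName                          = $domain
        SiteName                            = 'Branch-Site'
        # The delegated group can later attach the server without Domain Admin rights.
        DelegatedAdministratorAccountName   = 'CORP\Branch-RODC-Admins'
        # Only these principals may have passwords cached on the RODC.
        AllowPasswordReplicationAccountName = @('CORP\Branch-Users')
        # DenyPasswordReplicationAccountName is not set in this example.
        Credential                          = Get-Credential -Message 'Domain Admin'
    }
    Add-ADDSReadOnlyDomainControllerAccount @stageParams
}

# --- Stage 2: run on the branch server by a member of the delegated group ---
# The credential used here is the delegated account, not a Domain Admin,
# so nothing stored on the RODC carries domain-wide privileges.
$attachParams = @{
    DomainName                    = $domain
    UseExistingAccount            = $true
    Credential                    = Get-Credential -Message 'Delegated RODC admin'
    SafeModeAdministratorPassword = Read-Host -AsSecureString -Prompt 'DSRM password'
}
Install-ADDSDomainController @attachParams
```

After stage 1, the values on the pre-staged account can be checked with `Get-ADComputer -Identity RODC01 -Properties *` before the branch server is attached.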