Pester – Validate home directory share permissions

In our company a user’s home directory is created through a script. Unfortunately, the script had been somewhat broken for at least a few months. Home directories created during that time have wrong permissions and need to be fixed.

With hundreds of home directories this needs to be scripted – so I thought why not use Pester for that.

Describing Tests ACL of [\\homedrive\home$\jsp\]
   Context jsp
    [+] ACL should contain only 3 ACEs 66ms
    [+] ACL should contain [mydomain\fileradmins] 14ms
    [+] ACL should contain [mydomain\Domain-Admins] 13ms
    [+] ACL should contain [mydomain\jsp] 14ms
Describing Tests ACL of [\\homedrive\home$\jsp\MyScans]
   Context jsp
    [+] [\\homedrive\home$\jsp\MyScans] should exist 83ms
    [+] ACL should contain only 4 ACEs 9ms
    [+] ACL should contain [mydomain\printerserviceaccount] 15ms
Tests completed in 219ms
Passed: 7 Failed: 0 Skipped: 0 Pending: 0





Describing Tests ACL of [\\homedrive\home$\pfisterer\]
   Context pfisterer
    [-] ACL should contain only 3 ACEs 65ms
      Expected: {3}
      But was:  {4}
      at line: 10 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      10:             $Acl.Access.Count | Should Be 3
    [-] ACL should contain [mydomain\fileradmins] 14ms
      Expected: {FullControl}
      But was:  {}
      at line: 18 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      18:             $ACE.FileSystemRights  | Should Be 'FullControl'
    [-] ACL should contain [mydomain\Domain-Admins] 13ms
      Expected: {FullControl}
      But was:  {}
      at line: 30 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      30:             $ACE.FileSystemRights  | Should Be 'FullControl'
    [-] ACL should contain [mydomain\pfisterer] 14ms
      Expected: {Modify, Synchronize}
      But was:  {}
      at line: 42 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      42:             $ACE.FileSystemRights  | Should Be 'Modify, Synchronize'
Describing Tests ACL of [\\homedrive\home$\pfisterer\MyScans]
   Context pfisterer
    [+] [\\homedrive\home$\pfisterer\MyScans] should exist 110ms
    [-] ACL should contain only 4 ACEs 10ms
      Expected: {4}
      But was:  {5}
      at line: 66 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      66:             $Acl.Access.Count | Should Be 4
    [+] ACL should contain [mydomain\printerserviceaccount] 16ms
Tests completed in 244ms
Passed: 2 Failed: 5 Skipped: 0 Pending: 0

By default our home directories have Access Control Entries (ACEs) for the domain admins and storage admins groups with full access and the respective user account with modify permissions. For our printers’ “scan to home directory”-feature we have to ensure that a folder called MyScans exists in the user’s home directory. That folder needs an additional ACE of the printing service account with write permissions.

Advertisements

Pester – Operational validation

I’ve started using Pester for practical validation scenarios in our company. I recently discovered that someone from our SQL consulting company has disabled the firewall on all of our Windows Server 2012 R2 machines that run SQL Server 2014 – a thing that I’m not going to tolerate.

Here’s the firewall test code. You’ll see that I’m using a Pester feature called Testcases in order to minimize redundant code. Unfortunately, test cases are not described in the Pester wiki on github – I believe they’d be more widely used if that were the case.

PS ov:\> ls


    Directory: D:\Pester
          
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       14.02.2016     13:30           2000 FirewallStatus.Tests.ps1


PS ov:\> Invoke-Pester


Describing Firewall is enabled
        
 [+] tests if the Domain Profile is enabled 3.02s
 [+] tests if the Public Profile is enabled 199ms
 [+] tests if the Private Profile is enabled 211ms

Tests completed in 3.43s
Passed: 3 Failed: 0 Skipped: 0 Pending: 0 Inconclusive: 0
PS ov:\> Invoke-Pester -Script @{ Path = '.'; Parameters = @{ ComputerName = 'localhost' } }


Describing Firewall is enabled 

 [+] tests if the Domain Profile is enabled 2.95s
 [+] tests if the Public Profile is enabled 168ms
 [+] tests if the Private Profile is enabled 218ms

Tests completed in 3.34s
Passed: 3 Failed: 0 Skipped: 0 Pending: 0 Inconclusive: 0

Examples

Stay tuned for my post-deployment validation tests.