Merge pull request #1319 from ykuijs/bugfix

Bugfix PR

CHANGELOG.md

@@ -6,22 +6,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+
+- SPSearchServiceApp
+  - Added ability to correct database permissions for the farm account, to prevent issue
+    as described in the Readme of the resource
 - SPSecurityTokenServiceConfig
   - Added support for LogonTokenCacheExpirationWindow, WindowsTokenLifetime and FormsTokenLifetime settings
 - SPService
   - New resource
-- SPUsageDefinition
-  - New resource
  - SPSecurityTokenServiceConfig
   - Added support for LogonTokenCacheExpirationWindow, WindowsTokenLifetime and FormsTokenLifetime settings
+- SPUsageDefinition
+  - New resource
+- SPUserProfileProperty
+  - Added check for unique ConnectionNames in PropertyMappings, which is required by SharePoint
+- SPWebAppAuthentication
+  - Added ability to configure generic authentication settings per zone, like allow
+    anonymous authentication or a custom signin page
 
 ### Fixed
+
 - SharePointDsc
-  - Fixed code coverage in pipeline.
+  - Fixed code coverage in pipeline
 - SPConfigWizard
   - Fixed issue with executing PSCONFIG remotely.
 - SPFarm
   - Fixed issue where developer dashboard could not be configured on first farm setup.
+  - Fixed issue with PSConfig in SharePoint 2019 when executed remotely
+  - Corrected issue where the setup account didn't have permissions to create the Lock
+    table in the TempDB. Updated to use a global temporary table, which users are always
+    allowed to create
 
 ## [4.6.0] - 2021-04-02
 

CODE_OF_CONDUCT.md

@@ -1,3 +1,9 @@
-# Code of Conduct
+# Microsoft Open Source Code of Conduct
 
-This project has adopted the [DSC Community Code of Conduct](https://dsccommunity.org/code_of_conduct).
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

SharePointDsc/DSCResources/MSFT_SPFarm/MSFT_SPFarm.psm1

@@ -1032,8 +1032,8 @@ function Set-TargetResource
             {
                 Write-Verbose -Message "The database does not exist, so create a new farm"
 
-                Write-Verbose -Message "Creating Lock database to prevent two servers creating the same farm"
-                Add-SPDscConfigDBLock -SQLServer $params.DatabaseServer `
+                Write-Verbose -Message "Creating Lock to prevent two servers creating the same farm"
+                $lockConnection = Add-SPDscConfigDBLock -SQLServer $params.DatabaseServer `
                     -Database $params.FarmConfigDatabaseName `
                     @databaseCredentialsParam
 
@@ -1063,9 +1063,10 @@ function Set-TargetResource
                 }
                 finally
                 {
-                    Write-Verbose -Message "Removing Lock database"
+                    Write-Verbose -Message "Removing Lock"
                     Remove-SPDscConfigDBLock -SQLServer $params.DatabaseServer `
                         -Database $params.FarmConfigDatabaseName `
+                        -Connection $lockConnection `
                         @databaseCredentialsParam
                 }
             }

SharePointDsc/DSCResources/MSFT_SPPowerPointAutomationServiceApp/MSFT_SPPowerPointAutomationServiceApp.psm1

@@ -362,7 +362,7 @@ function Set-TargetResource
             $serviceApps = Get-SPServiceApplication | Where-Object -FilterScript {
                 $_.Name -eq $params.Name
             }
-            
+
             if ($null -eq $serviceApps)
             {
                 return;

SharePointDsc/DSCResources/MSFT_SPSearchServiceApp/MSFT_SPSearchServiceApp.psm1

@@ -55,6 +55,10 @@ function Get-TargetResource
         [System.Boolean]
         $AlertsEnabled,
 
+        [Parameter()]
+        [System.Boolean]
+        $FixFarmAccountPermissions = $true,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $DefaultContentAccessAccount,
@@ -72,7 +76,8 @@ function Get-TargetResource
         $params = $args[0]
         $scriptRoot = $args[1]
 
-        Import-Module -Name (Join-Path $scriptRoot "MSFT_SPSearchServiceApp.psm1")
+        $modulePath = "..\..\Modules\SharePointDsc.Search\SPSearchServiceApp.psm1"
+        Import-Module -Name (Join-Path -Path $scriptRoot -ChildPath $modulePath -Resolve) -Verbose:$false
 
         [void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
         [void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration")
@@ -143,6 +148,53 @@ function Get-TargetResource
                 }
             }
 
+            Write-Verbose -Message "Checking Farm account permissions"
+            $farmAccountPermissionsNeedCorrecting = $false
+
+            $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
+            $dbServer = $serviceApp.SearchAdminDatabase.NormalizedDataSource
+
+            Write-Verbose -Message "Checking Admin Database"
+            $adminDB = $serviceApp.SearchAdminDatabase.Name
+            $farmAccountPermissionsNeedCorrecting = (Confirm-UserIsDBOwner -SQLServer $dbServer `
+                    -Database $adminDB `
+                    -User $farmAccount) -eq $false
+
+            Write-Verbose -Message "Checking Analytics reporting Database"
+            $analyticsDB = "$($adminDB)_AnalyticsReportingStore"
+            if ($farmAccountPermissionsNeedCorrecting -eq $false)
+            {
+                $farmAccountPermissionsNeedCorrecting = (Confirm-UserIsDBOwner -SQLServer $dbServer `
+                        -Database $analyticsDB `
+                        -User $farmAccount) -eq $false
+            }
+
+            Write-Verbose -Message "Checking Crawl Database(s)"
+            if ($farmAccountPermissionsNeedCorrecting -eq $false)
+            {
+                foreach ($database in (Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $serviceApp))
+                {
+                    $crawlDB = $database.Database.Name
+                    $dbServer = $database.Database.NormalizedDataSource
+                    $farmAccountPermissionsNeedCorrecting = (Confirm-UserIsDBOwner -SQLServer $dbServer `
+                            -Database $crawlDB `
+                            -User $farmAccount) -eq $false
+                }
+            }
+
+            Write-Verbose -Message "Checking Links Database(s)"
+            if ($farmAccountPermissionsNeedCorrecting -eq $false)
+            {
+                foreach ($database in (Get-SPEnterpriseSearchLinksDatabase -SearchApplication $serviceApp))
+                {
+                    $linksDB = $database.Database.Name
+                    $dbServer = $database.Database.NormalizedDataSource
+                    $farmAccountPermissionsNeedCorrecting = (Confirm-UserIsDBOwner -SQLServer $dbServer `
+                            -Database $linksDB `
+                            -User $farmAccount) -eq $false
+                }
+            }
+
             $returnVal = @{
                 Name                        = $serviceApp.DisplayName
                 ProxyName                   = $pName
@@ -154,6 +206,7 @@ function Get-TargetResource
                 DefaultContentAccessAccount = $defaultAccount
                 CloudIndex                  = $cloudIndex
                 AlertsEnabled               = $serviceApp.AlertsEnabled
+                FixFarmAccountPermissions   = $farmAccountPermissionsNeedCorrecting
             }
             return $returnVal
         }
@@ -211,6 +264,10 @@ function Set-TargetResource
         [System.Boolean]
         $AlertsEnabled,
 
+        [Parameter()]
+        [System.Boolean]
+        $FixFarmAccountPermissions = $true,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $DefaultContentAccessAccount,
@@ -222,12 +279,13 @@ function Set-TargetResource
 
     Write-Verbose -Message "Setting Search service application '$Name'"
 
+    $PSBoundParameters.FixFarmAccountPermissions = $FixFarmAccountPermissions
+
     $result = Get-TargetResource @PSBoundParameters
 
     if ($result.Ensure -eq "Absent" -and $Ensure -eq "Present")
     {
         # Create the service app as it doesn't exist
-
         Write-Verbose -Message "Creating Search Service Application $Name"
         Invoke-SPDscCommand -Credential $InstallAccount `
             -Arguments @($PSBoundParameters, $MyInvocation.MyCommand.Source) `
@@ -446,6 +504,87 @@ function Set-TargetResource
         }
     }
 
+    # Only check and correct when Ensure=Present, FixFarmAccountPermissions=True and the permissions are incorrect
+    if ($Ensure -eq "Present" -and `
+            $FixFarmAccountPermissions -eq $true -and `
+            $result.FixFarmAccountPermissions -eq $true)
+    {
+        Write-Verbose -Message "Fixing database permissions for Search Service Application $Name"
+        Invoke-SPDscCommand -Credential $InstallAccount `
+            -Arguments @($PSBoundParameters, $PSScriptRoot) `
+            -ScriptBlock {
+            $params = $args[0]
+            $scriptRoot = $args[1]
+
+            $modulePath = "..\..\Modules\SharePointDsc.Search\SPSearchServiceApp.psm1"
+            Import-Module -Name (Join-Path -Path $scriptRoot -ChildPath $modulePath -Resolve) -Verbose:$false
+
+            $serviceApp = Get-SPServiceApplication | Where-Object -FilterScript {
+                $_.Name -eq $params.Name -and `
+                    $_.GetType().FullName -eq "Microsoft.Office.Server.Search.Administration.SearchServiceApplication"
+            }
+
+            $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
+            $dbServer = $serviceApp.SearchAdminDatabase.NormalizedDataSource
+
+            Write-Verbose -Message "Checking and correcting Admin Database"
+            $adminDB = $serviceApp.SearchAdminDatabase.Name
+            if ((Confirm-UserIsDBOwner -SQLServer $dbServer `
+                        -Database $adminDB `
+                        -User $farmAccount) -eq $false)
+            {
+                Set-UserAsDBOwner -SQLServer $dbServer `
+                    -Database $adminDB `
+                    -User $farmAccount
+            }
+
+            Write-Verbose -Message "Checking and correcting Analytics reporting Database"
+            $analyticsDB = "$($adminDB)_AnalyticsReportingStore"
+            if ((Confirm-UserIsDBOwner -SQLServer $dbServer `
+                        -Database $analyticsDB `
+                        -User $farmAccount) -eq $false)
+            {
+                Set-UserAsDBOwner -SQLServer $dbServer `
+                    -Database $analyticsDB `
+                    -User $farmAccount
+            }
+
+            Write-Verbose -Message "Checking and correcting Crawl Database(s)"
+            foreach ($database in (Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $serviceApp))
+            {
+                $crawlDB = $database.Database.Name
+                Write-Verbose -Message "  * Processing $crawlDB"
+
+                $dbServer = $database.Database.NormalizedDataSource
+                if ((Confirm-UserIsDBOwner -SQLServer $dbServer `
+                            -Database $crawlDB `
+                            -User $farmAccount) -eq $false)
+                {
+                    Set-UserAsDBOwner -SQLServer $dbServer `
+                        -Database $crawlDB `
+                        -User $farmAccount
+                }
+            }
+
+            Write-Verbose -Message "Checking and correcting Links Database(s)"
+            foreach ($database in (Get-SPEnterpriseSearchLinksDatabase -SearchApplication $serviceApp))
+            {
+                $linksDB = $database.Database.Name
+                Write-Verbose -Message "  * Processing $linksDB"
+
+                $dbServer = $database.Database.NormalizedDataSource
+                if ((Confirm-UserIsDBOwner -SQLServer $dbServer `
+                            -Database $linksDB `
+                            -User $farmAccount) -eq $false)
+                {
+                    Set-UserAsDBOwner -SQLServer $dbServer `
+                        -Database $linksDB `
+                        -User $farmAccount
+                }
+            }
+        }
+    }
+
     if ($Ensure -eq "Absent")
     {
         # The service app should not exit
@@ -525,6 +664,10 @@ function Test-TargetResource
         [System.Boolean]
         $AlertsEnabled,
 
+        [Parameter()]
+        [System.Boolean]
+        $FixFarmAccountPermissions = $true,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $DefaultContentAccessAccount,
@@ -537,6 +680,7 @@ function Test-TargetResource
     Write-Verbose -Message "Testing Search service application '$Name'"
 
     $PSBoundParameters.Ensure = $Ensure
+    $PSBoundParameters.FixFarmAccountPermissions = $FixFarmAccountPermissions
 
     $CurrentValues = Get-TargetResource @PSBoundParameters
 
@@ -555,8 +699,18 @@ function Test-TargetResource
                     "Actual: $current Desired: $desired")
             Write-Verbose -Message $message
             Add-SPDscEvent -Message $message -EntryType 'Error' -EventID 1 -Source $MyInvocation.MyCommand.Source
+            return $false
+        }
+    }
 
-            Write-Verbose -Message "Desired: $desired. Current: $current."
+    if ($FixFarmAccountPermissions -eq $true)
+    {
+        if ($CurrentValues.FixFarmAccountPermissions -eq $true)
+        {
+            $message = ("FixFarmAccountPermissions is set to True, but the Search databases " + `
+                    "do not have the correct permissions")
+            Write-Verbose -Message $message
+            Add-SPDscEvent -Message $message -EntryType 'Error' -EventID 1 -Source $MyInvocation.MyCommand.Source
             return $false
         }
     }

SharePointDsc/DSCResources/MSFT_SPSearchServiceApp/MSFT_SPSearchServiceApp.schema.mof

@@ -10,9 +10,9 @@ class MSFT_SPSearchServiceApp : OMI_BaseResource
     [Write, Description("The default content access account for this search service app"), EmbeddedInstance("MSFT_Credential")] String DefaultContentAccessAccount;
     [Write, Description("Should this search service application be a cloud based service app")] boolean CloudIndex;
     [Write, Description("Should alerts be enabled for this search service application")] boolean AlertsEnabled;
+    [Write, Description("Should the permissions for the Farm account on the Search databases be corrected")] boolean FixFarmAccountPermissions;
     [Write, Description("Present if the service app should exist, absent if it should not"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
     [Write, Description("POWERSHELL 4 ONLY: The account to run this resource as, use PsDscRunAsCredential if using PowerShell 5"), EmbeddedInstance("MSFT_Credential")] String InstallAccount;
     [Write, Description("Should SQL Server authentication be used to connect to the database?")] Boolean UseSQLAuthentication;
     [Write, Description("If using SQL authentication, the SQL credentials to use to connect to the instance"), EmbeddedInstance("MSFT_Credential")] String DatabaseCredentials;
 };
-

SharePointDsc/DSCResources/MSFT_SPSearchServiceApp/readme.md

@@ -17,3 +17,9 @@ parameter, the service application is provisioned.
 NOTE: The WindowsServiceAccount parameter is deprecated and no longer does
 anything. The functionality for changing this account has been moved to
 SPSearchServiceSettings.
+
+NOTE2: The resource is also able to add the Farm account as db_owner to all
+Search databases, to prevent the issue described here:
+https://www.techmikael.com/2014/10/caution-if-you-have-used.html
+Use the FixFarmAccountPermissions parameter to implement this fix (default
+$true if not specified).