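# Pester tests for Disable-ActiveDirectoryAccount.
#
# Set-ADUser, Set-ADServiceAccount and Write-Warning are mocked with empty bodies below,
# so every assertion in this file counts calls to those mocks.
. $PSScriptRoot\..\..\Load-PesterModules.ps1

# Locate the script under test: same directory, same file name minus the '.tests' segment.
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.tests\.', '.'
$functionPath = Join-Path -Path $here -ChildPath $sut

Write-Host "Overriding SUT: $functionPath"
Import-Module $functionPath -Force

# Passed as -ModuleName to every Mock / Assert-MockCalled call in this file.
$moduleForMock = ""

# Supplies the Microsoft.ActiveDirectory.Management.ADUser type used by the fixture.
Import-Module ActiveDirectory

Describe "Disable-ActiveDirectoryAccount" {
    $fakeAccountName = "FakeyMcFakeAccount"

    # Builds a fresh in-memory ADUser for each test. As returned, the account is DISABLED
    # and carries a Managed Service Accounts distinguished name; tests flip Enabled or the
    # DistinguishedName when they need a different starting state.
    function Get-CleanTestUser {
        $fakeAccountName = "FakeyMcFakeAccount"

        $testUser = New-Object Microsoft.ActiveDirectory.Management.ADUser
        $testUser.DistinguishedName = "CN=$fakeAccountName,CN=Managed Service Accounts,DC=foo,DC=bar"
        $testUser.Enabled = $false
        $testUser.ObjectClass = "msDS-GroupManagedServiceAccount"
        $testUser.ObjectGUID = "deadbeef-dead-beef-dead-beef00000075"
        $testUser.SamAccountName = "fake.mcfakeuser$"
        $testUser.SID = "S-1-2-34-5678901234-5678901234-5678901234-56789"
        $testUser.UserPrincipalName = ""

        # This property is 'read-only', so it is set through the Item() indexer instead.
        $testUser.Item('Name').Value = $fakeAccountName

        return $testUser
    }

    Mock -CommandName Get-LogLeadName -ModuleName $moduleForMock -MockWith { return 'Disable-ActiveDirectoryAccount.tests' }
    Mock -CommandName Set-ADUser -ModuleName $moduleForMock -MockWith { }
    Mock -CommandName Set-ADServiceAccount -ModuleName $moduleForMock -MockWith { }
    Mock -CommandName Write-Warning -ModuleName $moduleForMock -MockWith { }

    Context "User Permissions" {
        # NOTE(review): Test-IsUserDomainAdmin is mocked, so this covers only the function's
        # own guard; the permissions configured in the directory remain the actual
        # enforcement point for who can disable an account.
        It "Writes a Warning and Exits Early if the User Does Not Have Domain Admin Rights" {
            Mock Test-IsUserDomainAdmin -ModuleName $moduleForMock -MockWith { return $false }

            $testUser = Get-CleanTestUser
            # Start from an ENABLED account. The fixture defaults to disabled, and the
            # "already disabled" test in the Logic context expects zero Set-AD* calls for
            # that state too, so with a disabled account the zero-call assertions below
            # would pass even if the function kept running after the privilege warning.
            $testUser.Enabled = $true

            Disable-ActiveDirectoryAccount $testUser

            Assert-MockCalled -ModuleName $moduleForMock -CommandName Write-Warning `
                -ParameterFilter { $Message -match "You must have domain administrative privileges" } -Times 1 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADServiceAccount -Times 0 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADUser -Times 0 -Exactly -Scope It
        }
    }

    Context "Logic" {
        # Every test in this context runs as if the caller passed the domain-admin check.
        Mock Test-IsUserDomainAdmin -ModuleName $moduleForMock -MockWith { return $true }

        It "Writes a Warning and Does Not Disable the User if it is Already Disabled" {
            # The fixture is disabled by default, so no changes are needed here.
            $testUser = Get-CleanTestUser

            Disable-ActiveDirectoryAccount $testUser

            Assert-MockCalled -ModuleName $moduleForMock -CommandName Write-Warning `
                -ParameterFilter { $Message -match "already disabled" } -Times 1 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADServiceAccount -Times 0 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADUser -Times 0 -Exactly -Scope It
        }

        It "Disables the Service Account User if they are Enabled" {
            $testUser = Get-CleanTestUser
            $testUser.Enabled = $true

            Disable-ActiveDirectoryAccount $testUser

            # Exactly one call, targeting the fake account, with Enabled set to $false.
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADServiceAccount -Times 1 -Exactly -Scope It `
                -ParameterFilter { ($Identity -match "$fakeAccountName") -and ($Enabled -eq $false) }
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Write-Warning -Times 0 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADUser -Times 0 -Exactly -Scope It
        }

        It "Disables the Standard Account User if they are Enabled" {
            $testUser = Get-CleanTestUser
            $testUser.Enabled = $true
            # NOTE(review): only the DistinguishedName is moved to CN=Users; ObjectClass is
            # still 'msDS-GroupManagedServiceAccount' from the fixture. Confirm which
            # property the function uses to tell a service account from a standard user.
            $testUser.DistinguishedName = "CN=$fakeAccountName,CN=Users,DC=foo,DC=bar"

            Disable-ActiveDirectoryAccount $testUser

            # Exactly one call, targeting the fake account, with Enabled set to $false.
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADUser -Times 1 -Exactly -Scope It `
                -ParameterFilter { ($Identity -match "$fakeAccountName") -and ($Enabled -eq $false) }
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Write-Warning -Times 0 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADServiceAccount -Times 0 -Exactly -Scope It
        }
    }
}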