Computer: Delete existing AD Computer object when joining Computer to Domain

CHANGELOG.md

@@ -4,6 +4,8 @@ The format is based on and uses the types of changes according to [Keep a Change
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+- Computer
+  - When joining a computer to a domain, existing AD computer objects will be deleted.
 
 ### Added
 - Computer

source/DSCResources/DSC_Computer/DSC_Computer.psm1

@@ -263,6 +263,15 @@ function Set-TargetResource
                     $addComputerParameters.Add("Server", $Server)
                 }
 
+                # Check for existing computer objecst using ADSI without ActiveDirectory module
+                $computerObject = Get-ADSIComputer -Name $Name -DomainName $DomainName -Credential $Credential
+
+                if ($computerObject)
+                {
+                    Delete-ADSIObject -Path $computerObject.Path -Credential $Credential
+                    Write-Verbose -Message ($script:localizedData.DeletedExistingComputerObject -f $Name, $computerObject.Path)
+                }
+
                 if (-not [System.String]::IsNullOrEmpty($Options))
                 {
                     <#
@@ -680,6 +689,115 @@ function Get-LogonServer
     return $logonserver
 }
 
+<#
+    .SYNOPSIS
+        Returns an ADSI Computer Object.
+
+    .PARAMETER Name
+        Name of the computer to search for in the given domain.
+
+    .PARAMETER Domain
+        Domain to search.
+
+    .PARAMETER Credential
+        Credential to search domain with.
+#>
+function Get-ADSIComputer
+{
+    [CmdletBinding()]
+    [OutputType([System.DirectoryServices.SearchResult])]
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [ValidateLength(1, 15)]
+        [ValidateScript( { $_ -inotmatch '[\/\\:*?"<>|]' })]
+        [System.String]
+        $Name,
+
+        [Parameter(Mandatory = $true)]
+        [System.String]
+        $DomainName,
+
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $Credential
+    )
+
+    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
+    $searcher.Filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$Name))"
+    if ($DomainName -notlike "LDAP://*")
+    {
+        $DomainName = "LDAP://$DomainName"
+    }
+
+    $params = @{
+        TypeName     = 'System.DirectoryServices.DirectoryEntry'
+        ArgumentList = @(
+            $DomainName,
+            $Credential.UserName,
+            $Credential.GetNetworkCredential().password
+        )
+        ErrorAction  = 'Stop'
+    }
+    $searchRoot = New-Object @params
+    $searcher.SearchRoot = $searchRoot
+
+    try
+    {
+        return $searcher.FindOne()
+    }
+    catch
+    {
+        New-InvalidOperationException -Message ($script:localizedData.InvalidUserNameorPassword -f $Credential.Username)
+    }
+}
+
+<#
+    .SYNOPSIS
+        Deletes an ADSI DirectoryEntry Object.
+
+    .PARAMETER Path
+        Path to Object to delete.
+
+    .PARAMETER Credential
+        Credential to authenticate to the domain.
+#>
+function Delete-ADSIObject
+{
+    [CmdletBinding()]
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [ValidateScript( { $_ -imatch "LDAP://*" })]
+        [System.String]
+        $Path,
+
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $Credential
+    )
+
+    try
+    {
+        $params = @{
+            TypeName     = 'System.DirectoryServices.DirectoryEntry'
+            ArgumentList = @(
+                $DomainName,
+                $Credential.UserName
+                $Credential.GetNetworkCredential().password
+            )
+            ErrorAction  = 'Stop'
+        }
+        $adsiObj = New-Object @params
+
+        $adsiObj.DeleteTree()
+    }
+    catch
+    {
+        New-InvalidOperationException -Message $_.Exception.Message -ErrorRecord $_
+    }
+}
+
 Export-ModuleMember -Function *-TargetResource
 
 <#

source/DSCResources/DSC_Computer/en-US/DSC_Computer.strings.psd1

@@ -16,6 +16,8 @@ ConvertFrom-StringData @'
     CheckingWorkgroupMemberMessage = Checking if the machine is a member of workgroup '{0}'.
     DomainNameAndWorkgroupNameError = Only DomainName or WorkGroupName can be specified at once.
     ComputerNotInDomainMessage = This machine is not a domain member.
+    DeletedExistingComputerObject = Deleted existing computer object with name '{0}' at path '{1}'.
     InvalidOptionPasswordPassUnsecuredJoin = Domain Join option 'PasswordPass' may not be specified if 'UnsecuredJoin' is specified.
     InvalidOptionCredentialUnsecuredJoinNullUsername = 'Credential' username must be null if 'UnsecuredJoin' is specified.
+    InvalidUserNameorPassword = Password specified for UserName {0} is invalid.
 '@