Skip to content

indented-automation/Indented.SecurityPolicy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build status

Indented.SecurityPolicy

This module provides commands and DSC resources for manipulating and maintaining User Rights Assignment, Security Options, and Group Managed Service Account installation.

Installation

Install-Module Indented.SecurityPolicy

Commands

The commands below are exported by this module.

User rights

Security Option

Service accounts

DSC resources

The following DSC resources are made available.

GroupManagedServiceAccount

  • Ensure - Optional. Present by default.
  • Name - Mandatory. The SamAccountName of the account to install.

Example usage:

GroupManagedServiceAccount AccountName {
    Ensure = 'Present'
    Name   = 'Username$'
}

RegistryPolicy

  • Ensure - Optional. Present by default.
  • Name - Key. The name of the policy, a registry value.
  • Path - Key. The path to the registry key.
  • Data - Optional. Should be defined if Ensure is present.
  • ValueType - Optional. String by default. Permissible values: String, DWord, QWord, MultiString, and Binary.

A helper resource used to configure arbitrary policies.

RegistryPolicy LocalAccountTokenFilterPolicy {
    Ensure    = 'Present'
    Name      = 'LocalAccountTokenFilterPolicy'
    Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Data      = 0
    ValueType = 'DWord'
}

SecurityOption

  • Ensure - Optional. Present by default.
  • Name - Key. The name or descriptive name of the policy. See Resolve-SecurityOption.
  • Value - Optional. Should be defined if Ensure is present. A value consistent with the value type for the option.

Policies may be referenced either using the short name, see Resolve-SecurityOption, or the long policy name.

Example usage:

SecurityOption EnableLUA {
    Ensure = 'Present'
    Name   = 'EnableLUA'
    Value  = 'Enabled'
}

SecurityOption ShutdownWithoutLogon {
    Ensure = 'Present'
    Name   = 'Shutdown: Allow system to be shut down without having to log on'
    Value  = 'Enabled'
}

UserRightAssignment

  • Ensure - Optional. Present by default.
  • Name - Mandatory. The name or descriptive name of a policy.
  • AccountName - An array of accounts to add or remove. To clear the right, set Ensure to absent, and leave this list empty.
  • Replace - By default principals are added to, or removed from, the list. Setting replace to true rewrites the list.
  • Description - NotConfigurable Set by the resource to the descriptive name of the policy.

Rights may be referenced either using the short name, see Resolve-UserRight, or the long right name.

Example usage:

UserRightAssignment SeMachineAccountPrivilege {
    Ensure      = 'Present'
    Name        = 'Add workstations to domain'
    AccountName = 'Account1', 'Account2'
}

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Packages

No packages published