This module provides commands and DSC resources for manipulating and maintaining User Rights Assignment, Security Options, and Group Managed Service Account installation.
Install-Module Indented.SecurityPolicy
The commands below are exported by this module.
- Clear-UserRight
- Get-AssignedUserRight
- Get-UserRight
- Grant-UserRight
- Resolve-UserRight
- Revoke-UserRight
- Set-UserRight
- Install-GroupManagedServiceAccount
- Test-GroupManagedServiceAccount
- Uninstall-GroupManagedServiceAccount
The following DSC resources are made available.
GroupManagedServiceAccount
- Ensure - Optional. Present by default.
- Name - Mandatory. The SamAccountName of the account to install.
Example usage:
GroupManagedServiceAccount AccountName {
    Ensure = 'Present'
    Name   = 'Username$'
}
RegistryPolicy
- Ensure - Optional. Present by default.
- Name - Key. The name of the policy, a registry value.
- Path - Key. The path to the registry key.
- Data - Optional. Should be defined if Ensure is present.
- ValueType - Optional. String by default. Permissible values: String, DWord, QWord, MultiString, and Binary.
A helper resource used to configure arbitrary policies.
RegistryPolicy LocalAccountTokenFilterPolicy {
    Ensure    = 'Present'
    Name      = 'LocalAccountTokenFilterPolicy'
    Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Data      = 0
    ValueType = 'DWord'
}
SecurityOption
- Ensure - Optional. Present by default.
- Name - Key. The name or descriptive name of the policy. See Resolve-SecurityOption.
- Value - Optional. Should be defined if Ensure is present. A value consistent with the value type for the option.
Policies may be referenced either using the short name, see Resolve-SecurityOption, or the long policy name.
Example usage:
SecurityOption EnableLUA {
    Ensure = 'Present'
    Name   = 'EnableLUA'
    Value  = 'Enabled'
}
SecurityOption ShutdownWithoutLogon {
    Ensure = 'Present'
    Name   = 'Shutdown: Allow system to be shut down without having to log on'
    Value  = 'Enabled'
}
UserRightAssignment
- Ensure - Optional. Present by default.
- Name - Mandatory. The name or descriptive name of a policy.
- AccountName - An array of accounts to add or remove. To clear the right, set Ensure to Absent and leave this list empty.
- Replace - By default, principals are added to, or removed from, the list. Setting Replace to true rewrites the list.
- Description - NotConfigurable. Set by the resource to the descriptive name of the policy.
Rights may be referenced either using the short name, see Resolve-UserRight, or the long right name.
Example usage:
UserRightAssignment SeMachineAccountPrivilege {
    Ensure      = 'Present'
    Name        = 'Add workstations to domain'
    AccountName = 'Account1', 'Account2'
}
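The Ensure, AccountName and Replace behaviours described for UserRightAssignment, combined in one configuration. This is an added example, not taken from the module's own documentation. It assumes Windows PowerShell 5.1 running elevated, that the `Se*` constants are the short names Resolve-UserRight accepts, and that the rights and accounts chosen (other than `Account1`, which comes from the example above) are illustrative.

```powershell
# Added example: a user rights baseline built from the UserRightAssignment resource.
Configuration UserRightsBaseline {
    Import-DscResource -ModuleName Indented.SecurityPolicy

    Node 'localhost' {
        # Replace = $true rewrites the list: any principal not named here loses the right.
        UserRightAssignment DebugPrograms {
            Ensure      = 'Present'
            Name        = 'SeDebugPrivilege'   # short name (assumed resolvable by Resolve-UserRight)
            AccountName = 'BUILTIN\Administrators'
            Replace     = $true
        }

        # Replace not set: the account is added and existing entries are left in place.
        UserRightAssignment DenyNetworkLogon {
            Ensure      = 'Present'
            Name        = 'Deny access to this computer from the network'
            AccountName = 'BUILTIN\Guests'
        }

        # Ensure = 'Absent' with an account list removes only the listed principals.
        UserRightAssignment RemoveDomainJoin {
            Ensure      = 'Absent'
            Name        = 'Add workstations to domain'
            AccountName = 'Account1'
        }

        # Ensure = 'Absent' with no AccountName clears the right entirely.
        UserRightAssignment ClearActAsOS {
            Ensure = 'Absent'
            Name   = 'SeTcbPrivilege'
        }
    }
}

# Compile to a MOF, apply it, then report any resource that is out of its desired state.
$mofPath = Join-Path -Path $env:TEMP -ChildPath 'UserRightsBaseline'
UserRightsBaseline -OutputPath $mofPath | Out-Null
Start-DscConfiguration -Path $mofPath -Wait -Verbose -Force
Test-DscConfiguration -Detailed
```

Because `Replace = $true` removes every principal not listed, review the current assignment with Get-UserRight before applying it to rights that service accounts depend on.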