dscResources/common/windows.UserRightsAssignment.ps1
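#region Header
# Select the UserRightRule entries from the STIG data supplied by the caller.
$rules = Get-RuleClassData -StigData $StigData -Name UserRightRule
#endregion Header

#region Resource
# Maps the identity names found in rule data to the account names handed to the
# UserRightsAssignment resource. '{0}' is replaced with the NetBIOS domain name.
# The table is the same for every rule, so it is built once, outside the loop.
$groupTranslation = @{
    'Administrators'                      = 'Builtin\Administrators'
    'Auditors'                            = '{0}\auditors'
    'Authenticated Users'                 = 'Authenticated Users'
    'Domain Admins'                       = '{0}\Domain Admins'
    'Enterprise Admins'                   = '{0}\Enterprise Admins'
    'Guests'                              = 'Guests'
    'Local Service'                       = 'NT Authority\Local Service'
    'Network Service'                     = 'NT Authority\Network Service'
    'NT Service\WdiServiceHost'           = 'NT Service\WdiServiceHost'
    # 'NULL' translates to an empty identity string, which is still added to the
    # list; presumably this expresses "no account holds this right" - confirm.
    'NULL'                                = ''
    'Security'                            = '{0}\security'
    'Service'                             = 'Service'
    'Window Manager\Window Manager Group' = 'Window Manager\Window Manager Group'
}

foreach ($rule in $rules)
{
    # This requires a local domain name to be injected to ensure a valid account name.
    # Kept inside the loop so the lookup is not attempted when there are no rules.
    # NOTE(review): PowerShell variable names are case-insensitive, so this assignment
    # overwrites $DomainName with its NetBIOS form. Later iterations, and any code that
    # shares this scope, then see the converted value - confirm that is intended.
    $domainName = Get-DomainName -Name $DomainName -Format 'NetbiosName'

    [System.Collections.ArrayList] $IdentityList = @()
    foreach ($rawIdentity in ($rule.Identity -split ","))
    {
        # Tolerate whitespace around the comma separators. No key in the table has
        # leading or trailing whitespace, so an untrimmed entry could never match.
        $identity = $rawIdentity.Trim()

        # ContainsKey plus the indexer looks at keys only. Dot access
        # ($groupTranslation.$identity) falls back to Hashtable members such as
        # Keys, Values or Count when no key of that name exists.
        if (-not $groupTranslation.ContainsKey($identity))
        {
            # An identity without a translation is left out of the assignment, so
            # the compiled policy can differ from what the rule lists. Surface
            # that instead of dropping the entry silently.
            if ($identity)
            {
                Write-Warning -Message (
                    "UserRightsAssignment '{0}': identity '{1}' has no translation and was left out of the assignment." -f
                    $rule.DisplayName, $identity
                )
            }
            continue
        }

        [void] $IdentityList.Add($groupTranslation[$identity] -f $domainName)
    }

    UserRightsAssignment (Get-ResourceTitle -Rule $rule)
    {
        # The policy name is the rule's display name with spaces replaced by underscores.
        Policy   = ($rule.DisplayName -replace " ", "_")
        Identity = $IdentityList
    }
}
#endregion Resource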