Private/Get-SqlAccountPolicy.ps1

# =============================================================================
# Script : Get-SqlAccountPolicy.ps1
# Author : Keith Ramsey
# =============================================================================
# Change Log
# -----------------------------------------------------------------------------
# 2026-05-09 Keith Ramsey Phase 2 release polish - DR-202 standard header applied.
# =============================================================================
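function Get-SqlAccountPolicy {
    <#
    .SYNOPSIS
        Returns the AD compliance policy (object class, name prefix or suffix, OU) for a named role.
    .DESCRIPTION
        The policy table maps role-policy keys to the rules Assert-SqlAccountStandard
        enforces. Phase 1 fills out the table to cover all twelve BTRD roles plus
        their gMSA variants where applicable.

        OU values are placeholders ('OU=ServiceAccounts,DC=Corp', 'OU=Clusters,DC=Corp')
        from the original spec; the gMSA entries use 'OU=GMSA,DC=Corp', presumably a
        placeholder as well. Real-world deployment customizes these via a
        configuration overlay (Phase 1.x candidate work).

        A key that is not in the table yields no policy ($null) rather than an error.
        The lookup uses a hashtable literal, so key matching is case-insensitive.
    .PARAMETER PolicyName
        Policy key, e.g., Std_Engine, Std_Engine_gMSA, Std_FCI_VNN, Std_SSAS,
        Std_SSAS_gMSA, Std_SSRS, Std_SSRS_gMSA, Std_SSIS, Std_FTS, Std_PolyBase,
        Std_Browser, Std_ReplayClient, Std_ReplayController, Std_QueryStore,
        Std_VSSWriter, Std_Agent, Std_Agent_gMSA.
    .OUTPUTS
        Hashtable with the keys Type and OU plus either Prefix or Suffix
        (Std_FCI_VNN is the only entry that carries Suffix), or $null when the
        key has no entry.
    .NOTES
        Callers that enforce the returned rules should treat a $null result as a
        failed check, not as "nothing to enforce": a mistyped or unmapped policy
        key must not let an account pass validation unexamined.
    #>

    [CmdletBinding()]
    param($PolicyName)

    # Placeholder OUs; see .DESCRIPTION.
    $svcUserOu  = 'OU=ServiceAccounts,DC=Corp'
    $clusterOu  = 'OU=Clusters,DC=Corp'
    $gmsaOu     = 'OU=GMSA,DC=Corp'

    # Type is the AD object class expected for the role. Every entry names a Prefix
    # except Std_FCI_VNN, a computer object that carries a Suffix ('$') instead.
    $Policies = @{
        'Std_Engine'             = @{ Prefix = 'svc_sql_';           Type = 'user';                                 OU = $svcUserOu }
        'Std_Engine_gMSA'        = @{ Prefix = 'gmsa_sql_';          Type = 'msDS-GroupManagedServiceAccount';      OU = $gmsaOu    }
        'Std_FCI_VNN'            = @{ Suffix = '$';                  Type = 'computer';                             OU = $clusterOu }
        'Std_SSAS'               = @{ Prefix = 'svc_as_';            Type = 'user';                                 OU = $svcUserOu }
        'Std_SSAS_gMSA'          = @{ Prefix = 'gmsa_as_';           Type = 'msDS-GroupManagedServiceAccount';      OU = $gmsaOu    }
        'Std_SSRS'               = @{ Prefix = 'svc_rs_';            Type = 'user';                                 OU = $svcUserOu }
        'Std_SSRS_gMSA'          = @{ Prefix = 'gmsa_rs_';           Type = 'msDS-GroupManagedServiceAccount';      OU = $gmsaOu    }
        'Std_SSIS'               = @{ Prefix = 'svc_is_';            Type = 'user';                                 OU = $svcUserOu }
        'Std_FTS'                = @{ Prefix = 'svc_fts_';           Type = 'user';                                 OU = $svcUserOu }
        'Std_PolyBase'           = @{ Prefix = 'svc_pb_';            Type = 'user';                                 OU = $svcUserOu }
        'Std_Browser'            = @{ Prefix = 'svc_brw_';           Type = 'user';                                 OU = $svcUserOu }
        'Std_ReplayClient'       = @{ Prefix = 'svc_drc_';           Type = 'user';                                 OU = $svcUserOu }
        'Std_ReplayController'   = @{ Prefix = 'svc_drs_';           Type = 'user';                                 OU = $svcUserOu }
        'Std_QueryStore'         = @{ Prefix = 'svc_qs_';            Type = 'user';                                 OU = $svcUserOu }
        'Std_VSSWriter'          = @{ Prefix = 'svc_vss_';           Type = 'user';                                 OU = $svcUserOu }
        'Std_Agent'              = @{ Prefix = 'svc_agt_';           Type = 'user';                                 OU = $svcUserOu }
        'Std_Agent_gMSA'         = @{ Prefix = 'gmsa_agt_';          Type = 'msDS-GroupManagedServiceAccount';      OU = $gmsaOu    }
    }

    # Surface a miss on the verbose stream so a mistyped key can be diagnosed; the
    # return below is unchanged, so existing callers still receive $null for it.
    # The $null test comes first because ContainsKey rejects a null key.
    if ($null -eq $PolicyName -or -not $Policies.ContainsKey($PolicyName)) {
        Write-Verbose "Get-SqlAccountPolicy: no policy entry for '$PolicyName'; returning no policy."
    }

    return $Policies[$PolicyName]
}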