functions/Set-DbaPrivilege.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
function Set-DbaPrivilege {
    <#
      .SYNOPSIS
      Adds the SQL Service account to local privileges on one or more computers.
 
      .DESCRIPTION
      Adds the SQL Service account to local privileges 'Lock Pages in Memory', 'Instant File Initialization', 'Logon as Batch' on one or more computers.
 
      Requires Local Admin rights on destination computer(s).
 
      .PARAMETER ComputerName
      The SQL Server (or server in general) that you're connecting to. This command handles named instances.
 
      .PARAMETER Credential
      Credential object used to connect to the computer as a different user.
 
      .PARAMETER EnableException
        By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
        This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
        Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
 
      .PARAMETER Type
      Use this to choose the privilege(s) to which you want to add the SQL Service account.
      Accepts 'IFI', 'LPIM' and/or 'BatchLogon' for local privileges 'Instant File Initialization', 'Lock Pages in Memory' and 'Logon as Batch'.
 
      .NOTES
      Author: Klaas Vandenberghe ( @PowerDBAKlaas )
      Tags: Privilege
      Website: https://dbatools.io
      Copyright: (C) Chrissy LeMaire, clemaire@gmail.com
      License: MIT https://opensource.org/licenses/MIT
 
    .LINK
      https://dbatools.io/Set-DbaPrivilege
 
      .EXAMPLE
      Set-DbaPrivilege -ComputerName sqlserver2014a -Type LPIM,IFI
 
      Adds the SQL Service account(s) on computer sqlserver2014a to the local privileges 'SeManageVolumePrivilege' and 'SeLockMemoryPrivilege'.
 
      .EXAMPLE
      'sql1','sql2','sql3' | Set-DbaPrivilege -Type IFI
 
      Adds the SQL Service account(s) on computers sql1, sql2 and sql3 to the local privilege 'SeManageVolumePrivilege'.
 
  #>

    [CmdletBinding()]
    Param (
        [parameter(ValueFromPipeline)]
        [Alias("cn", "host", "Server")]
        [dbainstanceparameter[]]$ComputerName = $env:COMPUTERNAME,
        [PSCredential]$Credential,
        [Parameter(Mandatory = $true)]
        [ValidateSet('IFI', 'LPIM', 'BatchLogon')]
        [string[]]$Type,
        [switch][Alias('Silent')]
        $EnableException
    )
    
    begin {
        $ResolveAccountToSID = @"
function Convert-UserNameToSID ([string] `$Acc ) {
`$objUser = New-Object System.Security.Principal.NTAccount(`"`$Acc`")
`$strSID = `$objUser.Translate([System.Security.Principal.SecurityIdentifier])
`$strSID.Value
}
"@

        $ComputerName = $ComputerName.ComputerName | Select-Object -Unique
    }
    process {
        foreach ($computer in $ComputerName) {
            try {
                Write-Message -Level Verbose -Message "Connecting to $computer"
                $null = Test-ElevationRequirement -ComputerName $Computer -Continue
                if (Test-PSRemoting -ComputerName $Computer) {
                    Write-Message -Level Verbose -Message "Exporting Privileges on $Computer"
                    Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
                        $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); secedit /export /cfg $temp\secpolByDbatools.cfg > $NULL;
                    }
                    Write-Message -Level Verbose -Message "Getting SQL Service Accounts on $computer"
                    $SQLServiceAccounts = (Get-DbaSqlService -ComputerName $computer -Type Engine).StartName
                    if ($SQLServiceAccounts.count -ge 1) {
                        Write-Message -Level Verbose -Message "Setting Privileges on $Computer"
                        Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -Verbose -ArgumentList $ResolveAccountToSID, $SQLServiceAccounts, $BatchLogon, $IFI, $LPIM -ScriptBlock {
                            [CmdletBinding()]
                            Param ($ResolveAccountToSID,
                                $SQLServiceAccounts,
                                $BatchLogon,
                                $IFI,
                                $LPIM)
                            . ([ScriptBlock]::Create($ResolveAccountToSID))
                            $temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
                            $tempfile = "$temp\secpolByDbatools.cfg"
                            if ('BatchLogon' -in $Type) {
                                $BLline = Get-Content $tempfile | Where-Object { $_ -match "SeBatchLogonRight" }
                                ForEach ($acc in $SQLServiceAccounts) {
                                    $SID = Convert-UserNameToSID -Acc $acc;
                                    if ($BLline -notmatch $SID) {
                                        (Get-Content $tempfile) -replace "SeBatchLogonRight = ", "SeBatchLogonRight = *$SID," |
                                        Set-Content $tempfile
                                        Write-Verbose "Added $acc to Batch Logon Privileges on $env:ComputerName"
                                    }
                                    else {
                                        Write-Warning "$acc already has Batch Logon Privilege on $env:ComputerName"
                                    }
                                }
                            }
                            if ('IFI' -in $Type) {
                                $IFIline = Get-Content $tempfile | Where-Object { $_ -match "SeManageVolumePrivilege" }
                                ForEach ($acc in $SQLServiceAccounts) {
                                    $SID = Convert-UserNameToSID -Acc $acc;
                                    if ($IFIline -notmatch $SID) {
                                        (Get-Content $tempfile) -replace "SeManageVolumePrivilege = ", "SeManageVolumePrivilege = *$SID," |
                                        Set-Content $tempfile
                                        Write-Verbose "Added $acc to Instant File Initialization Privileges on $env:ComputerName"
                                    }
                                    else {
                                        Write-Warning "$acc already has Instant File Initialization Privilege on $env:ComputerName"
                                    }
                                }
                            }
                            if ('LPIM' -in $Type) {
                                $LPIMline = Get-Content $tempfile | Where-Object { $_ -match "SeLockMemoryPrivilege" }
                                ForEach ($acc in $SQLServiceAccounts) {
                                    $SID = Convert-UserNameToSID -Acc $acc;
                                    if ($LPIMline -notmatch $SID) {
                                        (Get-Content $tempfile) -replace "SeLockMemoryPrivilege = ", "SeLockMemoryPrivilege = *$SID," |
                                        Set-Content $tempfile
                                        Write-Verbose "Added $acc to Lock Pages in Memory Privileges on $env:ComputerName"
                                    }
                                    else {
                                        Write-Warning "$acc already has Lock Pages in Memory Privilege on $env:ComputerName"
                                    }
                                }
                            }
                            $null = secedit /configure /cfg $tempfile /db secedit.sdb /areas USER_RIGHTS /overwrite /quiet
                        } -ErrorAction SilentlyContinue
                        Write-Message -Level Verbose -Message "Removing secpol file on $computer"
                        Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock { $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); Remove-Item $temp\secpolByDbatools.cfg -Force > $NULL }
                    }
                    else {
                        Write-Message -Level Warning -Message "No SQL Service Accounts found on $Computer"
                    }
                }
                else {
                    Write-Message -Level Warning -Message "Failed to connect to $Computer"
                }
            }
            catch {
                Stop-Function -Continue -Message "Failure" -ErrorRecord $_ -Target $computer -Continue
            }
        }
    }
}