functions/Set-DbaPrivilege.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
function Set-DbaPrivilege {
  <#
      .SYNOPSIS
      Adds the SQL Service account to local privileges on one or more computers.
 
      .DESCRIPTION
      Adds the SQL Service account to local privileges 'Lock Pages in Memory', 'Instant File Initialization', 'Logon as Batch' on one or more computers.
 
      Requires Local Admin rights on destination computer(s).
 
      .PARAMETER ComputerName
      The SQL Server (or server in general) that you're connecting to. This command handles named instances.
 
      .PARAMETER Credential
      Credential object used to connect to the computer as a different user.
  
   .PARAMETER Silent
   Use this switch to disable any kind of verbose messages.
  
   .PARAMETER Type
   Use this to choose the privilege(s) to which you want to add the SQL Service account.
      Accepts 'IFI', 'LPIM' and/or 'BatchLogon' for local privileges 'Instant File Initialization', 'Lock Pages in Memory' and 'Logon as Batch'.
 
      .NOTES
      Author: Klaas Vandenberghe ( @PowerDBAKlaas )
      Tags: Privilege
      Website: https://dbatools.io
   Copyright: (C) Chrissy LeMaire, clemaire@gmail.com
   License: GNU GPL v3 https://opensource.org/licenses/GPL-3.0
       
 .LINK
      https://dbatools.io/Set-DbaPrivilege
 
      .EXAMPLE
      Set-DbaPrivilege -ComputerName sqlserver2014a -Type LPIM,IFI
 
      Adds the SQL Service account(s) on computer sqlserver2014a to the local privileges 'SeManageVolumePrivilege' and 'SeLockMemoryPrivilege'.
 
      .EXAMPLE
      'sql1','sql2','sql3' | Set-DbaPrivilege -Type IFI
 
      Adds the SQL Service account(s) on computers sql1, sql2 and sql3 to the local privilege 'SeManageVolumePrivilege'.
 
  #>

    [CmdletBinding()]
    Param (
        [parameter(ValueFromPipeline)]
        [Alias("cn", "host", "Server")]
        [dbainstanceparameter[]]$ComputerName = $env:COMPUTERNAME,
        [PSCredential]$Credential,
        [Parameter(Mandatory=$true)]
        [ValidateSet('IFI','LPIM','BatchLogon')]
        [string[]]$Type,
        [switch]$Silent
    )
    
    begin {
        $ResolveAccountToSID = @"
function Convert-UserNameToSID ([string] `$Acc ) {
`$objUser = New-Object System.Security.Principal.NTAccount(`"`$Acc`")
`$strSID = `$objUser.Translate([System.Security.Principal.SecurityIdentifier])
`$strSID.Value
}
"@

        $ComputerName = $ComputerName.ComputerName | Select-Object -Unique
    }
    process {
        foreach ($computer in $ComputerName) {
            Write-Message -Level Verbose -Message "Connecting to $computer"
            $null = Test-ElevationRequirement -ComputerName $Computer -Continue
            if (Test-PSRemoting -ComputerName $Computer) {
                Write-Message -Level Verbose -Message "Exporting Privileges on $Computer"
                Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
                    $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); secedit /export /cfg $temp\secpolByDbatools.cfg > $NULL;
                }
                Write-Message -Level Verbose -Message "Getting SQL Service Accounts on $computer"
                $SQLServiceAccounts = (Get-DbaSqlService -ComputerName $computer -Type Engine).StartName
                if ( $SQLServiceAccounts.count -ge 1 ) {
                    Write-Message -Level Verbose -Message "Setting Privileges on $Computer"
                    Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -Verbose -ArgumentList $ResolveAccountToSID, $SQLServiceAccounts, $BatchLogon, $IFI, $LPIM -ScriptBlock {
                        [CmdletBinding()]
                        Param ($ResolveAccountToSID, $SQLServiceAccounts, $BatchLogon, $IFI, $LPIM)
                        . ([ScriptBlock]::Create($ResolveAccountToSID))
                        $temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
                        $tempfile = "$temp\secpolByDbatools.cfg"
                        if ( 'BatchLogon' -in $Type ) {
                            $BLline = Get-Content $tempfile | Where-Object { $_ -match "SeBatchLogonRight" }
                            ForEach ( $acc in $SQLServiceAccounts ) {
                                $SID = Convert-UserNameToSID -Acc $acc;
                                if ( $BLline -notmatch $SID ) {
                                    (Get-Content $tempfile) -replace "SeBatchLogonRight = ","SeBatchLogonRight = *$SID," |
                                    Set-Content $tempfile
                                    Write-Verbose "Added $acc to Batch Logon Privileges on $env:ComputerName"
                                }
                                else {
                                    Write-Warning "$acc already has Batch Logon Privilege on $env:ComputerName"
                                }
                            }
                        }
                        if ( 'IFI' -in $Type ) {
                            $IFIline = Get-Content $tempfile | Where-Object { $_ -match "SeManageVolumePrivilege" }
                            ForEach ( $acc in $SQLServiceAccounts ) {
                                $SID = Convert-UserNameToSID -Acc $acc;
                                if ( $IFIline -notmatch $SID ) {
                                    (Get-Content $tempfile) -replace "SeManageVolumePrivilege = ","SeManageVolumePrivilege = *$SID," |
                                    Set-Content $tempfile
                                    Write-Verbose "Added $acc to Instant File Initialization Privileges on $env:ComputerName"
                                }
                                else {
                                    Write-Warning "$acc already has Instant File Initialization Privilege on $env:ComputerName"
                                }
                            }
                        }
                        if ( 'LPIM' -in $Type ) {
                            $LPIMline = Get-Content $tempfile | Where-Object { $_ -match "SeLockMemoryPrivilege" }
                            ForEach ( $acc in $SQLServiceAccounts ) {
                                $SID = Convert-UserNameToSID -Acc $acc;
                                if ( $LPIMline -notmatch $SID ) {
                                    (Get-Content $tempfile) -replace "SeLockMemoryPrivilege = ","SeLockMemoryPrivilege = *$SID," |
                                    Set-Content $tempfile
                                    Write-Verbose "Added $acc to Lock Pages in Memory Privileges on $env:ComputerName"
                                }
                                else {
                                    Write-Warning "$acc already has Lock Pages in Memory Privilege on $env:ComputerName"
                                }
                            }
                        }
                        $null = secedit /configure /cfg $tempfile /db secedit.sdb /areas USER_RIGHTS /overwrite /quiet
                    } -ErrorAction SilentlyContinue
                    Write-Message -Level Verbose -Message "Removing secpol file on $computer"
                    Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock { $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); Remove-Item $temp\secpolByDbatools.cfg -Force > $NULL }
                }
                else {
                    Write-Message -Level Warning -Message "No SQL Service Accounts found on $Computer"
                }
            }
            else {
                Write-Message -Level Warning -Message "Failed to connect to $Computer"
            }
        }
    }
}