Indented.SecurityPolicy

This module provides commands and DSC resources for manipulating and maintaining User Rights Assignment, Security Options, and Group Managed Service Account installation.

Installation

Install-Module Indented.SecurityPolicy

Commands

The commands below are exported by this module.

User rights

Security Option

Service accounts

DSC resources

The following DSC resources are made available.

GroupManagedServiceAccount

  • Ensure - Optional. Present by default.
  • Name - Mandatory. The SamAccountName of the account to install.

Example usage:

GroupManagedServiceAccount AccountName {
    Ensure = 'Present'
    Name   = 'Username$'
}

RegistryPolicy

  • Ensure - Optional. Present by default.
  • Name - Key. The name of the policy, a registry value.
  • Path - Key. The path to the registry key.
  • Data - Optional. Should be defined if Ensure is present.
  • ValueType - Optional. String by default. Permissible values: String, DWord, QWord, MultiString, and Binary.

A helper resource used to configure arbitrary policies.

RegistryPolicy LocalAccountTokenFilterPolicy {
    Ensure    = 'Present'
    Name      = 'LocalAccountTokenFilterPolicy'
    Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Data      = 0
    ValueType = 'DWord'
}

SecurityOption

  • Ensure - Optional. Present by default.
  • Name - Key. The name or descriptive name of the policy. See Resolve-SecurityOption.
  • Value - Optional. Should be defined if Ensure is present. A value consistent with the value type for the option.

Policies may be referenced either using the short name, see Resolve-SecurityOption, or the long policy name.

Example usage:

SecurityOption EnableLUA {
    Ensure = 'Present'
    Name   = 'EnableLUA'
    Value  = 'Enabled'
}

SecurityOption ShutdownWithoutLogon {
    Ensure = 'Present'
    Name   = 'Shutdown: Allow system to be shut down without having to log on'
    Value  = 'Enabled'
}

UserRightAssignment

  • Ensure - Optional. Present by default.
  • Name - Mandatory. The name or descriptive name of a policy.
  • AccountName - An array of accounts to add or remove. To clear the right, set Ensure to absent, and leave this list empty.
  • Replace - By default principals are added to, or removed from, the list. Setting replace to true rewrites the list.
  • Description - Not configurable. Set by the resource to the descriptive name of the policy.

Rights may be referenced either using the short name, see Resolve-UserRight, or the long right name.

Example usage:

UserRightAssignment SeMachineAccountPrivilege {
    Ensure      = 'Present'
    Name        = 'Add workstations to domain'
    AccountName = 'Account1', 'Account2'
}
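
A fuller configuration, added here as an example and not taken from the module's own documentation, showing the Replace and Ensure = 'Absent' behaviours of UserRightAssignment described above together with the SecurityOption and RegistryPolicy resources. The configuration name, the right names 'Debug programs' and 'Act as part of the operating system', the BUILTIN\Administrators principal and the output path are assumptions; confirm right names with Resolve-UserRight.

```powershell
# Added example, not the module's own code. Right names and principals are
# assumptions; check them with Resolve-UserRight before use.
Configuration SecurityBaseline {
    Import-DscResource -ModuleName Indented.SecurityPolicy

    Node localhost {
        # Replace = $true rewrites the list, so any principal granted the
        # right outside this configuration is removed when it is applied.
        UserRightAssignment DebugPrograms {
            Ensure      = 'Present'
            Name        = 'Debug programs'
            AccountName = 'BUILTIN\Administrators'
            Replace     = $true
        }

        # Ensure = 'Absent' with no AccountName clears the right entirely.
        UserRightAssignment ActAsPartOfOperatingSystem {
            Ensure = 'Absent'
            Name   = 'Act as part of the operating system'
        }

        SecurityOption EnableLUA {
            Ensure = 'Present'
            Name   = 'EnableLUA'
            Value  = 'Enabled'
        }

        # 0 keeps UAC remote restrictions on: local administrator accounts
        # receive a filtered token when they connect over the network.
        RegistryPolicy LocalAccountTokenFilterPolicy {
            Ensure    = 'Present'
            Name      = 'LocalAccountTokenFilterPolicy'
            Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            Data      = 0
            ValueType = 'DWord'
        }
    }
}

# Compile to a MOF, apply it, then report any resource that has drifted.
$mofPath = Join-Path $env:TEMP 'SecurityBaseline'   # assumed output location
SecurityBaseline -OutputPath $mofPath | Out-Null
Start-DscConfiguration -Path $mofPath -Wait -Verbose -Force
Test-DscConfiguration -Detailed |
    Select-Object InDesiredState, ResourcesNotInDesiredState
```

Running Test-DscConfiguration on a schedule gives a simple drift check: a principal added to a right outside the configuration shows up under ResourcesNotInDesiredState.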