DSC resource for managing privileges.
Carbon_Privilege [String] #ResourceName
{
Identity = [string]
[DependsOn = [string[]]]
[Ensure = [string]{ Absent | Present }]
[Privilege = [string[]]]
[PsDscRunAsCredential = [PSCredential]]
}
The Carbon_Privilege resource manages privileges, i.e. the system operations and logons a user or group can perform.
Privileges are granted by default. The user/group is granted only the privileges specified by the Privilege property. All other privileges are revoked.
To revoke all a user's privileges, set the Ensure property to Absent. To revoke specific privileges, grant the user just the desired privileges. All others are revoked.
Privilege names are case-sensitive. Valid privileges are documented on Microsoft's website: Privilege Constants and Account Right Constants. Here is the most current list, as of August 2014:
Carbon_Privilege is new in Carbon 2.0.
| Name | Type | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|---|
| Identity | String | The identity of the principal whose privileges to set. |
true | false | |
| Privilege | String[] | The user's expected/desired privileges. Privilege names are case-sensitive. Ignored when |
false | false | @() |
| Ensure | String | Should the user exist or not exist? |
false | false | Present |
| WhatIf | SwitchParameter | false | false | ||
| Confirm | SwitchParameter | false | false | ||
| CommonParameters | This cmdlet supports common parameters. For more information type Get-Help about_CommonParameters. |
Demonstrates how to grant a service user the ability to log in as a service.
Carbon_Privilege GrantServiceLogonPrivileges
{
Identity = 'CarbonServiceUser'
Privilege = 'SeBatchLogonRight','SeServiceLogonRight';
}
Demonstrates how to revoke all a user/group's privileges. To revoke specific privileges, grant just the privileges you want. All other privileges are revoked.
Carbon_Privilege RevokePrivileges
{
Identity = 'CarbonServiceUser'
Ensure = 'Absent'
}