DSC resource for managing privileges.


Carbon_Privilege [String] #ResourceName
    Identity = [string]
    [DependsOn = [string[]]]
    [Ensure = [string]{ Absent | Present }]
    [Privilege = [string[]]]
    [PsDscRunAsCredential = [PSCredential]]


The Carbon_Privilege resource manages privileges, i.e. the system operations and logons a user or group can perform.

Privileges are granted by default. The user/group is granted only the privileges specified by the Privilege property. All other privileges are revoked.

To revoke all a user's privileges, set the Ensure property to Absent. To revoke specific privileges, grant the user just the desired privileges. All others are revoked.

Privilege names are case-sensitive. Valid privileges are documented on Microsoft's website: Privilege Constants and Account Right Constants. Here is the most current list, as of August 2014:

Carbon_Privilege is new in Carbon 2.0.

Related Commands


Name Type Description Required? Pipeline Input Default Value
Identity String

The identity of the principal whose privileges to set.

true false
Privilege String[]

The user's expected/desired privileges. Privilege names are case-sensitive. Ignored when Ensure is set to Absent.

false false @()
Ensure String

Should the user exist or not exist?

false false Present
WhatIf SwitchParameter false false
Confirm SwitchParameter false false
CommonParameters This cmdlet supports common parameters. For more information type
Get-Help about_CommonParameters.


Demonstrates how to grant a service user the ability to log in as a service.

Carbon_Privilege GrantServiceLogonPrivileges
    Identity = 'CarbonServiceUser'
    Privilege = 'SeBatchLogonRight','SeServiceLogonRight';


Demonstrates how to revoke all a user/group's privileges. To revoke specific privileges, grant just the privileges you want. All other privileges are revoked.

Carbon_Privilege RevokePrivileges
    Identity = 'CarbonServiceUser'
    Ensure = 'Absent'