Here is the configuration all laid out: a configuration-data section with information for my nodes (1), the function to convert a script block to a string, and then the configuration itself.
# Configuration data consumed by SQLLowPrivRegistry ($AllNodes.NodeName selects the
# node; $Node.<Key> placeholders inside the Script resource are replaced by these values).
# Every value except NodeName is spliced as plain text into generated script bodies by
# Format-DscScriptBlock, so keep them to trusted, literal values.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName      = "it08082"
            # Account that is granted ReadKey on the SQL Server registry root.
            ActionAccount = "DOMAIN\SqlDefaultAction_sa"
            # Defined here but not referenced anywhere else in this gist.
            LowPrivGroup  = "DOMAIN\SqlMPLowPriv"
            # Registry key the ACE is applied to (trailing backslash kept as given).
            Registry      = "HKLM:\Software\Microsoft\Microsoft SQL Server\"
            # Permits plain-text credentials in the generated MOF. Nothing in this gist
            # passes a PSCredential, so the flag appears unnecessary here — confirm
            # before keeping it, as it weakens the MOF's handling of any future credential.
            PSDscAllowPlainTextPassword = $true
        }
    )
}
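function Format-DscScriptBlock()
{
    <#
    .SYNOPSIS
        Renders a script block as text with "$Node.<Key>" placeholders replaced by the
        node's values, so node-specific data can be baked into a DSC Script resource.
    .PARAMETER Node
        Hashtable of node data; each key <Key> replaces the literal text "$Node.<Key>".
    .PARAMETER ScriptBlock
        Script block whose source text is the template. It is never invoked here.
    .OUTPUTS
        [string] The script text after substitution.
    .NOTES
        Values are spliced in verbatim: the function does not quote or escape them, so
        the template must wrap a placeholder in quotes itself (e.g. '$Node.Registry')
        when the value may contain spaces or is used where a bare word is not allowed.
        Matching uses String.Replace, i.e. ordinal and case-sensitive: the placeholder
        must use the key's exact casing. Only trusted configuration data should be
        passed, since a value containing a quote would change the generated code.
    #>
    [OutputType([string])]
    param(
        [parameter(Mandatory=$true)]
        [System.Collections.Hashtable] $Node,
        [parameter(Mandatory=$true)]
        [System.Management.Automation.ScriptBlock] $ScriptBlock
    )
    $result = $ScriptBlock.ToString()
    # Longest keys first: a key that is a prefix of another (e.g. Name / NameSuffix)
    # would otherwise clobber the longer placeholder on an earlier pass.
    $orderedKeys = @($Node.Keys) | Sort-Object -Property Length -Descending
    foreach ($key in $orderedKeys)
    {
        $placeholder = "`$Node.$key"
        # [string] cast makes non-string values (e.g. $true -> "True") explicit.
        $result = $result.Replace($placeholder, [string]$Node[$key])
    }
    return $result
}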
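Configuration SQLLowPrivRegistry
{
    # One Script resource per node in $ConfigurationData.AllNodes. The three script
    # bodies are rendered at compile time by Format-DscScriptBlock, which splices the
    # node's values into the placeholders as plain text. The placeholders are therefore
    # single-quoted here: unquoted, a value such as "HKLM:\...\Microsoft SQL Server\"
    # (contains a space) or "DOMAIN\account" (a bare word inside a constructor call)
    # produces script that does not parse or passes the wrong arguments.
    Node $AllNodes.NodeName
    {
        # Grants the action account ReadKey, inherited by subkeys, on the SQL Server
        # registry root, and reports whether that Allow entry is present.
        Script TopLevelActionAccountPermissions
        {
            SetScript = Format-DscScriptBlock -Node $Node -ScriptBlock {
                $Acl = Get-Acl -Path '$Node.Registry'
                $Ace = New-Object System.Security.AccessControl.RegistryAccessRule('$Node.ActionAccount', [System.Security.AccessControl.RegistryRights]::ReadKey, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow)
                $Acl.SetAccessRule($Ace)
                # SetAccessRule only changes the in-memory ACL; without Set-Acl nothing
                # is written to the registry and TestScript keeps failing.
                Set-Acl -Path '$Node.Registry' -AclObject $Acl
            }
            TestScript = Format-DscScriptBlock -Node $Node -ScriptBlock {
                $Acl = Get-Acl -Path '$Node.Registry'
                # Require identity, Allow type and ReadKey rights together, so a Deny entry
                # or an entry with narrower rights for the account is not reported compliant.
                $Matching = $Acl.Access | Where-Object {
                    $_.IdentityReference -eq '$Node.ActionAccount' -and
                    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                    (($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::ReadKey) -eq [System.Security.AccessControl.RegistryRights]::ReadKey)
                }
                return [bool]$Matching
            }
            GetScript = Format-DscScriptBlock -Node $Node -ScriptBlock {
                $Acl = Get-Acl -Path '$Node.Registry'
                $Matching = $Acl.Access | Where-Object {
                    $_.IdentityReference -eq '$Node.ActionAccount' -and
                    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                    (($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::ReadKey) -eq [System.Security.AccessControl.RegistryRights]::ReadKey)
                }
                if ($Matching) { $Result = "Action Account has required permissions." }
                else { $Result = "Action Account missing required permissions." }
                # Returns the four keys the Script resource expects; the original spelled
                # the third one $TestScrip, which silently evaluated to $null.
                return @{ GetScript = $GetScript; SetScript = $SetScript; TestScript = $TestScript; Result = $Result }
            }
        }
    }
}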