@jeffpatton1971
Created July 2, 2014 21:25
Output of pasted in resource
# Per-node settings read by the SQLLowPrivRegistry configuration.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName      = 'it08082'
            # Account the configuration grants ReadKey on the registry path below.
            ActionAccount = 'DOMAIN\SqlDefaultAction_sa'
            # Not referenced by the configuration shown on this page.
            LowPrivGroup  = 'DOMAIN\SqlMPLowPriv'
            Registry      = 'HKLM:\Software\Microsoft\Microsoft SQL Server\'
            # NOTE(review): this flag lets DSC store credentials as plain text in
            # the compiled MOF. Nothing in the configuration on this page passes a
            # PSCredential, so it does no work here; if credentials are added
            # later, encrypt them with a node certificate (CertificateFile /
            # Thumbprint) rather than leaving this switched on.
            PSDscAllowPlainTextPassword = $true
        }
    )
}
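function Format-DscScriptBlock()
{
    <#
    .SYNOPSIS
    Returns the text of a script block with every `$Node.<key>` reference
    replaced by a PowerShell literal for that key's value.

    .DESCRIPTION
    The Script resource stores SetScript/TestScript/GetScript as strings, so
    `$Node` is not available when they run on the target. This helper bakes the
    node's values into the script text at compile time.

    Values are written as literals, never as raw text: booleans become
    $true/$false, $null becomes $null, and everything else becomes a
    single-quoted string with embedded quotes escaped. A value containing
    spaces, quotes, ';' or '$(' therefore stays data and cannot change the
    structure of the generated script.

    Matching is a case-sensitive text replacement of `$Node.<key>`. Do not put
    `$Node.<key>` inside a quoted string in the script block; the literal's own
    quotes would end up inside that string.

    .PARAMETER Node
    Hashtable of node settings (one entry of AllNodes).

    .PARAMETER ScriptBlock
    Script block whose text contains `$Node.<key>` placeholders.

    .OUTPUTS
    System.String. The script text with placeholders replaced.
    #>
    param(
        [parameter(Mandatory=$true)]
        [System.Collections.Hashtable] $Node,
        [parameter(Mandatory=$true)]
        [System.Management.Automation.ScriptBlock] $ScriptBlock
    )

    $result = $ScriptBlock.ToString()

    # Replace longer key names first so that `$Node.Registry` cannot eat the
    # front of a longer placeholder such as `$Node.RegistryView`.
    $orderedKeys = @($Node.Keys) | Sort-Object -Property { ([string]$_).Length } -Descending

    foreach ($key in $orderedKeys)
    {
        $value = $Node[$key]

        if ($value -is [bool])
        {
            $literal = if ($value) { '$true' } else { '$false' }
        }
        elseif ($null -eq $value)
        {
            $literal = '$null'
        }
        else
        {
            # EscapeSingleQuotedStringContent doubles every character the
            # tokenizer accepts as a single quote, including the curly variants.
            $escaped = [System.Management.Automation.Language.CodeGeneration]::EscapeSingleQuotedStringContent([string]$value)
            $literal = "'" + $escaped + "'"
        }

        $result = $result.Replace("`$Node.$key", $literal)
    }

    return $result
}

# Grants the node's ActionAccount ReadKey on the node's Registry path
# (inherited by subkeys) through a Script resource.
#
# NOTE(review): the hashtable returned by GetScript echoes $GetScript,
# $SetScript and $TestScript as the original did (with the $TestScrip typo
# corrected); whether those variables are populated when the script runs on
# the target is not visible from this page.
Configuration SQLLowPrivRegistry
{
    Node $AllNodes.NodeName
    {
        Script TopLevelActionAccountPermissions
        {
            SetScript = Format-DscScriptBlock -Node $Node -ScriptBlock {
                $Acl = Get-Acl -Path $Node.Registry
                $Ace = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
                    $Node.ActionAccount,
                    [System.Security.AccessControl.RegistryRights]::ReadKey,
                    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AccessControlType]::Allow)
                $Acl.SetAccessRule($Ace)
                # SetAccessRule only edits the in-memory descriptor; without
                # Set-Acl the key's permissions never change.
                Set-Acl -Path $Node.Registry -AclObject $Acl
            }

            TestScript = Format-DscScriptBlock -Node $Node -ScriptBlock {
                $ReadKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
                $Aces = (Get-Acl -Path $Node.Registry).Access
                # An entry for the account is not enough: a Deny entry or one
                # with narrower rights must not count as compliant.
                $Granted = $Aces | Where-Object {
                    $_.IdentityReference.Value -eq $Node.ActionAccount -and
                    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                    ([int]$_.RegistryRights -band $ReadKey) -eq $ReadKey
                }
                return [bool]$Granted
            }

            GetScript = Format-DscScriptBlock -Node $Node -ScriptBlock {
                $ReadKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
                $Aces = (Get-Acl -Path $Node.Registry).Access
                $Granted = $Aces | Where-Object {
                    $_.IdentityReference.Value -eq $Node.ActionAccount -and
                    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                    ([int]$_.RegistryRights -band $ReadKey) -eq $ReadKey
                }
                if ($Granted)
                {
                    $Result = "Action Account has required permissions."
                }
                else
                {
                    $Result = "Action Account missing required permissions."
                }
                return @{GetScript = $GetScript;SetScript = $SetScript;TestScript = $TestScript;Result = $Result}
            }
        }
    }
}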
# Compile the configuration for the nodes in $ConfigurationData. The result is
# one <NodeName>.mof under .\SQLLowPrivRegistry. The Set/Test/Get script text
# is stored in the MOF as strings and is not executed here, so a clean compile
# says nothing about whether those scripts run correctly on the target.
$compileParameters = @{ ConfigurationData = $ConfigurationData }
SQLLowPrivRegistry @compileParameters
Directory: C:\projects\DSC-WorkInProgress\SQLLowPrivRegistry
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 7/2/2014 4:23 PM 3322 it08082.mof
PS C:\projects\DSC-WorkInProgress>