< Back
Set-DbsAcl
Post
NAME Set-DbsAcl
SYNOPSIS
Sets the permissions required by DISA for SQL Server directories.
SYNTAX
Set-DbsAcl [-SqlInstance] <DbaInstanceParameter[]> [-SqlCredential <PSCredential>] -Account <String[]> [-Path
<String[]>] [-EnableException] [-WhatIf] [-Confirm] [<CommonParameters>]
DESCRIPTION
Sets the required permissions for SQL Server directories.
By default, it will detect and secure the default Data, Log and Backup directories.
Currently, this is accomplished using admin UNC shares so they should be available to your account.
PARAMETERS
-SqlInstance <DbaInstanceParameter[]>
The target SQL Server instance or instances. Server version must be SQL Server version 2012 or higher.
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-SqlCredential <PSCredential>
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory -
Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Account <String[]>
The account name or names that are to be granted permissions along with the service accounts.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <String[]>
By default, the ACLs on the paths to the data, log and backup files will be modified.
If you want to set permissions on a specific path, use this option.
Note that if your Backup directory is a UNC share, it will be skipped.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-EnableException [<SwitchParameter>]
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables
advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own
try/catch.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
If this switch is enabled, no actions are performed but informational messages will be displayed that explain
what would happen if the command were to run.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
If this switch is enabled, you will be prompted for confirmation before executing any operations that change
state.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Tags: DISA, STIG
Author: Chrissy LeMaire (@cl), netnerds.net
Copyright: (c) 2010 by Chrissy LeMaire, licensed under MIT
License: MIT https://opensource.org/licenses/MITl
-------------------------- EXAMPLE 1 --------------------------
PS C:\\>Set-DbsAcl -SqlInstance sql2017, sql2016, sql2012 -Account "AD\\SQL Admins"
Sets permissions for the default data, log and backups on sql2017, sql2016, sql2012.
Adds appropriate permissions for the "AD\\SQL Admins" group as well as the SQL Server service accounts.
-------------------------- EXAMPLE 2 --------------------------
PS C:\\>Get-DbaRegServer -SqlInstance sqlcentral | Set-DbsAcl -Account "AD\\SQL Admins"
Sets the appropriate permissions for all SQL Servers stored in the sqlcentral registered server.
RELATED LINKS
SYNOPSIS
Sets the permissions required by DISA for SQL Server directories.
SYNTAX
Set-DbsAcl [-SqlInstance] <DbaInstanceParameter[]> [-SqlCredential <PSCredential>] -Account <String[]> [-Path
<String[]>] [-EnableException] [-WhatIf] [-Confirm] [<CommonParameters>]
DESCRIPTION
Sets the required permissions for SQL Server directories.
By default, it will detect and secure the default Data, Log and Backup directories.
Currently, this is accomplished using admin UNC shares so they should be available to your account.
PARAMETERS
-SqlInstance <DbaInstanceParameter[]>
The target SQL Server instance or instances. Server version must be SQL Server version 2012 or higher.
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-SqlCredential <PSCredential>
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory -
Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Account <String[]>
The account name or names that are to be granted permissions along with the service accounts.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <String[]>
By default, the ACLs on the paths to the data, log and backup files will be modified.
If you want to set permissions on a specific path, use this option.
Note that if your Backup directory is a UNC share, it will be skipped.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-EnableException [<SwitchParameter>]
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables
advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own
try/catch.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
If this switch is enabled, no actions are performed but informational messages will be displayed that explain
what would happen if the command were to run.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
If this switch is enabled, you will be prompted for confirmation before executing any operations that change
state.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Tags: DISA, STIG
Author: Chrissy LeMaire (@cl), netnerds.net
Copyright: (c) 2010 by Chrissy LeMaire, licensed under MIT
License: MIT https://opensource.org/licenses/MITl
-------------------------- EXAMPLE 1 --------------------------
PS C:\\>Set-DbsAcl -SqlInstance sql2017, sql2016, sql2012 -Account "AD\\SQL Admins"
Sets permissions for the default data, log and backups on sql2017, sql2016, sql2012.
Adds appropriate permissions for the "AD\\SQL Admins" group as well as the SQL Server service accounts.
-------------------------- EXAMPLE 2 --------------------------
PS C:\\>Get-DbaRegServer -SqlInstance sqlcentral | Set-DbsAcl -Account "AD\\SQL Admins"
Sets the appropriate permissions for all SQL Servers stored in the sqlcentral registered server.
RELATED LINKS