dbatools icon indicating copy to clipboard operation
dbatools copied to clipboard
verified publisher icon dataplat

Add 'Create global objects' to Set-DbaPrivilege

Open bilodeauj opened this issue 2 years ago • 2 comments

Summarize Functionality

It would be great to add a new type of 'Create global objects' to the Set-DbaPrivilege cmdlet, which would allow adding an account to the "Create global objects" item in the local security policy. This access is required for certain backup solution for their SQL backup agent. I figured it would be usefull to be able to configure this using dbatools.

We're using Dell PowerProtect Data Manager, but i've also seen it in documentations for RedGate, Veritas and others.

Is there a command that is similiar or close to what you are looking for?

Yes

Technical Details

This should be fairly easy to implement by adding a new 'CreateGlobalObjects' to the -Type Parameter set, and add the code below in the process block that detects the type selected.

if ('CreateGlobalObjects' -in $Type) {
	$CGOline = Get-Content $tempfile | Where-Object { $_ -match "SeCreateGlobalPrivilege" }
	ForEach ($acc in $SQLServiceAccounts) {
		$SID = Convert-UserNameToSID -Acc $acc;
		if (-not $CGOline) {
			$CGOline = "SeCreateGlobalPrivilege = *$SID"
			(Get-Content $tempfile) -replace "\[Privilege Rights\]", "[Privilege Rights]`n$CGOline" |
				Set-Content $tempfile
			<# DO NOT use Write-Message as this is inside of a script block #>
			Write-Verbose "Added $acc to Create Global Objects Privileges on $env:ComputerName"
		} elseif ($CGOline -notmatch $SID) {
			(Get-Content $tempfile) -replace "SeCreateGlobalPrivilege = ", "SeCreateGlobalPrivilege = *$SID," |
				Set-Content $tempfile
			<# DO NOT use Write-Message as this is inside of a script block #>
			Write-Verbose "Added $acc to Create Global Objects Privileges on $env:ComputerName"
		} else {
			<# DO NOT use Write-Message as this is inside of a script block #>
			Write-Verbose "$acc already has Create Global Objects Privilege on $env:ComputerName"
		}
	}
}

bilodeauj avatar Nov 27 '23 19:11 bilodeauj

@bilodeauj are you still around? Do you still need this feature? @wsmelton you reacted with thumbs down, can you share some words? @niphlod , @potatoqualitee - what do you think?

andreasjordan avatar May 31 '25 15:05 andreasjordan

@andreasjordan I think that this feature could still be usefull. For my specific use case, when I build a new SQL Server and configure it via code using Powershell and dbatools I have steps to configure and required accounts and permissions as part of the setup. The create global objects was required for the backup account for our backup solution. For now i'm having to use other methods to assign this, but it would be nice if I could do it via dbatools

bilodeauj avatar Jun 05 '25 13:06 bilodeauj